hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hadoop QA (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-3021) YARN's delegation-token handling disallows certain trust setups to operate properly
Date Sun, 01 Feb 2015 09:41:35 GMT

    [ https://issues.apache.org/jira/browse/YARN-3021?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14300129#comment-14300129
] 

Hadoop QA commented on YARN-3021:
---------------------------------

{color:red}-1 overall{color}.  Here are the results of testing the latest attachment 
  http://issues.apache.org/jira/secure/attachment/12695793/YARN-3021.002.patch
  against trunk revision ffc75d6.

    {color:green}+1 @author{color}.  The patch does not contain any @author tags.

    {color:green}+1 tests included{color}.  The patch appears to include 2 new or modified
test files.

    {color:green}+1 javac{color}.  The applied patch does not increase the total number of
javac compiler warnings.

    {color:green}+1 javadoc{color}.  There were no new javadoc warning messages.

    {color:green}+1 eclipse:eclipse{color}.  The patch built with eclipse:eclipse.

    {color:red}-1 findbugs{color}.  The patch appears to introduce 13 new Findbugs (version
2.0.3) warnings.

        {color:red}-1 release audit{color}.  The applied patch generated 1 release audit warnings.

    {color:red}-1 core tests{color}.  The patch failed these unit tests in hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core
hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager:

                  org.apache.hadoop.conf.TestJobConf
                  org.apache.hadoop.mapreduce.TestLargeSort
                  org.apache.hadoop.yarn.server.resourcemanager.webapp.TestRMWebServicesAppsModification
                  org.apache.hadoop.yarn.server.resourcemanager.security.TestAMRMTokens
                  org.apache.hadoop.yarn.server.resourcemanager.security.TestDelegationTokenRenewer
                  org.apache.hadoop.yarn.server.resourcemanager.TestWorkPreservingRMRestart
                  org.apache.hadoop.yarn.server.resourcemanager.webapp.TestRMWebappAuthentication
                  org.apache.hadoop.yarn.server.resourcemanager.security.TestClientToAMTokens
                  org.apache.hadoop.yarn.server.resourcemanager.webapp.TestRMWebServicesDelegationTokenAuthentication
                  org.apache.hadoop.yarn.server.resourcemanager.TestRMRestart
                  org.apache.hadoop.yarn.server.resourcemanager.TestAMAuthorization

                                      The test build failed in hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common


Test results: https://builds.apache.org/job/PreCommit-YARN-Build/6480//testReport/
Release audit warnings: https://builds.apache.org/job/PreCommit-YARN-Build/6480//artifact/patchprocess/patchReleaseAuditProblems.txt
Findbugs warnings: https://builds.apache.org/job/PreCommit-YARN-Build/6480//artifact/patchprocess/newPatchFindbugsWarningshadoop-mapreduce-client-core.html
Console output: https://builds.apache.org/job/PreCommit-YARN-Build/6480//console

This message is automatically generated.

> YARN's delegation-token handling disallows certain trust setups to operate properly
> -----------------------------------------------------------------------------------
>
>                 Key: YARN-3021
>                 URL: https://issues.apache.org/jira/browse/YARN-3021
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.3.0
>            Reporter: Harsh J
>         Attachments: YARN-3021.001.patch, YARN-3021.002.patch, YARN-3021.patch
>
>
> Consider this scenario of 3 realms: A, B and COMMON, where A trusts COMMON, and B trusts
COMMON (one way trusts both), and both A and B run HDFS + YARN clusters.
> Now if one logs in with a COMMON credential, and runs a job on A's YARN that needs to
access B's HDFS (such as a DistCp), the operation fails in the RM, as it attempts a renewDelegationToken(…)
synchronously during application submission (to validate the managed token before it adds
it to a scheduler for automatic renewal). The call obviously fails cause B realm will not
trust A's credentials (here, the RM's principal is the renewer).
> In the 1.x JobTracker the same call is present, but it is done asynchronously and once
the renewal attempt failed we simply ceased to schedule any further attempts of renewals,
rather than fail the job immediately.
> We should change the logic such that we attempt the renewal but go easy on the failure
and skip the scheduling alone, rather than bubble back an error to the client, failing the
app submission. This way the old behaviour is retained.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message