hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Vinod Kumar Vavilapalli (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-3021) YARN's delegation-token handling disallows certain trust setups to operate properly over DistCp
Date Mon, 09 Feb 2015 18:18:36 GMT

    [ https://issues.apache.org/jira/browse/YARN-3021?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14312562#comment-14312562

Vinod Kumar Vavilapalli commented on YARN-3021:

bq. RM can simply inspect the incoming renewer specified in the token and skip renewing those
tokens if the renewer doesn't match it's own address. This way, we don't need an explicit
API in the submission context.
bq. Seems regardless of this jira, we could have do the above change, right? any catch?
I think this will work, and is a preferable solution to me. What do others think? /cc [~qwertymaniac]/[~jianhe]

bq. In our simple tests the app did run through successfully with such an approach, but there
was multiple factors we did not test for (app recovery, task failures, etc. which could be
impacted). Would it be better if we added in a morphed DelegationTokenRenewer (which does
NOP as part of actual renewal logic), instead of skipping adding in the renewer completely?
Never mind. I looked at the patch again, it would work, barring my other non-code comments.

> YARN's delegation-token handling disallows certain trust setups to operate properly over
> -----------------------------------------------------------------------------------------------
>                 Key: YARN-3021
>                 URL: https://issues.apache.org/jira/browse/YARN-3021
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.3.0
>            Reporter: Harsh J
>         Attachments: YARN-3021.001.patch, YARN-3021.002.patch, YARN-3021.003.patch, YARN-3021.patch
> Consider this scenario of 3 realms: A, B and COMMON, where A trusts COMMON, and B trusts
COMMON (one way trusts both), and both A and B run HDFS + YARN clusters.
> Now if one logs in with a COMMON credential, and runs a job on A's YARN that needs to
access B's HDFS (such as a DistCp), the operation fails in the RM, as it attempts a renewDelegationToken(…)
synchronously during application submission (to validate the managed token before it adds
it to a scheduler for automatic renewal). The call obviously fails cause B realm will not
trust A's credentials (here, the RM's principal is the renewer).
> In the 1.x JobTracker the same call is present, but it is done asynchronously and once
the renewal attempt failed we simply ceased to schedule any further attempts of renewals,
rather than fail the job immediately.
> We should change the logic such that we attempt the renewal but go easy on the failure
and skip the scheduling alone, rather than bubble back an error to the client, failing the
app submission. This way the old behaviour is retained.

This message was sent by Atlassian JIRA

View raw message