hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Zhijie Shen (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-3287) TimelineClient kerberos authentication failure uses wrong login context.
Date Tue, 21 Apr 2015 22:20:59 GMT

    [ https://issues.apache.org/jira/browse/YARN-3287?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14505910#comment-14505910

Zhijie Shen commented on YARN-3287:

It breaks the timeline access control of distributed shell. In distributed shell AM:

    if (conf.getBoolean(YarnConfiguration.TIMELINE_SERVICE_ENABLED,
      // Creating the Timeline Client
      timelineClient = TimelineClient.createTimelineClient();
    } else {
      timelineClient = null;
      LOG.warn("Timeline service is not enabled");

      ugi.doAs(new PrivilegedExceptionAction<TimelinePutResponse>() {
        public TimelinePutResponse run() throws Exception {
          return timelineClient.putEntities(entity);

This Jira changes the timeline client to get the right ugi at serviceInit, but DS AM still
doesn't use submitter ugi to init timeline client, but use the ugi for each put entity call.
It result in the wrong user of the put request.

> TimelineClient kerberos authentication failure uses wrong login context.
> ------------------------------------------------------------------------
>                 Key: YARN-3287
>                 URL: https://issues.apache.org/jira/browse/YARN-3287
>             Project: Hadoop YARN
>          Issue Type: Bug
>            Reporter: Jonathan Eagles
>            Assignee: Daryn Sharp
>             Fix For: 2.7.0
>         Attachments: YARN-3287.1.patch, YARN-3287.2.patch, YARN-3287.3.patch, timeline.patch
> TimelineClientImpl:doPosting is not wrapped in a doAs, which can cause failure for yarn
clients to create timeline domains during job submission.

This message was sent by Atlassian JIRA

View raw message