hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hadoop QA (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-2892) Unable to get AMRMToken in unmanaged AM when using a secure cluster
Date Sat, 02 May 2015 00:16:07 GMT

    [ https://issues.apache.org/jira/browse/YARN-2892?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14524357#comment-14524357
] 

Hadoop QA commented on YARN-2892:
---------------------------------

\\
\\
| (x) *{color:red}-1 overall{color}* |
\\
\\
|| Vote || Subsystem || Runtime || Comment ||
| {color:blue}0{color} | pre-patch |  15m 11s | Pre-patch trunk compilation is healthy. |
| {color:green}+1{color} | @author |   0m  0s | The patch does not contain any @author tags.
|
| {color:green}+1{color} | tests included |   0m  0s | The patch appears to include 1 new
or modified test files. |
| {color:green}+1{color} | javac |   7m 45s | There were no new javac warning messages. |
| {color:green}+1{color} | javadoc |   9m 51s | There were no new javadoc warning messages.
|
| {color:green}+1{color} | release audit |   0m 23s | The applied patch does not increase
the total number of release audit warnings. |
| {color:green}+1{color} | checkstyle |   0m 45s | There were no new checkstyle issues. |
| {color:green}+1{color} | whitespace |   0m  0s | The patch has no lines that end in whitespace.
|
| {color:green}+1{color} | install |   1m 34s | mvn install still works. |
| {color:green}+1{color} | eclipse:eclipse |   0m 32s | The patch built with eclipse:eclipse.
|
| {color:green}+1{color} | findbugs |   1m 15s | The patch does not introduce any new Findbugs
(version 2.0.3) warnings. |
| {color:red}-1{color} | yarn tests |  52m  6s | Tests failed in hadoop-yarn-server-resourcemanager.
|
| | |  89m 26s | |
\\
\\
|| Reason || Tests ||
| Failed unit tests | hadoop.yarn.server.resourcemanager.webapp.TestRMWebServicesFairScheduler
|
|   | hadoop.yarn.server.resourcemanager.TestAppManager |
|   | hadoop.yarn.server.resourcemanager.scheduler.fair.TestAllocationFileLoaderService |
\\
\\
|| Subsystem || Report/Notes ||
| Patch URL | http://issues.apache.org/jira/secure/attachment/12684732/YARN-2892.patch |
| Optional Tests | javadoc javac unit findbugs checkstyle |
| git revision | trunk / d3d019c |
| hadoop-yarn-server-resourcemanager test log | https://builds.apache.org/job/PreCommit-YARN-Build/7584/artifact/patchprocess/testrun_hadoop-yarn-server-resourcemanager.txt
|
| Test Results | https://builds.apache.org/job/PreCommit-YARN-Build/7584/testReport/ |
| Java | 1.7.0_55 |
| uname | Linux asf903.gq1.ygridcore.net 3.13.0-36-lowlatency #63-Ubuntu SMP PREEMPT Wed Sep
3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux |
| Console output | https://builds.apache.org/job/PreCommit-YARN-Build/7584/console |


This message was automatically generated.

> Unable to get AMRMToken in unmanaged AM when using a secure cluster
> -------------------------------------------------------------------
>
>                 Key: YARN-2892
>                 URL: https://issues.apache.org/jira/browse/YARN-2892
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: resourcemanager
>            Reporter: Sevada Abraamyan
>            Assignee: Sevada Abraamyan
>         Attachments: YARN-2892.patch, YARN-2892.patch, YARN-2892.patch
>
>
> An AMRMToken is retrieved from the ApplicationReport by the YarnClient. 
> When the RM creates the ApplicationReport and sends it back to the client it makes a
simple security check whether it should include the AMRMToken in the report (See createAndGetApplicationReport
in RMAppImpl).This security check verifies that the user who submitted the original application
is the same user who is requesting the ApplicationReport. If they are indeed the same user
then it includes the AMRMToken, otherwise it does not include it.
> The problem arises from the fact that when an application is submitted, the RM  saves
the short username of the user who created the application (See submitApplication in ClientRmService).
Afterwards when the ApplicationReport is requested, the system tries to match the full username
of the requester against the previously stored short username. 
> In a secure cluster using Kerberos this check fails because the principle is stripped
from the username when we request a short username. So for example the short username might
be "Foo" whereas the full username is "Foo@Company.com"
> Note: A very similar problem has been previously reported ([Yarn-2232|https://issues.apache.org/jira/browse/YARN-2232])



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message