hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Zhijie Shen (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-3725) App submission via REST API is broken in secure mode due to Timeline DT service address is empty
Date Wed, 27 May 2015 21:40:28 GMT

    [ https://issues.apache.org/jira/browse/YARN-3725?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14561795#comment-14561795
] 

Zhijie Shen commented on YARN-3725:
-----------------------------------

I'm proposing to do the following:

1. Short term fix for 2.7.1: Check if service address in timeline DT is empty or not. If empty,
we fall back to use the configured service address. It will make app submission via REST API
work in secure mode without additional DT process work unless users really want to renew the
DT from somewhere other than the configure address. It shouldn't be common as we usually only
setup one timeline server per YARN cluster.

2. Long term fix: we can do something similar to HDFS-6904. Let the client to pass in the
service address, and set token's service address at server side before serializing it into
a string. And this problem is not just limited to ATS. RM REST API doesn't set the service
address for RM DT too. It's better to seek for a common solution. For example, we can fix
DelegationTokenAuthenticationHandler to make all use cases of hadoop http auth component set
the service addr properly. One step further, even RPC protocol may have the similar problem.
For example, if we work with ApplicationClientProtocol directly, we should get an RM DT without
service address (correct me if I'm wrong).

Thoughts?

> App submission via REST API is broken in secure mode due to Timeline DT service address
is empty
> ------------------------------------------------------------------------------------------------
>
>                 Key: YARN-3725
>                 URL: https://issues.apache.org/jira/browse/YARN-3725
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: resourcemanager, timelineserver
>    Affects Versions: 2.7.0
>            Reporter: Zhijie Shen
>            Assignee: Zhijie Shen
>            Priority: Blocker
>
> YARN-2971 changes TimelineClient to use the service address from Timeline DT to renew
the DT instead of configured address. This break the procedure of submitting an YARN app via
REST API in the secure mode.
> The problem is that service address is set by the client instead of the server in Java
code. REST API response is an encode token Sting, such that it's so inconvenient to deserialize
it and set the service address and serialize it again. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message