hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jian He (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-4126) RM should not issue delegation tokens in unsecure mode
Date Sat, 10 Dec 2016 01:46:58 GMT

    [ https://issues.apache.org/jira/browse/YARN-4126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15736967#comment-15736967

Jian He commented on YARN-4126:

bq. Assuming that Oozie wants to keep supporting 2.x releases there must be an Oozie side
IIUC, since this is already reverted from branch-2, Oozie no longer requires a fix to support
2.x release.

To support 3.x which has this change. Oozie needs to have a fix.

My point is that the old behavior is a bug -- ( the logic is not matching its exception).
 Exception says delegationToken can only be done in kerberos env, but the logic returns true
if it is unsecure env.  -- Isn't this self-conflicting ? 
      if (!isAllowedDelegationTokenOp()) {
        throw new IOException(
            "Delegation Token can be cancelled only with kerberos authentication");
My preference is to keep this in 3.x so that future apps on YARN are not repeating the same
mistake as Ozzie, and Ozzie should fix this to support 3.x line
On the other hand, if other folks think it's more important to keep it compatible and with
minimal surprise for 3.x, I'm also ok to revert it.

> RM should not issue delegation tokens in unsecure mode
> ------------------------------------------------------
>                 Key: YARN-4126
>                 URL: https://issues.apache.org/jira/browse/YARN-4126
>             Project: Hadoop YARN
>          Issue Type: Bug
>            Reporter: Jian He
>            Assignee: Bibin A Chundatt
>             Fix For: 3.0.0-alpha1
>         Attachments: 0001-YARN-4126.patch, 0002-YARN-4126.patch, 0003-YARN-4126.patch,
0004-YARN-4126.patch, 0005-YARN-4126.patch, 0006-YARN-4126.patch
> ClientRMService#getDelegationToken is currently  returning a delegation token in insecure
mode. We should not return the token if it's in insecure mode. 

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org

View raw message