hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Kanter (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-6602) Impersonation does not work if standby RM is contacted first
Date Thu, 18 May 2017 21:39:04 GMT

    [ https://issues.apache.org/jira/browse/YARN-6602?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16016502#comment-16016502
] 

Robert Kanter commented on YARN-6602:
-------------------------------------

In fact, you wouldn't want to re-use the proxy object among multiple users; unless you want
userA to unknowingly submit things as userB :)

> Impersonation does not work if standby RM is contacted first
> ------------------------------------------------------------
>
>                 Key: YARN-6602
>                 URL: https://issues.apache.org/jira/browse/YARN-6602
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: client
>    Affects Versions: 3.0.0-alpha3
>            Reporter: Robert Kanter
>            Assignee: Robert Kanter
>            Priority: Blocker
>         Attachments: YARN-6602.001.patch, YARN-6602.002.patch
>
>
> When RM HA is enabled, impersonation does not work correctly if the Yarn Client connects
to the standby RM first.  When this happens, the impersonation is "lost" and the client does
things on behalf of the impersonator user.  We saw this with the OOZIE-1770 Oozie on Yarn
feature.
> I need to investigate this some more, but it appears to be related to delegation tokens.
 When this issue occurs, the tokens have the owner as "oozie" instead of the actual user.
 On a hunch, we found a workaround that explicitly adding a correct RM HA delegation token
fixes the problem:
> {code:java}
> org.apache.hadoop.yarn.api.records.Token token = yarnClient.getRMDelegationToken(ClientRMProxy.getRMDelegationTokenService(conf));
> org.apache.hadoop.security.token.Token token2 = new org.apache.hadoop.security.token.Token(token.getIdentifier().array(),
token.getPassword().array(), new Text(token.getKind()), new Text(token.getService()));
> UserGroupInformation.getCurrentUser().addToken(token2);
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org


Mime
View raw message