Return-Path: <yarn-issues-return-114545-archive-asf-public=cust-asf.ponee.io@hadoop.apache.org>
X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io
Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183])
	by cust-asf2.ponee.io (Postfix) with ESMTP id ABD81200CA3
	for <archive-asf-public-internal@cust-asf2.ponee.io>; Thu, 18 May 2017 03:04:09 +0200 (CEST)
Received: by cust-asf.ponee.io (Postfix)
	id AA3B3160BD3; Thu, 18 May 2017 01:04:09 +0000 (UTC)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by cust-asf.ponee.io (Postfix) with SMTP id F0BB5160BBA
	for <archive-asf-public@cust-asf.ponee.io>; Thu, 18 May 2017 03:04:08 +0200 (CEST)
Received: (qmail 99157 invoked by uid 500); 18 May 2017 01:04:08 -0000
Mailing-List: contact yarn-issues-help@hadoop.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:yarn-issues-help@hadoop.apache.org>
List-Unsubscribe: <mailto:yarn-issues-unsubscribe@hadoop.apache.org>
List-Post: <mailto:yarn-issues@hadoop.apache.org>
List-Id: <yarn-issues.hadoop.apache.org>
Delivered-To: mailing list yarn-issues@hadoop.apache.org
Received: (qmail 99145 invoked by uid 99); 18 May 2017 01:04:08 -0000
Received: from pnap-us-west-generic-nat.apache.org (HELO spamd1-us-west.apache.org) (209.188.14.142)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 18 May 2017 01:04:08 +0000
Received: from localhost (localhost [127.0.0.1])
	by spamd1-us-west.apache.org (ASF Mail Server at spamd1-us-west.apache.org) with ESMTP id 8B718D0C9E
	for <yarn-issues@hadoop.apache.org>; Thu, 18 May 2017 01:04:07 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at spamd1-us-west.apache.org
X-Spam-Flag: NO
X-Spam-Score: -99.202
X-Spam-Level: 
X-Spam-Status: No, score=-99.202 tagged_above=-999 required=6.31
	tests=[KAM_ASCII_DIVIDERS=0.8, RP_MATCHES_RCVD=-0.001,
	SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=disabled
Received: from mx1-lw-us.apache.org ([10.40.0.8])
	by localhost (spamd1-us-west.apache.org [10.40.0.7]) (amavisd-new, port 10024)
	with ESMTP id TZoJQlZn799l for <yarn-issues@hadoop.apache.org>;
	Thu, 18 May 2017 01:04:07 +0000 (UTC)
Received: from mailrelay1-us-west.apache.org (mailrelay1-us-west.apache.org [209.188.14.139])
	by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTP id B832F5FC84
	for <yarn-issues@hadoop.apache.org>; Thu, 18 May 2017 01:04:06 +0000 (UTC)
Received: from jira-lw-us.apache.org (unknown [207.244.88.139])
	by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id 47FB9E0D7F
	for <yarn-issues@hadoop.apache.org>; Thu, 18 May 2017 01:04:06 +0000 (UTC)
Received: from jira-lw-us.apache.org (localhost [127.0.0.1])
	by jira-lw-us.apache.org (ASF Mail Server at jira-lw-us.apache.org) with ESMTP id DFA72263AD
	for <yarn-issues@hadoop.apache.org>; Thu, 18 May 2017 01:04:04 +0000 (UTC)
Date: Thu, 18 May 2017 01:04:04 +0000 (UTC)
From: "Robert Kanter (JIRA)" <jira@apache.org>
To: yarn-issues@hadoop.apache.org
Message-ID: <JIRA.13072093.1494870641000.236217.1495069444914@Atlassian.JIRA>
In-Reply-To: <JIRA.13072093.1494870641000@Atlassian.JIRA>
References: <JIRA.13072093.1494870641000@Atlassian.JIRA> <JIRA.13072093.1494870641807@jira-lw-us.apache.org>
Subject: [jira] [Updated] (YARN-6602) Impersonation does not work if standby
 RM is contacted first
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394
archived-at: Thu, 18 May 2017 01:04:09 -0000


     [ https://issues.apache.org/jira/browse/YARN-6602?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Kanter updated YARN-6602:
--------------------------------
    Attachment: YARN-6602.002.patch

The 002 patch
- Fixes the (relevant) checkstyle warnings, including making {{RMProxy.user}} private.

> Impersonation does not work if standby RM is contacted first
> ------------------------------------------------------------
>
>                 Key: YARN-6602
>                 URL: https://issues.apache.org/jira/browse/YARN-6602
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: client
>    Affects Versions: 3.0.0-alpha3
>            Reporter: Robert Kanter
>            Assignee: Robert Kanter
>            Priority: Blocker
>         Attachments: YARN-6602.001.patch, YARN-6602.002.patch
>
>
> When RM HA is enabled, impersonation does not work correctly if the Yarn Client connects to the standby RM first.  When this happens, the impersonation is "lost" and the client does things on behalf of the impersonator user.  We saw this with the OOZIE-1770 Oozie on Yarn feature.
> I need to investigate this some more, but it appears to be related to delegation tokens.  When this issue occurs, the tokens have the owner as "oozie" instead of the actual user.  On a hunch, we found a workaround that explicitly adding a correct RM HA delegation token fixes the problem:
> {code:java}
> org.apache.hadoop.yarn.api.records.Token token = yarnClient.getRMDelegationToken(ClientRMProxy.getRMDelegationTokenService(conf));
> org.apache.hadoop.security.token.Token token2 = new org.apache.hadoop.security.token.Token(token.getIdentifier().array(), token.getPassword().array(), new Text(token.getKind()), new Text(token.getService()));
> UserGroupInformation.getCurrentUser().addToken(token2);
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org