Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id 0FF25200C78 for ; Thu, 18 May 2017 23:39:08 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id 0E577160BB5; Thu, 18 May 2017 21:39:08 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id 52983160B9D for ; Thu, 18 May 2017 23:39:07 +0200 (CEST) Received: (qmail 54565 invoked by uid 500); 18 May 2017 21:39:06 -0000 Mailing-List: contact yarn-issues-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Delivered-To: mailing list yarn-issues@hadoop.apache.org Received: (qmail 54554 invoked by uid 99); 18 May 2017 21:39:06 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd4-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 18 May 2017 21:39:06 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd4-us-west.apache.org (ASF Mail Server at spamd4-us-west.apache.org) with ESMTP id 01EA7C061B for ; Thu, 18 May 2017 21:39:06 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd4-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: -99.202 X-Spam-Level: X-Spam-Status: No, score=-99.202 tagged_above=-999 required=6.31 tests=[KAM_ASCII_DIVIDERS=0.8, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=disabled Received: from mx1-lw-us.apache.org ([10.40.0.8]) by localhost (spamd4-us-west.apache.org [10.40.0.11]) (amavisd-new, port 10024) with ESMTP id ibSSSfq_KeEj for ; Thu, 18 May 2017 21:39:05 +0000 (UTC) Received: from mailrelay1-us-west.apache.org (mailrelay1-us-west.apache.org [209.188.14.139]) by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTP id F3B255F341 for ; Thu, 18 May 2017 21:39:04 +0000 (UTC) Received: from jira-lw-us.apache.org (unknown [207.244.88.139]) by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id 95FF5E0BDF for ; Thu, 18 May 2017 21:39:04 +0000 (UTC) Received: from jira-lw-us.apache.org (localhost [127.0.0.1]) by jira-lw-us.apache.org (ASF Mail Server at jira-lw-us.apache.org) with ESMTP id 4544221B58 for ; Thu, 18 May 2017 21:39:04 +0000 (UTC) Date: Thu, 18 May 2017 21:39:04 +0000 (UTC) From: "Robert Kanter (JIRA)" To: yarn-issues@hadoop.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (YARN-6602) Impersonation does not work if standby RM is contacted first MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 archived-at: Thu, 18 May 2017 21:39:08 -0000 [ https://issues.apache.org/jira/browse/YARN-6602?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16016502#comment-16016502 ] Robert Kanter commented on YARN-6602: ------------------------------------- In fact, you wouldn't want to re-use the proxy object among multiple users; unless you want userA to unknowingly submit things as userB :) > Impersonation does not work if standby RM is contacted first > ------------------------------------------------------------ > > Key: YARN-6602 > URL: https://issues.apache.org/jira/browse/YARN-6602 > Project: Hadoop YARN > Issue Type: Bug > Components: client > Affects Versions: 3.0.0-alpha3 > Reporter: Robert Kanter > Assignee: Robert Kanter > Priority: Blocker > Attachments: YARN-6602.001.patch, YARN-6602.002.patch > > > When RM HA is enabled, impersonation does not work correctly if the Yarn Client connects to the standby RM first. When this happens, the impersonation is "lost" and the client does things on behalf of the impersonator user. We saw this with the OOZIE-1770 Oozie on Yarn feature. > I need to investigate this some more, but it appears to be related to delegation tokens. When this issue occurs, the tokens have the owner as "oozie" instead of the actual user. On a hunch, we found a workaround that explicitly adding a correct RM HA delegation token fixes the problem: > {code:java} > org.apache.hadoop.yarn.api.records.Token token = yarnClient.getRMDelegationToken(ClientRMProxy.getRMDelegationTokenService(conf)); > org.apache.hadoop.security.token.Token token2 = new org.apache.hadoop.security.token.Token(token.getIdentifier().array(), token.getPassword().array(), new Text(token.getKind()), new Text(token.getService())); > UserGroupInformation.getCurrentUser().addToken(token2); > {code} -- This message was sent by Atlassian JIRA (v6.3.15#6346) --------------------------------------------------------------------- To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org For additional commands, e-mail: yarn-issues-help@hadoop.apache.org