You are viewing a plain text version of this content. The canonical link for it is here.

Posted to yarn-issues@hadoop.apache.org by "Tarun Parimi (Jira)" <ji...@apache.org> on 2021/06/10 06:13:00 UTC

[jira] [Updated] (YARN-10816) Avoid doing delegation token ops when yarn.timeline-service.http-authentication.type=simple

     [ https://issues.apache.org/jira/browse/YARN-10816?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tarun Parimi updated YARN-10816:
--------------------------------
    Attachment: YARN-10816.001.patch

> Avoid doing delegation token ops when yarn.timeline-service.http-authentication.type=simple
> -------------------------------------------------------------------------------------------
>
>                 Key: YARN-10816
>                 URL: https://issues.apache.org/jira/browse/YARN-10816
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: timelineclient
>    Affects Versions: 3.4.0
>            Reporter: Tarun Parimi
>            Assignee: Tarun Parimi
>            Priority: Major
>         Attachments: YARN-10816.001.patch
>
>
> YARN-10339 introduced changes to ensure that PseudoAuthenticationHandler is used in TimelineClient when yarn.timeline-service.http-authentication.type=simple
> PseudoAuthenticationHandler doesn't support delegation token ops like get, renew and cancel since those ops strictly require SPNEGO auth to work. We don't use timeline delegation tokens when simple auth is used.
> Prior to YARN-10339, Timeline delegation tokens were unnecessarily used when yarn.timeline-service.http-authentication.type=simple, but hadoop security was enabled. After YARN-10339, the tokens are not used when yarn.timeline-service.http-authentication.type=simple.
> In a rolling upgrade scenario, we can have a client  which doesn't have YARN-10339 changes submitting an application and requests a Timeline delegation token even when yarn.timeline-service.http-authentication.type=simple. RM on the other hand can have YARN-10339 changes and so will result in error while trying to renew the token with PseudoAuthenticationHandler. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org