You are viewing a plain text version of this content. The canonical link for it is here.

Posted to yarn-issues@hadoop.apache.org by "Krishan Goyal (Jira)" <ji...@apache.org> on 2023/02/15 12:40:00 UTC

[jira] [Commented] (YARN-9708) Yarn Router Support DelegationToken

    [ https://issues.apache.org/jira/browse/YARN-9708?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17689098#comment-17689098 ] 

Krishan Goyal commented on YARN-9708:
-------------------------------------

[~slfan1989] how is client delegation token supported behind multiple router instances for clients using RPC ? 

I believe delegation token validation happens during RPC connection. 

If router instances are behind a load balancer, there is no direct RPC connection from client to Router right ? 

> Yarn Router Support DelegationToken
> -----------------------------------
>
>                 Key: YARN-9708
>                 URL: https://issues.apache.org/jira/browse/YARN-9708
>             Project: Hadoop YARN
>          Issue Type: New Feature
>          Components: router
>    Affects Versions: 3.4.0
>            Reporter: Xie YiFan
>            Assignee: Shilun Fan
>            Priority: Major
>              Labels: pull-request-available
>         Attachments: Add_getDelegationToken_and_SecureLogin_in_router.patch, RMDelegationTokenSecretManager_storeNewMasterKey.svg, RouterDelegationTokenSecretManager_storeNewMasterKey.svg
>
>
> 1.we use router as proxy to manage multiple cluster which be independent of each other in order to apply unified client. Thus, we implement our customized AMRMProxyPolicy that doesn't broadcast ResourceRequest to other cluster.
> 2.Our production environment need kerberos. But router doesn't support SecureLogin for now.
> https://issues.apache.org/jira/browse/YARN-6539 desn't work. So we improvement it.
> 3.Some framework like oozie would get Token via yarnclient#getDelegationToken which router doesn't support. Our solution is that adding homeCluster to ApplicationSubmissionContextProto & GetDelegationTokenRequestProto. Job would be submitted with specified clusterid so that router knows which cluster to submit this job. Router would get Token from one RM according to specified clusterid when client call getDelegation meanwhile apply some mechanism to save this token in memory.
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org