You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@oozie.apache.org by "Robert Kanter (JIRA)" <ji...@apache.org> on 2014/06/10 01:34:01 UTC

[jira] [Commented] (OOZIE-1871) Investigate if we can propagate the delegation token to the action conf from the Oozie server instead of action

    [ https://issues.apache.org/jira/browse/OOZIE-1871?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14025930#comment-14025930 ] 

Robert Kanter commented on OOZIE-1871:
--------------------------------------

It looks like current Hadoop 2's don't actually require us to propagate the delegation token.  The UserGroupInformation automatically loads the tokens from the environment variable.  For example, I put this code in a Java action with the HCat Credentials:
{code:java}
Collection<Token<? extends TokenIdentifier>> tokens = UserGroupInformation.getCurrentUser().getTokens();
System.out.println("AAA current user = " + UserGroupInformation.getCurrentUser());
System.out.println("num tokens = " + tokens.size());
for (Token token : tokens) {
         System.out.println("\t " + token.getKind().toString());
}
{code}
And it printed out:
{noformat}
AAA current user = systest (auth:SIMPLE)
num tokens = 5
         mapreduce.job
	 MR_DELEGATION_TOKEN
	 HDFS_DELEGATION_TOKEN
	 HIVE_DELEGATION_TOKEN
	 RM_DELEGATION_TOKEN
{noformat}
So all the tokens were loaded automatically.  (The Java action doesn't do anything with the tokens out-of-the-box, so they weren't propagated like we do in the other actions)

I'm not sure, but I think HADOOP-10164 added this, which was in Hadoop 2.3.0.  However, we still have to propagate the token to support older versions of Hadoop.

> Investigate if we can propagate the delegation token to the action conf from the Oozie server instead of action
> ---------------------------------------------------------------------------------------------------------------
>
>                 Key: OOZIE-1871
>                 URL: https://issues.apache.org/jira/browse/OOZIE-1871
>             Project: Oozie
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: trunk
>            Reporter: Robert Kanter
>            Assignee: Robert Kanter
>
> Currently, Oozie prepares a configuration for the action to use when launching MR jobs.  Oozie also provides an environment variable with the location of the tokens file.  It is up to the action's Main to:
> # Load the Configuration
> # Get the location of the Token file
> # Propagate the token file to the loaded Configuration
> # Pass the Configuration to the CLI/MR Job/etc
> This isn't too much of a problem for most actions because we handle this for the user, but for the Java action, it's 4 not-obvious steps.  We should investigate if we can make this one step by having the Configuration prepared by the Oozie server already have the token file propagated to it; then actions would have 2 steps:
> # Load the Configuration
> # Pass the Configuration to the CLI/MR Job/etc
> And the tokens would be handled automatically.
> We'd still have to provide the environment variable for backwards compatibility and flexibility reasons though.



--
This message was sent by Atlassian JIRA
(v6.2#6252)