Posted to yarn-issues@hadoop.apache.org by "Zhijie Shen (JIRA)" <ji...@apache.org> on 2014/11/03 00:50:34 UTC

[jira] [Comment Edited] (YARN-2798) YarnClient doesn't need to translate Kerberos name of timeline DT renewer

    [ https://issues.apache.org/jira/browse/YARN-2798?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14194071#comment-14194071 ] 

Zhijie Shen edited comment on YARN-2798 at 11/2/14 11:50 PM:
-------------------------------------------------------------

Created a patch to remove the translation logic from the client; at the client side we just need to ensure _HOST is going to be mapped to the right timeline server. Added test cases to verify the responsibility at both the client and server side when creating the DT.

Please note that to make this work, core-site.xml that is presented to the timeline server should have proper auth_to_local configuration.


was (Author: zjshen):
Created a patch to remove the translation logic from the client; at the client side we just need to ensure _HOST is going to be mapped to the right timeline server. Added test cases to verify the responsibility at both the client and server side when creating the DT.

Please note that to make this work, core-site.xml and yarn-site.xml that are presented to the timeline server should have proper auth_to_local and rm principal configurations.

> YarnClient doesn't need to translate Kerberos name of timeline DT renewer
> -------------------------------------------------------------------------
>
>                 Key: YARN-2798
>                 URL: https://issues.apache.org/jira/browse/YARN-2798
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: timelineserver
>            Reporter: Arpit Gupta
>            Assignee: Zhijie Shen
>            Priority: Blocker
>         Attachments: YARN-2798.1.patch
>
>
> Now YarnClient will automatically get a timeline DT when submitting an app in secure mode. It will try to parse the yarn-site.xml/core-site.xml to get the RM daemon operating system user. However, the RM principal and auth_to_local may not be properly presented to the client, and the client cannot translate the principal to the daemon user properly. On the other hand, AbstractDelegationTokenIdentifier will do this translation when creating the token. However, since the client has already translated the full principal into a short user name (which may not be correct), the server can no longer apply the translation, where RM principal and auth_to_local are always correct.



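The failure mode in the issue description, as an added example that is not part of the original message or of Hadoop's code: a simplified Python model of auth_to_local evaluation that handles only DEFAULT and the RULE:[n:fmt](regex)s/pat/repl/ form. The principal, realm, rules and function names are constructed for illustration.

```python
import re

# Simplified model of Hadoop's auth_to_local evaluation (assumption: only
# DEFAULT and RULE:[n:fmt](regex)s/pat/repl/ are supported; not Hadoop code).
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]+)\](?:\((.+?)\))?(?:s/([^/]*)/([^/]*)/)?$")

# Constructed sample values: the RM daemon runs as OS user "yarn".
REALM = "EXAMPLE.COM"
RM_PRINCIPAL = "rm/rm-host.example.com@EXAMPLE.COM"
SERVER_RULES = [r"RULE:[2:$1@$0](rm@EXAMPLE\.COM)s/.*/yarn/", "DEFAULT"]
CLIENT_RULES = ["DEFAULT"]  # client config lacks the cluster's rule

def short_name(principal, rules, default_realm):
    """Translate a Kerberos principal to a short user name."""
    if "@" not in principal:
        return principal  # already short: no realm left for any rule to match
    name, realm = principal.split("@", 1)
    parts = name.split("/")
    for rule in rules:
        if rule == "DEFAULT":
            if realm == default_realm:
                return parts[0]
            continue
        m = RULE_RE.match(rule)
        if m is None:
            raise ValueError(f"unsupported rule: {rule}")
        n, fmt, match, pat, repl = m.groups()
        if int(n) != len(parts):
            continue
        base = fmt.replace("$0", realm)
        for i, part in enumerate(parts, 1):
            base = base.replace(f"${i}", part)
        if match and not re.fullmatch(match, base):
            continue
        return base if pat is None else re.sub(pat, repl, base, count=1)
    raise ValueError(f"no rule applies to {principal}")

def renewer_on_server(principal, client_translates):
    """Renewer the server ends up with when it creates the token."""
    sent = short_name(principal, CLIENT_RULES, REALM) if client_translates else principal
    return short_name(sent, SERVER_RULES, REALM)

if __name__ == "__main__":
    print("client translates first:", renewer_on_server(RM_PRINCIPAL, True))
    print("full principal sent:    ", renewer_on_server(RM_PRINCIPAL, False))
```

When the client shortens the principal with incomplete rules, the server receives a name with no realm and its own correct rules never get a chance to run.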