You are viewing a plain text version of this content. The canonical link for it is here.

Posted to yarn-issues@hadoop.apache.org by "Yongjun Zhang (JIRA)" <ji...@apache.org> on 2015/02/01 07:41:35 UTC

[jira] [Commented] (YARN-3021) YARN's delegation-token handling disallows certain trust setups to operate properly

    [ https://issues.apache.org/jira/browse/YARN-3021?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14300093#comment-14300093 ] 

Yongjun Zhang commented on YARN-3021:
-------------------------------------

Hi [~qwertymaniac],

Thanks a lot for your review and feedback! I just uploaded rev 002 to address them,

Right now my fix is to change {{RMAppManager#submitApplication}} (that calls {{DeletationTokenRenewer#addApplicationAsync}}) to check the config property setting. Because I saw that it's the method that gets called when distcp submits job. 

There is another place in {{RMAppImpl#transition}} that calls {{DeletationTokenRenewer#addApplicationSync}}, which I'm not familiar with.

I wonder if you could comment on that?

Thanks.




> YARN's delegation-token handling disallows certain trust setups to operate properly
> -----------------------------------------------------------------------------------
>
>                 Key: YARN-3021
>                 URL: https://issues.apache.org/jira/browse/YARN-3021
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.3.0
>            Reporter: Harsh J
>         Attachments: YARN-3021.001.patch, YARN-3021.002.patch, YARN-3021.patch
>
>
> Consider this scenario of 3 realms: A, B and COMMON, where A trusts COMMON, and B trusts COMMON (one way trusts both), and both A and B run HDFS + YARN clusters.
> Now if one logs in with a COMMON credential, and runs a job on A's YARN that needs to access B's HDFS (such as a DistCp), the operation fails in the RM, as it attempts a renewDelegationToken(…) synchronously during application submission (to validate the managed token before it adds it to a scheduler for automatic renewal). The call obviously fails cause B realm will not trust A's credentials (here, the RM's principal is the renewer).
> In the 1.x JobTracker the same call is present, but it is done asynchronously and once the renewal attempt failed we simply ceased to schedule any further attempts of renewals, rather than fail the job immediately.
> We should change the logic such that we attempt the renewal but go easy on the failure and skip the scheduling alone, rather than bubble back an error to the client, failing the app submission. This way the old behaviour is retained.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)