Posted to commits@spark.apache.org by va...@apache.org on 2019/01/23 00:46:17 UTC

[spark] branch branch-2.4 updated: [SPARK-26605][YARN] Update AM's credentials when creating tokens.

This is an automated email from the ASF dual-hosted git repository.

vanzin pushed a commit to branch branch-2.4
in repository https://gitbox.apache.org/repos/asf/spark.git


The following commit(s) were added to refs/heads/branch-2.4 by this push:
     new 10d7713  [SPARK-26605][YARN] Update AM's credentials when creating tokens.
10d7713 is described below

commit 10d7713f1259d4ba49020bb880ded5218ece55fb
Author: Marcelo Vanzin <va...@cloudera.com>
AuthorDate: Tue Jan 22 16:46:00 2019 -0800

    [SPARK-26605][YARN] Update AM's credentials when creating tokens.
    
    This ensures new executors in client mode also get the new tokens,
    instead of being started with potentially expired tokens.
    
    Closes #23523 from vanzin/SPARK-26605.
    
    Authored-by: Marcelo Vanzin <va...@cloudera.com>
    Signed-off-by: Marcelo Vanzin <va...@cloudera.com>
---
 .../spark/deploy/yarn/security/AMCredentialRenewer.scala   | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/resource-managers/yarn/src/main/scala/org/apache/spark/deploy/yarn/security/AMCredentialRenewer.scala b/resource-managers/yarn/src/main/scala/org/apache/spark/deploy/yarn/security/AMCredentialRenewer.scala
index bc8d47d..51ef7d3 100644
--- a/resource-managers/yarn/src/main/scala/org/apache/spark/deploy/yarn/security/AMCredentialRenewer.scala
+++ b/resource-managers/yarn/src/main/scala/org/apache/spark/deploy/yarn/security/AMCredentialRenewer.scala
@@ -86,6 +86,16 @@ private[yarn] class AMCredentialRenewer(
     val originalCreds = UserGroupInformation.getCurrentUser().getCredentials()
     val ugi = doLogin()
 
+    ugi.doAs(new PrivilegedExceptionAction[Unit]() {
+      override def run(): Unit = {
+        startInternal(ugi, originalCreds)
+      }
+    })
+
+    ugi
+  }
+
+  private def startInternal(ugi: UserGroupInformation, originalCreds: Credentials): Unit = {
     val tgtRenewalTask = new Runnable() {
       override def run(): Unit = {
         ugi.checkTGTAndReloginFromKeytab()
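Review bot: The new `startInternal` helper introduced at the bottom of this hunk carries no comment explaining why it has to run inside `ugi.doAs`, and the call site in `start()` does not make the reason obvious either. Presumably the point is that the renewal tasks it schedules, and any code they reach that reads `UserGroupInformation.getCurrentUser()`, should operate on the keytab-login user rather than the process's original user; that is an identity-sensitive invariant a later refactor could easily break. I would add a short Scaladoc on `startInternal`, for example `/** Must be invoked inside ugi.doAs(): the tasks scheduled here rely on the logged-in UGI being the current user. */`, after confirming that this is the actual intent. The body of `startInternal` continues outside the hunk, so the rest of what it schedules is not visible here.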
@@ -104,8 +114,6 @@ private[yarn] class AMCredentialRenewer(
     val existing = ugi.getCredentials()
     existing.mergeAll(originalCreds)
     ugi.addCredentials(existing)
-
-    ugi
   }
 
   def stop(): Unit = {
@@ -136,8 +144,8 @@ private[yarn] class AMCredentialRenewer(
         // This shouldn't really happen, since the driver should register way before tokens expire
         // (or the AM should time out the application).
         logWarning("Delegation tokens close to expiration but no driver has registered yet.")
-        SparkHadoopUtil.get.addDelegationTokens(tokens, sparkConf)
       }
+      SparkHadoopUtil.get.addDelegationTokens(tokens, sparkConf)
     } catch {
       case e: Exception =>
         val delay = TimeUnit.SECONDS.toMillis(sparkConf.get(CREDENTIALS_RENEWAL_RETRY_WAIT))
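Review bot: The relocated `SparkHadoopUtil.get.addDelegationTokens(tokens, sparkConf)` now runs on every successful renewal, but nothing next to it says why the AM's own credentials must be refreshed even when a driver is registered. The existing comment above it only describes the no-driver case, so a reader could take the call for a leftover of that branch and move it back. I would add a comment directly above the call, such as `// Always update the AM's own credentials so containers launched later (e.g. new executors in client mode) start with the fresh tokens.` Because the call still sits inside the `try`, an exception from the preceding driver-notification branch skips it and leaves the AM on the older tokens until the retry scheduled in the `catch` runs. The start of the `try` is outside the hunk, so it is worth confirming that this retry path is acceptable for tokens that are already close to expiry.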

