You are viewing a plain text version of this content. The canonical link for it is here.
Posted to yarn-issues@hadoop.apache.org by "Sushanta Sen (Jira)" <ji...@apache.org> on 2021/03/04 06:58:00 UTC

[jira] [Updated] (YARN-10669) Failed to renew token: Kind: TIMELINE_DELEGATION_TOKEN on RM switch and TS restart

     [ https://issues.apache.org/jira/browse/YARN-10669?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sushanta Sen updated YARN-10669:
--------------------------------
    Affects Version/s: 3.1.1

> Failed to renew token: Kind: TIMELINE_DELEGATION_TOKEN on RM switch and TS restart
> ----------------------------------------------------------------------------------
>
>                 Key: YARN-10669
>                 URL: https://issues.apache.org/jira/browse/YARN-10669
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: timelineservice
>    Affects Versions: 3.1.1
>         Environment: 3 Nodes Hadoop Secure cluster with 3.1.1 version
>            Reporter: Sushanta Sen
>            Priority: Major
>
> Using delegation token rather than the keytab of the user when submitting job to yarn. 
> And this config yarn.timeline-service.enabled = true.
> So addTimelineDelegationToken will be executed. My Job has submitted successfully, but the question is my job failed when I Switched RM and TS restart because TIMELINE_DELEGATION_TOKEN renew failed. 
> Only RM switch and TS restart will reproduce the issue.
> RM log snippet below:
> {noformat}
> 2020-12-02 17:37:21,268 | WARN  | DelegationTokenRenewer #3402 | Unable to add the application to the delegation token renewer. | DelegationTokenRenewer.java:949
> java.io.IOException: Failed to renew token: Kind: TIMELINE_DELEGATION_TOKEN, Service: 192.168.0.2:8190, Ident: (TIMELINE_DELEGATION_TOKEN owner=bnn, renewer=mapred, realUser=executor, issueDate=1606880472758, maxDate=1607485272758, sequenceNumber=11581, masterKeyId=13)
>         at org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer.handleAppSubmitEvent(DelegationTokenRenewer.java:508)
>         at org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer.access$1100(DelegationTokenRenewer.java:80)
>         at org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer$DelegationTokenRenewerRunnable.handleDTRenewerAppSubmitEvent(DelegationTokenRenewer.java:945)
>         at org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer$DelegationTokenRenewerRunnable.run(DelegationTokenRenewer.java:922)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>         at java.lang.Thread.run(Thread.java:748)
> Caused by: java.io.IOException: HTTP status [403], message [org.apache.hadoop.security.token.SecretManager$InvalidToken: Unable to find master key for keyId=13 from cache. Failed to renew an unexpired token (TIMELINE_DELEGATION_TOKEN owner=bnn, renewer=mapred, realUser=executor, issueDate=1606880472758, maxDate=1607485272758, sequenceNumber=11581, masterKeyId=13) with sequenceNumber=11581]
>         at org.apache.hadoop.util.HttpExceptionUtils.validateResponse(HttpExceptionUtils.java:174)
>         at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.doDelegationTokenOperation(DelegationTokenAuthenticator.java:323)
>         at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.renewDelegationToken(DelegationTokenAuthenticator.java:239)
>         at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticatedURL.renewDelegationToken(DelegationTokenAuthenticatedURL.java:426)
>         at org.apache.hadoop.yarn.client.api.impl.TimelineClientImpl$2.run(TimelineClientImpl.java:247)
>         at org.apache.hadoop.yarn.client.api.impl.TimelineClientImpl$2.run(TimelineClientImpl.java:227)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAs(Subject.java:422)
>         at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1729)
>         at org.apache.hadoop.yarn.client.api.impl.TimelineConnector$TimelineClientRetryOpForOperateDelegationToken.run(TimelineConnector.java:431)
>         at org.apache.hadoop.yarn.client.api.impl.TimelineConnector$TimelineClientConnectionRetry.retryOn(TimelineConnector.java:334)
>         at org.apache.hadoop.yarn.client.api.impl.TimelineConnector.operateDelegationToken(TimelineConnector.java:218)
>         at org.apache.hadoop.yarn.client.api.impl.TimelineClientImpl.renewDelegationToken(TimelineClientImpl.java:250)
>         at org.apache.hadoop.yarn.security.client.TimelineDelegationTokenIdentifier$Renewer.renew(TimelineDelegationTokenIdentifier.java:81)
>         at org.apache.hadoop.security.token.Token.renew(Token.java:490)
>         at org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer$1.run(DelegationTokenRenewer.java:634)
>         at org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer$1.run(DelegationTokenRenewer.java:631)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAs(Subject.java:422)
>         at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1729)
>         at org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer.renewToken(DelegationTokenRenewer.java:630)
>         at org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer.handleAppSubmitEvent(DelegationTokenRenewer.java:494)
> {noformat}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org