You are viewing a plain text version of this content. The canonical link for it is here.

Posted to yarn-issues@hadoop.apache.org by "Shen Yinjie (JIRA)" <ji...@apache.org> on 2019/04/25 08:33:00 UTC

[jira] [Created] (YARN-9510) Proxyuser access timeline and getdelegationtoken failed without Timeline server restart

Shen Yinjie created YARN-9510:
---------------------------------

             Summary: Proxyuser access timeline and getdelegationtoken failed without Timeline server restart
                 Key: YARN-9510
                 URL: https://issues.apache.org/jira/browse/YARN-9510
             Project: Hadoop YARN
          Issue Type: Improvement
          Components: timelineserver
    Affects Versions: 3.1.0
            Reporter: Shen Yinjie


We add a proxyuser by changing "hadoop.proxyuser.xx.yy", and then execute yarn rmadmin -refreshSuperUserGroupsConfiguration but didn't  restart timeline server.MR job will fail and throws :
Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: Authentication failed, URL: http://hostname:8188/ws/v1/timeline/?op=GETDELEGATIONTOKEN&doAs=alluxio&renewer=rm%2Fhc1%40XXF&user.name=ambari-qa, status: 403, message: Forbidden
	at org.apache.hadoop.security.authentication.client.AuthenticatedURL.extractToken(AuthenticatedURL.java:401)
	at org.apache.hadoop.security.authentication.client.PseudoAuthenticator.authenticate(PseudoAuthenticator.java:74)
	at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.authenticate(DelegationTokenAuthenticator.java:147)
	at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:213)

seems that proxyuser info in timeline server has not been refreshed.




--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org