You are viewing a plain text version of this content. The canonical link for it is here.
Posted to yarn-issues@hadoop.apache.org by "Shen Yinjie (JIRA)" <ji...@apache.org> on 2019/04/25 08:33:00 UTC
[jira] [Created] (YARN-9510) Proxyuser access timeline and
getdelegationtoken failed without Timeline server restart
Shen Yinjie created YARN-9510:
---------------------------------
Summary: Proxyuser access timeline and getdelegationtoken failed without Timeline server restart
Key: YARN-9510
URL: https://issues.apache.org/jira/browse/YARN-9510
Project: Hadoop YARN
Issue Type: Improvement
Components: timelineserver
Affects Versions: 3.1.0
Reporter: Shen Yinjie
We add a proxyuser by changing "hadoop.proxyuser.xx.yy", and then execute yarn rmadmin -refreshSuperUserGroupsConfiguration but didn't restart timeline server.MR job will fail and throws :
Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: Authentication failed, URL: http://hostname:8188/ws/v1/timeline/?op=GETDELEGATIONTOKEN&doAs=alluxio&renewer=rm%2Fhc1%40XXF&user.name=ambari-qa, status: 403, message: Forbidden
at org.apache.hadoop.security.authentication.client.AuthenticatedURL.extractToken(AuthenticatedURL.java:401)
at org.apache.hadoop.security.authentication.client.PseudoAuthenticator.authenticate(PseudoAuthenticator.java:74)
at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.authenticate(DelegationTokenAuthenticator.java:147)
at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:213)
seems that proxyuser info in timeline server has not been refreshed.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org