You are viewing a plain text version of this content. The canonical link for it is here.

Posted to common-issues@hadoop.apache.org by GitBox <gi...@apache.org> on 2022/04/19 10:20:32 UTC

[GitHub] [hadoop] steveloughran commented on a diff in pull request #4198: YARN-11112 Avoid renewing delegation token when app is first submitte…

steveloughran commented on code in PR #4198:
URL: https://github.com/apache/hadoop/pull/4198#discussion_r852861057


##########
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/DelegationTokenRenewer.java:
##########
@@ -46,6 +46,7 @@
 import java.util.concurrent.locks.ReadWriteLock;
 import java.util.concurrent.locks.ReentrantReadWriteLock;
 
+import org.apache.hadoop.security.token.TokenIdentifier;

Review Comment:
   nit: should go in to the other org.apache. imports



##########
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/DelegationTokenRenewer.java:
##########
@@ -522,10 +523,23 @@ private void handleAppSubmitEvent(AbstractDelegationTokenRenewerAppEvent evt)
           }  else {
             tokenConf = getConfig();
           }
-          dttr = new DelegationTokenToRenew(Arrays.asList(applicationId), token,
-              tokenConf, now, shouldCancelAtEnd, evt.getUser());
+          // decode identify to get maxDate.
+          TokenIdentifier tokenIdentifier = token.decodeIdentifier();
+          long expirationDate = now;
+          if (tokenIdentifier instanceof AbstractDelegationTokenIdentifier) {
+            // cast to abstract
+            AbstractDelegationTokenIdentifier tmpIdentifier =
+                    (AbstractDelegationTokenIdentifier) tokenIdentifier;
+            expirationDate = tmpIdentifier.getMaxDate();
+          }
+          dttr = new DelegationTokenToRenew(Collections.singletonList(applicationId), token,
+              tokenConf, expirationDate, shouldCancelAtEnd, evt.getUser());
+
           try {
-            renewToken(dttr);
+            // if expire date is not greater than now, renew token.
+            if (expirationDate <= now) {

Review Comment:
   that's going to break if the clocks are out of sync; tokens also need to be renewed if they are going to expire soon



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org