You are viewing a plain text version of this content. The canonical link for it is here.

Posted to common-issues@hadoop.apache.org by "Xiao Chen (JIRA)" <ji...@apache.org> on 2016/06/09 06:32:20 UTC

[jira] [Created] (HADOOP-13251) DelegationTokenAuthenticationHandler should detect actual renewer when renew token

Xiao Chen created HADOOP-13251:
----------------------------------

             Summary: DelegationTokenAuthenticationHandler should detect actual renewer when renew token
                 Key: HADOOP-13251
                 URL: https://issues.apache.org/jira/browse/HADOOP-13251
             Project: Hadoop Common
          Issue Type: Bug
          Components: kms
    Affects Versions: 2.8.0
            Reporter: Xiao Chen
            Assignee: Xiao Chen


Turns out KMS delegation token renewal feature (HADOOP-13155) does not work well with client side impersonation.
In a MR example, an end user (UGI:user) gets all kinds of DTs (with renewer=yarn), and pass them to Yarn. Yarn's resource manager (UGI:yarn) then renews these DTs as long as the MR jobs are running. But currently, the token is used at the kms server side to decide the renewer, in which case is always the token's owner. This ends up rejecting the renew request due to renewer mismatch.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org