You are viewing a plain text version of this content. The canonical link for it is here.
Posted to yarn-issues@hadoop.apache.org by "Shilun Fan (Jira)" <ji...@apache.org> on 2023/02/17 07:33:00 UTC

[jira] [Comment Edited] (YARN-9708) Yarn Router Support DelegationToken

    [ https://issues.apache.org/jira/browse/YARN-9708?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17690197#comment-17690197 ] 

Shilun Fan edited comment on YARN-9708 at 2/17/23 7:32 AM:
-----------------------------------------------------------

[~krishan1390] Thank you very much for your question. I will add a document as soon as possible to explain this feature. When completing this pr, we refer to the design of Router of HDFS RBF and RMDelegationTokenManager. I will complete the document in 1-2 days. We have completed this feature.


was (Author: slfan1989):
[~krishan1390] Thank you very much for your question. I will add a document as soon as possible to explain this feature. When completing this pr, we refer to the design of Router of HDFS RBF and RMDelegationTokenManager. I will complete the document in 1-2 days.

> Yarn Router Support DelegationToken
> -----------------------------------
>
>                 Key: YARN-9708
>                 URL: https://issues.apache.org/jira/browse/YARN-9708
>             Project: Hadoop YARN
>          Issue Type: New Feature
>          Components: router
>    Affects Versions: 3.4.0
>            Reporter: Xie YiFan
>            Assignee: Shilun Fan
>            Priority: Major
>              Labels: pull-request-available
>         Attachments: Add_getDelegationToken_and_SecureLogin_in_router.patch, RMDelegationTokenSecretManager_storeNewMasterKey.svg, RouterDelegationTokenSecretManager_storeNewMasterKey.svg
>
>
> 1.we use router as proxy to manage multiple cluster which be independent of each other in order to apply unified client. Thus, we implement our customized AMRMProxyPolicy that doesn't broadcast ResourceRequest to other cluster.
> 2.Our production environment need kerberos. But router doesn't support SecureLogin for now.
> https://issues.apache.org/jira/browse/YARN-6539 desn't work. So we improvement it.
> 3.Some framework like oozie would get Token via yarnclient#getDelegationToken which router doesn't support. Our solution is that adding homeCluster to ApplicationSubmissionContextProto & GetDelegationTokenRequestProto. Job would be submitted with specified clusterid so that router knows which cluster to submit this job. Router would get Token from one RM according to specified clusterid when client call getDelegation meanwhile apply some mechanism to save this token in memory.
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org