Posted to dev@oozie.apache.org by "Peter Bacsko (JIRA)" <ji...@apache.org> on 2017/09/04 09:35:00 UTC
[jira] [Commented] (OOZIE-2909) LauncherAM: rewrite UGI calls
[ https://issues.apache.org/jira/browse/OOZIE-2909?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16152381#comment-16152381 ]
Peter Bacsko commented on OOZIE-2909:
-------------------------------------
Some notes:
1. {{getLoginUser()}} cannot be used - it only works if the user in question has Kerberos TGTs on all machines (or on the machine where the launcher can possibly run).
2. Need extra delegation token: {{RM_DELEGATION_TOKEN}}, see #3.
3. The default token ({{RM_AM_DELEGATION_TOKEN}}) injected by YARN is not enough to invoke methods on the RM. It's only enough for registering the AM and sending heartbeats.
> LauncherAM: rewrite UGI calls
> -----------------------------
>
> Key: OOZIE-2909
> URL: https://issues.apache.org/jira/browse/OOZIE-2909
> Project: Oozie
> Issue Type: Sub-task
> Reporter: Peter Bacsko
> Assignee: Peter Cseh
> Attachments: OOZIE-2909-001.patch
>
>
> There are two problems in LauncherAM:
> 1) In a kerberized cluster, we have to use {{UGI.getLoginUser()}} even though a call to {{createRemoteUser()}} should be enough, just like in {{MRAppMaster.java}}. Reference code:
> https://github.com/apache/hadoop/blob/3ed3062fe3979ff55a411b730a8eee2b2c96d6b3/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/MRAppMaster.java#L1718-L1726
> 2) It's enough if we wrap the whole LauncherAM logic in a single {{doAs()}} call. No need for multiple {{doAs()}}, just makes the whole thing more complicated.
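The approach discussed in this thread, as an added example that is not part of the original message and is not Oozie's LauncherAM code: build the UGI with {{createRemoteUser()}}, attach the container's tokens as the referenced MRAppMaster code does, check that a token of the kind named in note 2 is present, and run everything in one {{doAs()}}. The class name {{SingleDoAsLauncher}} and the helpers {{hasTokenOfKind}} and {{runLauncher}} are hypothetical; it assumes hadoop-common and hadoop-yarn-api on the classpath.

```java
import java.security.PrivilegedExceptionAction;

import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.yarn.api.ApplicationConstants;

// Added sketch, not Oozie's LauncherAM; class and helper names are hypothetical.
public class SingleDoAsLauncher {

    // Token kind taken from the comment above (note 2).
    private static final Text RM_DELEGATION_TOKEN = new Text("RM_DELEGATION_TOKEN");

    public static void main(String[] args) throws Exception {
        // YARN exports the submitting user's name into the container environment.
        String submitter = System.getenv(ApplicationConstants.Environment.USER.name());

        // Tokens YARN localized for this container, obtained as in MRAppMaster.
        Credentials credentials = UserGroupInformation.getCurrentUser().getCredentials();

        // Fail early with a clear message instead of a later auth error from the RM.
        if (!hasTokenOfKind(credentials, RM_DELEGATION_TOKEN)) {
            throw new IllegalStateException("No " + RM_DELEGATION_TOKEN + " in container credentials");
        }

        // Token-based identity for the submitter; needs no Kerberos TGT on this host.
        UserGroupInformation ugi = UserGroupInformation.createRemoteUser(submitter);
        ugi.addCredentials(credentials);

        // One doAs() around the whole launcher logic.
        int exitCode = ugi.doAs((PrivilegedExceptionAction<Integer>) () -> runLauncher(args));
        System.exit(exitCode);
    }

    static boolean hasTokenOfKind(Credentials credentials, Text kind) {
        for (Token<?> token : credentials.getAllTokens()) {
            if (kind.equals(token.getKind())) {
                return true;
            }
        }
        return false;
    }

    // Stand-in for the launcher body: reports the effective user and token kinds only,
    // never token contents, so the output is safe to keep in container logs.
    static int runLauncher(String[] args) throws Exception {
        UserGroupInformation current = UserGroupInformation.getCurrentUser();
        System.out.println("Running as " + current.getShortUserName());
        for (Token<?> token : current.getCredentials().getAllTokens()) {
            System.out.println("Token kind available: " + token.getKind());
        }
        return 0;
    }
}
```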