Posted to yarn-issues@hadoop.apache.org by "Robert Kanter (JIRA)" <ji...@apache.org> on 2017/05/17 21:49:04 UTC

[jira] [Updated] (YARN-6602) Impersonation does not work if standby RM is contacted first

     [ https://issues.apache.org/jira/browse/YARN-6602?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Kanter updated YARN-6602:
--------------------------------
    Attachment: YARN-6602.001.patch

The 001 patch:
- Fixes the problem by making {{RMProxy}} ({{ClientRMProxy}} and {{ServerRMProxy}}) no longer singleton instances so we can store the current UGI when they're created, and then use it when creating the RPC in {{RMProxy#getProxy}}
- Removes a deprecated method from {{RMProxy}} (deprecated in Hadoop 2.3.0)
- Adds a test that verifies that the proxy user (impersonation) works correctly

I've also verified that Oozie on Yarn and the Hadoop CLI are able to submit jobs correctly on both a secure and non-secure cluster.

> Impersonation does not work if standby RM is contacted first
> ------------------------------------------------------------
>
>                 Key: YARN-6602
>                 URL: https://issues.apache.org/jira/browse/YARN-6602
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: client
>    Affects Versions: 3.0.0-alpha3
>            Reporter: Robert Kanter
>            Assignee: Robert Kanter
>            Priority: Blocker
>         Attachments: YARN-6602.001.patch
>
>
> When RM HA is enabled, impersonation does not work correctly if the Yarn Client connects to the standby RM first.  When this happens, the impersonation is "lost" and the client does things on behalf of the impersonator user.  We saw this with the OOZIE-1770 Oozie on Yarn feature.
> I need to investigate this some more, but it appears to be related to delegation tokens.  When this issue occurs, the tokens have the owner as "oozie" instead of the actual user.  On a hunch, we found a workaround, which is that explicitly adding a correct RM HA delegation token fixes the problem:
> {code:java}
> org.apache.hadoop.yarn.api.records.Token token = yarnClient.getRMDelegationToken(ClientRMProxy.getRMDelegationTokenService(conf));
> org.apache.hadoop.security.token.Token token2 = new org.apache.hadoop.security.token.Token(token.getIdentifier().array(), token.getPassword().array(), new Text(token.getKind()), new Text(token.getService()));
> UserGroupInformation.getCurrentUser().addToken(token2);
> {code}



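The pattern the 001 patch notes describe (store the current UGI when the proxy object is created, then use it when the RPC is created), as an added example that is not part of the original message or the patch. The names UgiCaptureDemo, SharedFactory, CapturingFactory and openConnection() and the user "alice" are hypothetical, and the reconnect running in the service's own context is an assumption made for illustration; it needs hadoop-common on the classpath.

```java
import java.io.IOException;
import java.security.PrivilegedAction;
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.security.UserGroupInformation;

public class UgiCaptureDemo {

    // Hypothetical stand-in for creating an RPC: reports the user it would run as.
    static String openConnection() {
        try {
            return UserGroupInformation.getCurrentUser().getUserName();
        } catch (IOException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Shared instance: the identity is resolved each time a connection is made. */
    static final class SharedFactory {
        static final SharedFactory INSTANCE = new SharedFactory();
        String connect() { return openConnection(); }
    }

    /** Per-caller instance: the identity is captured once, at construction. */
    static final class CapturingFactory {
        private final UserGroupInformation owner;
        CapturingFactory() throws IOException {
            this.owner = UserGroupInformation.getCurrentUser();
        }
        String connect() {
            // Re-enter the captured identity before the connection is created.
            return owner.doAs((PrivilegedAction<String>) UgiCaptureDemo::openConnection);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed identities: "oozie" is the service, "alice" the user it acts for.
        UserGroupInformation service = UserGroupInformation.createRemoteUser("oozie");
        UserGroupInformation alice = UserGroupInformation.createProxyUser("alice", service);
        // The client object is built while impersonating alice.
        CapturingFactory perCaller =
            alice.doAs((PrivilegedExceptionAction<CapturingFactory>) CapturingFactory::new);
        // Assumption: a later reconnect happens in the service's own context.
        service.doAs((PrivilegedAction<Void>) () -> {
            System.out.println("shared:    " + SharedFactory.INSTANCE.connect());
            System.out.println("capturing: " + perCaller.connect());
            return null;
        });
    }
}
```

With simple (non-Kerberos) authentication, the shared factory resolves to the service user at reconnect time, while the capturing factory still acts as alice.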