[
https://issues.apache.org/jira/browse/HADOOP-12732?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15113256#comment-15113256
]
Daniel Templeton commented on HADOOP-12732:
-------------------------------------------
This should happen in every YARN application that talks to HDFS, which is all
of them. MapReduce does it correctly, but I expect most of the rest do not.
When a YARN client adds an HDFS delegation token, it sets a renewer. The
canonical pattern is to read the renewer from the RM_PRINCIPAL property, which
almost always has the _HOST placeholder in it. Once the renewer has been set,
however, it doesn't get translated, and HDFS ends up rejecting the app's calls
because the host part of the renewer principal is invalid. The issue only
shows up with non-MR apps in clusters where auth_to_local is particular about
services' hosts.
Using the client's hostname is probably not the right thing. It should be the
RM's hostname instead. For an example, look at the
{{YarnClientImpl.getTimelineDelegationTokenRenewer()}} method:
{code}
String rmPrincipal = conf.get(YarnConfiguration.RM_PRINCIPAL);
String renewer = null;
if (rmPrincipal != null && rmPrincipal.length() > 0) {
  // Resolve _HOST against the RM's own address, not the client's hostname.
  String rmHost = conf.getSocketAddr(
      YarnConfiguration.RM_ADDRESS,
      YarnConfiguration.DEFAULT_RM_ADDRESS,
      YarnConfiguration.DEFAULT_RM_PORT).getHostName();
  renewer = SecurityUtil.getServerPrincipal(rmPrincipal, rmHost);
}
{code}
As far as I can tell, this method will break in an HA environment because it
doesn't look at the RM_ID, but it does generally the right thing.
The problem is that the distributed shell does it wrong, and a lot of third-party
applications were built using the distributed shell as a reference. I can name
at least one, and I strongly suspect there are a lot more.
I swear there is already a JIRA that addresses exactly this issue, but I can't
find it anymore. It was talking about moving the _HOST translation to the
server side rather than in the client library, since the RM is best qualified
to know its own hostname.
> Filesystem.addDelegationToken() should automatically replace _HOST
> ------------------------------------------------------------------
>
> Key: HADOOP-12732
> URL: https://issues.apache.org/jira/browse/HADOOP-12732
> Project: Hadoop Common
> Issue Type: Improvement
> Components: fs
> Affects Versions: 2.7.1
> Reporter: Daniel Templeton
> Assignee: Daniel Templeton
> Priority: Critical
>
> It is currently the client's responsibility to call
> {{SecurityUtil.getServerPrincipal()}} to replace the _HOST placeholder in any
> principal name used for a delegation token. This is a non-optional operation
> and should not be pushed onto the client. As the
> {{SecurityUtil.getServerPrincipal()}} call is already designed to be both
> highly efficient and idempotent, I see no reason not to move the call into
> the {{FileSystem.addDelegationToken()}} call.
> As additional incentive, all client apps that followed the distributed shell
> as the canonical example failed to do the replacement because distributed
> shell fails to do the replacement. (See YARN-4629.) Rather than fixing the
> whole world, let's move the operation into the API where it belongs.
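As an added illustration, not Hadoop's own code and not part of the comment or the issue text, the following Python reimplements the _HOST substitution that {{SecurityUtil.getServerPrincipal()}} performs and the renewer derivation quoted above, alongside the distributed-shell mistake and a pre-submission check that catches an unresolved placeholder. The yarn-site key names, the default RM address and the lower-casing behaviour are assumptions taken from my reading of the Hadoop source; the sample configuration is constructed.

```python
import socket
from typing import Optional

HOST_PATTERN = "_HOST"

def get_server_principal(principal_config: str, hostname: str) -> str:
    """Mirror of SecurityUtil.getServerPrincipal() (semantics assumed from the
    Hadoop source): only a principal shaped service/_HOST@REALM is rewritten;
    the hostname is lower-cased, and an empty or 0.0.0.0 host falls back to
    the local FQDN. Any other shape is returned unchanged."""
    if not principal_config or "/" not in principal_config:
        return principal_config
    service, rest = principal_config.split("/", 1)
    if "@" not in rest:
        return principal_config
    host_part, realm = rest.split("@", 1)
    if host_part != HOST_PATTERN:
        return principal_config
    fqdn = hostname if hostname and hostname != "0.0.0.0" else socket.getfqdn()
    return f"{service}/{fqdn.lower()}@{realm}"

def timeline_token_renewer(conf: dict) -> Optional[str]:
    """Same flow as YarnClientImpl.getTimelineDelegationTokenRenewer(): the
    renewer is the RM principal resolved against the RM's host, not the
    client's. Config keys are the assumed yarn-site.xml names."""
    rm_principal = conf.get("yarn.resourcemanager.principal")
    if not rm_principal:
        return None
    rm_addr = conf.get("yarn.resourcemanager.address", "0.0.0.0:8032")
    rm_host = rm_addr.rsplit(":", 1)[0]
    return get_server_principal(rm_principal, rm_host)

def distributed_shell_renewer(conf: dict) -> Optional[str]:
    """The mistake described in the issue: the raw RM principal is used as
    the renewer, so _HOST is never substituted."""
    return conf.get("yarn.resourcemanager.principal")

def renewer_is_resolved(renewer: Optional[str]) -> bool:
    """Pre-submission check: a renewer still carrying the placeholder will be
    rejected by HDFS because its host component is invalid."""
    return bool(renewer) and HOST_PATTERN not in renewer

# Constructed sample configuration for a secured, non-HA cluster.
SAMPLE_CONF = {
    "yarn.resourcemanager.principal": "rm/_HOST@EXAMPLE.COM",
    "yarn.resourcemanager.address": "RM1.Example.COM:8032",
}

if __name__ == "__main__":
    print(timeline_token_renewer(SAMPLE_CONF))  # rm/rm1.example.com@EXAMPLE.COM
    print(renewer_is_resolved(distributed_shell_renewer(SAMPLE_CONF)))  # False
```

Note that, like the Java it mirrors, this reads a single RM address and so shares the HA gap the comment points out; an HA-aware version would have to pick the address for the active RM_ID.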
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)