[ 
https://issues.apache.org/jira/browse/HADOOP-12752?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15124883#comment-15124883
 ] 

Steve Loughran commented on HADOOP-12752:
-----------------------------------------

I must respectfully disagree.  {{HADOOP_TOKEN_FILE_LOCATION}} is the env var by 
which YARN propagates credentials to launched apps. YARN cannot set the -D 
value on the sysprops of a launched java app, as it doesn't know whether a java 
app is running.

It's also used by Oozie; I've been documenting what's going on for YARN apps 
here to have a set of methods to do credential setup properly without each YARN 
app getting things differently wrong. One fun thing here is in client launch, 
deciding whether or not to ask for delegation tokens for things like HDFS. It's 
generally done, that being how Dshell does it - but it's precisely the wrong 
thing to do on Oozie-launched code, and now with hadoop.token.files propagated 
credentials. Current codepaths across YARN apps appear to look for that env var 
explicitly. We need to extend UGI to allow apps to determine whether 
credentials were supplied without knowing the details (== has credentials but 
not kinited or keytabed and with no tgt)

w.r.t {{hadoop.token.files}}, I see it is new, but also see that it appears to 
be continuing the bad habits of the existing UGI code: no documentation, no 
logging. We can do better.

> Improve diagnostics/use of envvar/sysprop credential propagation
> ----------------------------------------------------------------
>
>                 Key: HADOOP-12752
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12752
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: security
>    Affects Versions: 2.7.2
>            Reporter: Steve Loughran
>
> * document the system property {{hadoop.token.files}}. 
> * document the env var {{HADOOP_TOKEN_FILE_LOCATION}}.
> * When UGI inits tokens off that or the env var, log this fact
> * when trying to load a file referenced in the env var (a) trim it and (b) 
> check for it existing, failing with a message referring to the ENV var as 
> well as the file.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
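
The check described in the last two bullets of the issue, as an added example that is not Hadoop's own UGI code and not part of the original message. The class `TokenFileCheck` and the method `resolve` are hypothetical names, and only JDK calls are used.

```java
import java.io.FileNotFoundException;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Optional;
import java.util.logging.Logger;

// Added illustration: TokenFileCheck and resolve() are hypothetical names, not Hadoop APIs.
public class TokenFileCheck {
  static final String ENV_VAR = "HADOOP_TOKEN_FILE_LOCATION";
  private static final Logger LOG = Logger.getLogger(TokenFileCheck.class.getName());

  /** Returns the token file path, or empty when the env var value is unset or blank. */
  static Optional<Path> resolve(String rawValue) throws IOException {
    if (rawValue == null || rawValue.trim().isEmpty()) {
      LOG.info(ENV_VAR + " is not set: no propagated token file to load");
      return Optional.empty();
    }
    // (a) trim: stray whitespace or a trailing newline is not part of the path
    Path path = Paths.get(rawValue.trim()).toAbsolutePath();
    // (b) existence check, failing with a message that names the env var and the file
    if (!Files.exists(path)) {
      throw new FileNotFoundException("Token file " + path
          + " does not exist (path taken from env var " + ENV_VAR + "='" + rawValue + "')");
    }
    if (!Files.isRegularFile(path) || !Files.isReadable(path)) {
      throw new IOException("Token file " + path
          + " is not a readable regular file (path taken from env var " + ENV_VAR + ")");
    }
    // Log where the credentials came from; never log the file's contents.
    LOG.info("Loading tokens from " + path + " (env var " + ENV_VAR + ")");
    return Optional.of(path);
  }

  public static void main(String[] args) throws IOException {
    // Constructed inputs: a temp file stands in for a propagated token file.
    Path sample = Files.createTempFile("container_tokens", ".bin");
    sample.toFile().deleteOnExit();
    System.out.println(resolve("  " + sample + " \n"));   // padded value still resolves
    System.out.println(resolve("   "));                    // blank value: nothing to load
    try {
      resolve("/nonexistent/container_tokens");
    } catch (FileNotFoundException e) {
      System.out.println(e.getMessage());                  // names both env var and file
    }
    System.out.println(resolve(System.getenv(ENV_VAR)));  // value from the real environment
  }
}
```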
