[jira] [Commented] (HADOOP-13251) DelegationTokenAuthenticationHandler should detect actual renewer when renew token

Thu, 09 Jun 2016 00:11:56 -0700 

    [ 
https://issues.apache.org/jira/browse/HADOOP-13251?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15322062#comment-15322062
 ] 

Xiao Chen commented on HADOOP-13251:
------------------------------------

In the described case, when yarn sends the renew token request, currently 
there's no way for KMS to figure out it was yarn who sent it - it creates the 
ugi from the delegation token. 
([code|https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticationHandler.java#L341-L345])
This is in comparison with other renewal feature. For example, hdfs does this 
by getting the remote user from IPC. 
([code|https://github.com/apache/hadoop/blob/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java#L5213]).

Ping [~rkanter] in case anything I said about yarn/dt is not right.

So the solution here seems to be providing a way for KMS server to figure out 
who the actual renewer is. Patch 1 expresses the idea.
Cancel works currently since cancel can be done by either a canceler or owner. 
But IMHO in the yarn case it really should be yarn to cancel the token too.

> DelegationTokenAuthenticationHandler should detect actual renewer when renew 
> token
> ----------------------------------------------------------------------------------
>
>                 Key: HADOOP-13251
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13251
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: kms
>    Affects Versions: 2.8.0
>            Reporter: Xiao Chen
>            Assignee: Xiao Chen
>
> Turns out KMS delegation token renewal feature (HADOOP-13155) does not work 
> well with client side impersonation.
> In a MR example, an end user (UGI:user) gets all kinds of DTs (with 
> renewer=yarn), and pass them to Yarn. Yarn's resource manager (UGI:yarn) then 
> renews these DTs as long as the MR jobs are running. But currently, the token 
> is used at the kms server side to decide the renewer, in which case is always 
> the token's owner. This ends up rejecting the renew request due to renewer 
> mismatch.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to