[
https://issues.apache.org/jira/browse/OOZIE-3035?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16144101#comment-16144101
]
Robert Kanter commented on OOZIE-3035:
--------------------------------------
I think we should always get HDFS tokens; we always get a Yarn token too (it's
transparent though). The skip property's purpose was for the {{<credential>}}
section tokens, so that you can easily disable them if you play with your
workflow in a non-secure environment. In a non-secure environment, Oozie won't
get the HDFS token anyway.
> HDFS HA and log aggregation: getting HDFS delegation token from YARN renewer
> within JavaActionExecutor
> ------------------------------------------------------------------------------------------------------
>
> Key: OOZIE-3035
> URL: https://issues.apache.org/jira/browse/OOZIE-3035
> Project: Oozie
> Issue Type: Bug
> Affects Versions: 4.3.0
> Environment: * [*Hadoop 3 alpha
> 4*|https://github.com/apache/hadoop/tree/branch-3.0.0-alpha4]
> * [*HDFS
> HA*|https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-hdfs/HDFSHighAvailabilityWithNFS.html]
> * log aggregation turned on
> Reporter: Andras Piros
> Assignee: Andras Piros
> Fix For: 5.0.0
>
> Attachments: OOZIE-3035.001.patch, OOZIE-3035.002.patch,
> OOZIE-3035.003.patch
>
>
> In a secure environment, when both HDFS HA and log aggregation are turned on,
> {{JavaActionExecutor}} is not able to call {{YarnClient#submitApplication}}
> since {{HDFS_DELEGATION_TOKEN}} is missing.
> In those cases we need to get {{HDFS_DELEGATION_TOKEN}} from YARN:
> * get server principal / YARN renewer via
> {{HadoopAccessorService#getServerPrincipal}}
> * get {{HDFS_DELEGATION_TOKEN}} via {{DFSClient#getDelegationToken}}
> * add {{HDFS_DELEGATION_TOKEN}} to {{Credentials}}
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
