[ https://issues.apache.org/jira/browse/OOZIE-3035?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16144101#comment-16144101 ]
Robert Kanter commented on OOZIE-3035: -------------------------------------- I think we should always get HDFS tokens; we always get a Yarn token too (it's transparent though). The skip property's purpose was for the {{<credential>}} section tokens, so that you can easily disable them if you play with your workflow in a non-secure environment. In a non-secure environment, Oozie won't get the HDFS token anyway. > HDFS HA and log aggregation: getting HDFS delegation token from YARN renewer > within JavaActionExecutor > ------------------------------------------------------------------------------------------------------ > > Key: OOZIE-3035 > URL: https://issues.apache.org/jira/browse/OOZIE-3035 > Project: Oozie > Issue Type: Bug > Affects Versions: 4.3.0 > Environment: * [*Hadoop 3 alpha > 4*|https://github.com/apache/hadoop/tree/branch-3.0.0-alpha4] > * [*HDFS > HA*|https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-hdfs/HDFSHighAvailabilityWithNFS.html] > * log aggregation turned on > Reporter: Andras Piros > Assignee: Andras Piros > Fix For: 5.0.0 > > Attachments: OOZIE-3035.001.patch, OOZIE-3035.002.patch, > OOZIE-3035.003.patch > > > In a secure environment, when both HDFS HA and log aggregation are turned on, > {{JavaActionExecutor}} is not able to call {{YarnClient#submitApplication}} > since {{HDFS_DELEGATION_TOKEN}} is missing. > In those cases we need to get {{HDFS_DELEGATION_TOKEN}} from YARN: > * get server principal / YARN renewer via > {{HadoopAccessorService#getServerPrincipal}} > * get {{HDFS_DELEGATION_TOKEN}} via {{DFSClient#getDelegationToken}} > * add {{HDFS_DELEGATION_TOKEN}} to {{Credentials}} -- This message was sent by Atlassian JIRA (v6.4.14#64029)