-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/61734/#review184144
-----------------------------------------------------------




core/src/main/java/org/apache/oozie/action/hadoop/JavaActionExecutor.java
Lines 996 (patched)
<https://reviews.apache.org/r/61734/#comment260202>

    OK, finally I realized what the problem is with this approach :)
    
    So, I would just go ahead and create a Credentials object in secure mode if
    it doesn't exist at this point. It's necessary, because we can't add the HDFS
    token into it right now if it's null. But there are use cases where users use
    only shell action and don't retrieve any delegation token for it (because they
    have keytabs localized instead - it's realistic).
    
    So it's necessary to always have HDFS tokens in secure mode, regardless of
    credentialsProperties.


- Peter Bacsko


On Aug. 29, 2017, 8:44 a.m., András Piros wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/61734/
> -----------------------------------------------------------
> 
> (Updated Aug. 29, 2017, 8:44 a.m.)
> 
> 
> Review request for oozie, Peter Cseh, Peter Bacsko, and Robert Kanter.
> 
> 
> Repository: oozie-git
> 
> 
> Description
> -------
> 
> In a secure environment, when both HDFS HA and log aggregation are turned on, 
> `JavaActionExecutor` is not able to call `YarnClient#submitApplication` since 
> `HDFS_DELEGATION_TOKEN` is missing.
> 
> In those cases we need to get `HDFS_DELEGATION_TOKEN` from YARN:
> 
> * get server principal / YARN renewer via `HadoopAccessorService#getServerPrincipal`
> * get `HDFS_DELEGATION_TOKEN` via `DFSClient#getDelegationToken`
> * add `HDFS_DELEGATION_TOKEN` to `Credentials`
> 
> 
> Diffs
> -----
> 
>   core/src/main/java/org/apache/oozie/action/hadoop/JavaActionExecutor.java dc17950418ada9b4848ed5597702a29e7124ab38
>   core/src/main/java/org/apache/oozie/service/HadoopAccessorService.java b507c79d44aa2095caf532a5f4d19d20c1a30630
>   core/src/test/java/org/apache/oozie/action/hadoop/TestJavaActionExecutor.java c51c64a18c74c73aa9907027992033a9975bf4d7
> 
> 
> Diff: https://reviews.apache.org/r/61734/diff/3/
> 
> 
> Testing
> -------
> 
> `TestJavaActionExecutor`, `TestHadoopAccessorService`
> 
> 
> Thanks,
> 
> András Piros
> 
>
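
The guard this review comment argues for, as an added example that is not Oozie's code or part of the patch under review: in secure mode a `Credentials` object is created when none exists, so an HDFS delegation token can always be added. The class and method names are hypothetical, the renewer is assumed to be resolved by the caller, and the public `FileSystem#addDelegationTokens` call is used in place of the `DFSClient#getDelegationToken` call named in the description.

```java
import java.io.IOException;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;

/** Hypothetical helper for illustration; not taken from Oozie. */
public final class HdfsTokenExample {

    private HdfsTokenExample() {
    }

    /**
     * Returns the Credentials to ship with the launcher submission.
     *
     * @param credentials tokens collected so far; null when the action
     *                    configured no credentials (e.g. a shell action
     *                    that relies on a localized keytab)
     * @param conf        configuration pointing at the (HA) nameservice
     * @param renewer     YARN renewer principal, resolved by the caller
     */
    public static Credentials ensureHdfsToken(Credentials credentials,
            Configuration conf, String renewer) throws IOException {
        // Delegation tokens only exist under Kerberos; leave simple auth alone.
        if (!UserGroupInformation.isSecurityEnabled()) {
            return credentials;
        }
        if (renewer == null || renewer.isEmpty()) {
            throw new IOException("No renewer principal; cannot request an HDFS token");
        }
        // The point of the review comment: never skip the HDFS token just
        // because no Credentials object was created earlier.
        if (credentials == null) {
            credentials = new Credentials();
        }
        // Cached FileSystem instance, so it is not closed here.
        FileSystem fs = FileSystem.get(conf);
        // Adds a token only for services that do not already have one.
        Token<?>[] added = fs.addDelegationTokens(renewer, credentials);
        if (added != null) {
            for (Token<?> token : added) {
                // Log kind and service only; never the token bytes.
                System.out.println("Added " + token.getKind() + " for " + token.getService());
            }
        }
        return credentials;
    }
}
```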
