[
https://issues.apache.org/jira/browse/HDFS-6667?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14066631#comment-14066631
]
Jing Zhao commented on HDFS-6667:
---------------------------------
Sure. I just followed your suggestion and change the service for HA webhdfs
tokens to "ha-webhdfs:logicalURI". For HA hdfs tokens, the service name remains
to be "ha-hdfs:logicalURI".
I've tested the distcp using hdfs and webhdfs (with HA and non-HA filesystem
URI) in a secured cluster. Since we have not changed the code paths in 1) hdfs
+ non-HA, 2) hdfs + HA, and 3) webhdfs + non-HA, and webhdfs+HA did not work
before the change, I think we will not cause any regression here. But we will
keep testing all the scenarios including running jobs during a rolling upgrade.
> In HDFS HA mode, Distcp/SLive with webhdfs on secure cluster fails with
> Client cannot authenticate via:[TOKEN, KERBEROS] error
> ------------------------------------------------------------------------------------------------------------------------------
>
> Key: HDFS-6667
> URL: https://issues.apache.org/jira/browse/HDFS-6667
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: security
> Reporter: Jian He
> Assignee: Jing Zhao
> Fix For: 2.6.0
>
> Attachments: HDFS-6667.000.patch
>
>
> Opening on [~arpitgupta]'s behalf.
> We observed that, in HDFS HA mode, running Distcp/SLive with webhdfs will
> fail on YARN. In non-HA mode, it'll pass.
> The reason is in HA mode, only webhdfs delegation token is generated for the
> job, but YARN also requires the regular hdfs token to do localization,
> log-aggregation etc.
> In non-HA mode, both tokens are generated for the job.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
