[ https://issues.apache.org/jira/browse/TEZ-4205?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Eugene Chung updated TEZ-4205: ------------------------------ Attachment: TEZ-4205.0.9.2.patch > Support RM delegation token > --------------------------- > > Key: TEZ-4205 > URL: https://issues.apache.org/jira/browse/TEZ-4205 > Project: Apache Tez > Issue Type: Improvement > Reporter: Eugene Chung > Priority: Major > Attachments: TEZ-4205-0.9.2.patch, TEZ-4205.01.patch > > > I have a requirement to get some information from YARN Resource Manager like > [NodeReports|#getNodeReports-org.apache.hadoop.yarn.api.records.NodeState...-]]. > But on the kerberized cluster, I can't do it because of kerberos > authentication failure. > {code:java} > 2020-05-26 14:29:03,044 [ERROR] [InputInitializer {Map 1} #0] > |mapreduce.MyInputFormat|: getNodeReports error > java.io.IOException: DestHost:destPort my-rm-address:9050 , > LocalHost:localPort my-node-address:0. Failed on local exception: > java.io.IOException: org.apache.hadoop.security.AccessControlException: > Client cannot authenticate via:[TOKEN, KERBEROS] > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > at > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) > at > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor.newInstance(Constructor.java:423) > at org.apache.hadoop.net.NetUtils.wrapWithMessage(NetUtils.java:831) > at org.apache.hadoop.net.NetUtils.wrapException(NetUtils.java:806) > at org.apache.hadoop.ipc.Client.getRpcResponse(Client.java:1495) > at org.apache.hadoop.ipc.Client.call(Client.java:1437) > at org.apache.hadoop.ipc.Client.call(Client.java:1347) > at > org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:228) > at > org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:116) > at com.sun.proxy.$Proxy54.getClusterNodes(Unknown Source) > at > org.apache.hadoop.yarn.api.impl.pb.client.ApplicationClientProtocolPBClientImpl.getClusterNodes(ApplicationClientProtocolPBClientImpl.java:319) > at sun.reflect.GeneratedMethodAccessor30.invoke(Unknown Source) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at > org.apache.hadoop.io.retry.RetryInvocationHandler.invokeMethod(RetryInvocationHandler.java:422) > at > org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeMethod(RetryInvocationHandler.java:165) > at > org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invoke(RetryInvocationHandler.java:157) > at > org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeOnce(RetryInvocationHandler.java:95) > at > org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:359) > at com.sun.proxy.$Proxy55.getClusterNodes(Unknown Source) > at > org.apache.hadoop.yarn.client.api.impl.YarnClientImpl.getNodeReports(YarnClientImpl.java:614) > ... > at com.naver.mapreduce.MyInputFormat.getSplits(MyInputFormat.java:537) > ... > at > org.apache.hadoop.hive.ql.io.HiveInputFormat.addSplitsForGroup(HiveInputFormat.java:512) > at > org.apache.hadoop.hive.ql.io.HiveInputFormat.getSplits(HiveInputFormat.java:781) > at > org.apache.hadoop.hive.ql.exec.tez.HiveSplitGenerator.initialize(HiveSplitGenerator.java:243) > at > org.apache.tez.dag.app.dag.RootInputInitializerManager$InputInitializerCallable$1.run(RootInputInitializerManager.java:278) > at > org.apache.tez.dag.app.dag.RootInputInitializerManager$InputInitializerCallable$1.run(RootInputInitializerManager.java:269) > at java.security.AccessController.doPrivileged(Native Method) > at javax.security.auth.Subject.doAs(Subject.java:422) > at > org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1682) > at > org.apache.tez.dag.app.dag.RootInputInitializerManager$InputInitializerCallable.call(RootInputInitializerManager.java:269) > at > org.apache.tez.dag.app.dag.RootInputInitializerManager$InputInitializerCallable.call(RootInputInitializerManager.java:253) > at > com.google.common.util.concurrent.TrustedListenableFutureTask$TrustedFutureInterruptibleTask.runInterruptibly(TrustedListenableFutureTask.java:108) > at > com.google.common.util.concurrent.InterruptibleTask.run(InterruptibleTask.java:41) > at > com.google.common.util.concurrent.TrustedListenableFutureTask.run(TrustedListenableFutureTask.java:77) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > Caused by: java.io.IOException: > org.apache.hadoop.security.AccessControlException: Client cannot authenticate > via:[TOKEN, KERBEROS] > at org.apache.hadoop.ipc.Client$Connection$1.run(Client.java:755) > at java.security.AccessController.doPrivileged(Native Method) > at javax.security.auth.Subject.doAs(Subject.java:422) > at > org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1682) > at > org.apache.hadoop.ipc.Client$Connection.handleSaslConnectionFailure(Client.java:718) > at org.apache.hadoop.ipc.Client$Connection.setupIOstreams(Client.java:811) > at org.apache.hadoop.ipc.Client$Connection.access$3500(Client.java:409) > at org.apache.hadoop.ipc.Client.getConnection(Client.java:1552) > at org.apache.hadoop.ipc.Client.call(Client.java:1383) > ... 35 more > Caused by: org.apache.hadoop.security.AccessControlException: Client cannot > authenticate via:[TOKEN, KERBEROS] > at > org.apache.hadoop.security.SaslRpcClient.selectSaslClient(SaslRpcClient.java:173) > at > org.apache.hadoop.security.SaslRpcClient.saslConnect(SaslRpcClient.java:390) > at > org.apache.hadoop.ipc.Client$Connection.setupSaslConnection(Client.java:613) > at org.apache.hadoop.ipc.Client$Connection.access$2200(Client.java:409) > at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:798) > at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:794) > at java.security.AccessController.doPrivileged(Native Method) > at javax.security.auth.Subject.doAs(Subject.java:422) > at > org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1682) > at org.apache.hadoop.ipc.Client$Connection.setupIOstreams(Client.java:794) > ... 38 more{code} > > So I implemented the feature that generates RM delegation token at Tez client > side like https://issues.apache.org/jira/browse/TEZ-4032. > I borrowed the main code fragment from here, slider > [https://github.com/apache/incubator-retired-slider/blob/1d4f519d763210f46e327338be72efa99e65cb5d/slider-core/src/main/java/org/apache/slider/core/launch/CredentialUtils.java#L257-L269] > which considers RM single/HA case using RM delegation token service. -- This message was sent by Atlassian Jira (v8.3.4#803005)