[jira] [Commented] (YARN-2892) Unable to get AMRMToken in unmanaged AM when using a secure cluster
[
https://issues.apache.org/jira/browse/YARN-2892?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14238307#comment-14238307
]
Sevada Abraamyan commented on YARN-2892:
I don't see this either. However, one thing I did notice is that with the patch
we are now changing how ClientToAMToken is constructed as we are using the
short name instead of full name.
{code}
@Override
public ApplicationReport createAndGetApplicationReport(String clientUserName,
boolean allowAccess) {
if (UserGroupInformation.isSecurityEnabled()) {
// get a token so the client can communicate with the app attempt
// NOTE: token may be unavailable if the attempt is not running
TokenClientToAMTokenIdentifier attemptClientToAMToken =
this.currentAttempt.createClientToken(clientUserName);
if (attemptClientToAMToken != null) {
clientToAMToken = BuilderUtils.newClientToAMToken(
attemptClientToAMToken.getIdentifier(),
attemptClientToAMToken.getKind().toString(),
attemptClientToAMToken.getPassword(),
attemptClientToAMToken.getService().toString());
}
...
{code}
Unable to get AMRMToken in unmanaged AM when using a secure cluster
---
Key: YARN-2892
URL: https://issues.apache.org/jira/browse/YARN-2892
Project: Hadoop YARN
Issue Type: Bug
Components: resourcemanager
Reporter: Sevada Abraamyan
Assignee: Sevada Abraamyan
Attachments: YARN-2892.patch, YARN-2892.patch, YARN-2892.patch
An AMRMToken is retrieved from the ApplicationReport by the YarnClient.
When the RM creates the ApplicationReport and sends it back to the client it
makes a simple security check whether it should include the AMRMToken in the
report (See createAndGetApplicationReport in RMAppImpl).This security check
verifies that the user who submitted the original application is the same
user who is requesting the ApplicationReport. If they are indeed the same
user then it includes the AMRMToken, otherwise it does not include it.
The problem arises from the fact that when an application is submitted, the
RM saves the short username of the user who created the application (See
submitApplication in ClientRmService). Afterwards when the ApplicationReport
is requested, the system tries to match the full username of the requester
against the previously stored short username.
In a secure cluster using Kerberos this check fails because the principle is
stripped from the username when we request a short username. So for example
the short username might be Foo whereas the full username is
f...@company.com
Note: A very similar problem has been previously reported
([Yarn-2232|https://issues.apache.org/jira/browse/YARN-2232])
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (YARN-2892) Unable to get AMRMToken in unmanaged AM when using a secure cluster
[
https://issues.apache.org/jira/browse/YARN-2892?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14238520#comment-14238520
]
Sevada Abraamyan commented on YARN-2892:
On second thought I think [~djp] was referring directly to the code I
referenced above. Since we'd rather not modify the public interface of RMApp,
maybe we should continue passing in the full username to
_createAndGetApplicationReport_ and prior to AMRM security check we can use
this full username to construct a short username. It seems a bit hacky but I'm
not sure how else we can avoid not breaking the public interface.
The easiest way I can see doing this is by using something like the following:
{code}
UserGroupInformation remoteUser =
UserGroupInformation.getRemoteUser(clientUserName);
String shortUsername = remoteUser.getShortUsername();
{code}
Another solution could be to do the following:
{code}
//if security is set to kerberos...
HadoopKerberosName kbName = new HadoopKerberosName(clientUserName);
String shortUsername = kbName.getShortUsername()
{code}
The first solution is a bit strange but looks more attractive to me as it
allows _RMAppImpl_ to stay agnostic to the underlying security framework. Any
suggestions?
Unable to get AMRMToken in unmanaged AM when using a secure cluster
---
Key: YARN-2892
URL: https://issues.apache.org/jira/browse/YARN-2892
Project: Hadoop YARN
Issue Type: Bug
Components: resourcemanager
Reporter: Sevada Abraamyan
Assignee: Sevada Abraamyan
Attachments: YARN-2892.patch, YARN-2892.patch, YARN-2892.patch
An AMRMToken is retrieved from the ApplicationReport by the YarnClient.
When the RM creates the ApplicationReport and sends it back to the client it
makes a simple security check whether it should include the AMRMToken in the
report (See createAndGetApplicationReport in RMAppImpl).This security check
verifies that the user who submitted the original application is the same
user who is requesting the ApplicationReport. If they are indeed the same
user then it includes the AMRMToken, otherwise it does not include it.
The problem arises from the fact that when an application is submitted, the
RM saves the short username of the user who created the application (See
submitApplication in ClientRmService). Afterwards when the ApplicationReport
is requested, the system tries to match the full username of the requester
against the previously stored short username.
In a secure cluster using Kerberos this check fails because the principle is
stripped from the username when we request a short username. So for example
the short username might be Foo whereas the full username is
f...@company.com
Note: A very similar problem has been previously reported
([Yarn-2232|https://issues.apache.org/jira/browse/YARN-2232])
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Updated] (YARN-2892) Unable to get AMRMToken in unmanaged AM when using a secure cluster
[ https://issues.apache.org/jira/browse/YARN-2892?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sevada Abraamyan updated YARN-2892: --- Attachment: YARN-2892.patch Unable to get AMRMToken in unmanaged AM when using a secure cluster --- Key: YARN-2892 URL: https://issues.apache.org/jira/browse/YARN-2892 Project: Hadoop YARN Issue Type: Bug Components: resourcemanager Reporter: Sevada Abraamyan Assignee: Sevada Abraamyan Attachments: YARN-2892.patch, YARN-2892.patch, YARN-2892.patch An AMRMToken is retrieved from the ApplicationReport by the YarnClient. When the RM creates the ApplicationReport and sends it back to the client it makes a simple security check whether it should include the AMRMToken in the report (See createAndGetApplicationReport in RMAppImpl).This security check verifies that the user who submitted the original application is the same user who is requesting the ApplicationReport. If they are indeed the same user then it includes the AMRMToken, otherwise it does not include it. The problem arises from the fact that when an application is submitted, the RM saves the short username of the user who created the application (See submitApplication in ClientRmService). Afterwards when the ApplicationReport is requested, the system tries to match the full username of the requester against the previously stored short username. In a secure cluster using Kerberos this check fails because the principle is stripped from the username when we request a short username. So for example the short username might be Foo whereas the full username is f...@company.com Note: A very similar problem has been previously reported ([Yarn-2232|https://issues.apache.org/jira/browse/YARN-2232]) -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (YARN-2892) Unable to get AMRMToken in unmanaged AM when using a secure cluster
[ https://issues.apache.org/jira/browse/YARN-2892?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14232179#comment-14232179 ] Sevada Abraamyan commented on YARN-2892: Thanks for catching that mistake [~ rohithsharma]. I've submitted a new patch which no longer uses sysout. Unable to get AMRMToken in unmanaged AM when using a secure cluster --- Key: YARN-2892 URL: https://issues.apache.org/jira/browse/YARN-2892 Project: Hadoop YARN Issue Type: Bug Components: resourcemanager Reporter: Sevada Abraamyan Assignee: Sevada Abraamyan Attachments: YARN-2892.patch, YARN-2892.patch, YARN-2892.patch An AMRMToken is retrieved from the ApplicationReport by the YarnClient. When the RM creates the ApplicationReport and sends it back to the client it makes a simple security check whether it should include the AMRMToken in the report (See createAndGetApplicationReport in RMAppImpl).This security check verifies that the user who submitted the original application is the same user who is requesting the ApplicationReport. If they are indeed the same user then it includes the AMRMToken, otherwise it does not include it. The problem arises from the fact that when an application is submitted, the RM saves the short username of the user who created the application (See submitApplication in ClientRmService). Afterwards when the ApplicationReport is requested, the system tries to match the full username of the requester against the previously stored short username. In a secure cluster using Kerberos this check fails because the principle is stripped from the username when we request a short username. So for example the short username might be Foo whereas the full username is f...@company.com Note: A very similar problem has been previously reported ([Yarn-2232|https://issues.apache.org/jira/browse/YARN-2232]) -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (YARN-2892) Unable to get AMRMToken in unmanaged AM when using a secure cluster
[ https://issues.apache.org/jira/browse/YARN-2892?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sevada Abraamyan updated YARN-2892: --- Attachment: YARN-2892.patch Unable to get AMRMToken in unmanaged AM when using a secure cluster --- Key: YARN-2892 URL: https://issues.apache.org/jira/browse/YARN-2892 Project: Hadoop YARN Issue Type: Bug Components: resourcemanager Reporter: Sevada Abraamyan Assignee: Sevada Abraamyan Attachments: YARN-2892.patch, YARN-2892.patch An AMRMToken is retrieved from the ApplicationReport by the YarnClient. When the RM creates the ApplicationReport and sends it back to the client it makes a simple security check whether it should include the AMRMToken in the report (See createAndGetApplicationReport in RMAppImpl).This security check verifies that the user who submitted the original application is the same user who is requesting the ApplicationReport. If they are indeed the same user then it includes the AMRMToken, otherwise it does not include it. The problem arises from the fact that when an application is submitted, the RM saves the short username of the user who created the application (See submitApplication in ClientRmService). Afterwards when the ApplicationReport is requested, the system tries to match the full username of the requester against the previously stored short username. In a secure cluster using Kerberos this check fails because the principle is stripped from the username when we request a short username. So for example the short username might be Foo whereas the full username is f...@company.com Note: A very similar problem has been previously reported ([Yarn-2232|https://issues.apache.org/jira/browse/YARN-2232]) -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (YARN-2892) Unable to get AMRMToken in unmanaged AM when using a secure cluster
[
https://issues.apache.org/jira/browse/YARN-2892?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14228579#comment-14228579
]
Sevada Abraamyan commented on YARN-2892:
After researching Hadoop security a bit further, I believe the shared cluster
scenario I was thinking about earlier shouldn't be a problem. Administrators
define the mapping from principle to short username via the
{{hadoop.security.auth_to_local}} configuration and if two principles from
different kerberos realms mapped to the same user then it would have to be done
on purpose by the administrator. In which case the assumed behavior is that
both principles are describing the same subject and therefore the users will
have the authorization privileges. Please correct me if I'm wrong and of course
I would love to get a code review of the latest patch.
_In regards to the other mismatches between short/full username in
ClientRMService, I will be opening a different JIRA ticket so as to not dilute
the main purpose of this ticket which was to fix the missing AMRM tokens._
Unable to get AMRMToken in unmanaged AM when using a secure cluster
---
Key: YARN-2892
URL: https://issues.apache.org/jira/browse/YARN-2892
Project: Hadoop YARN
Issue Type: Bug
Components: resourcemanager
Reporter: Sevada Abraamyan
Assignee: Sevada Abraamyan
Attachments: YARN-2892.patch, YARN-2892.patch
An AMRMToken is retrieved from the ApplicationReport by the YarnClient.
When the RM creates the ApplicationReport and sends it back to the client it
makes a simple security check whether it should include the AMRMToken in the
report (See createAndGetApplicationReport in RMAppImpl).This security check
verifies that the user who submitted the original application is the same
user who is requesting the ApplicationReport. If they are indeed the same
user then it includes the AMRMToken, otherwise it does not include it.
The problem arises from the fact that when an application is submitted, the
RM saves the short username of the user who created the application (See
submitApplication in ClientRmService). Afterwards when the ApplicationReport
is requested, the system tries to match the full username of the requester
against the previously stored short username.
In a secure cluster using Kerberos this check fails because the principle is
stripped from the username when we request a short username. So for example
the short username might be Foo whereas the full username is
f...@company.com
Note: A very similar problem has been previously reported
([Yarn-2232|https://issues.apache.org/jira/browse/YARN-2232])
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Created] (YARN-2911) Issues with GetApplications request in secure cluster
Sevada Abraamyan created YARN-2911:
--
Summary: Issues with GetApplications request in secure cluster
Key: YARN-2911
URL: https://issues.apache.org/jira/browse/YARN-2911
Project: Hadoop YARN
Issue Type: Bug
Components: resourcemanager
Reporter: Sevada Abraamyan
Assignee: Sevada Abraamyan
Both problems arise from the fact that the RM stores the short username of the
app submitter.
1) When the {{GetApplicationsRequest}} contains a
{{ApplicationsRequestScope.OWN}} filter, i.e. it wants to filter out all apps
not owned by the user. The RM attempts to match the full username of the
GetApplications requester against the stored short username to determine if the
requester is the owner of the app. In a secure cluster this can fail as the two
are not always equivalent.
2) The {{GetApplicationsRequest}} can be used to filter the the set of app
returned to be only those which were submitted/owned by a set of users. Once
again there is a mismatch here between short/full usernames. Since the client
specifies the set of users, theoretically they can pass in a set of short
usernames which would makes this feature work in a secure cluster. However, it
is not expected that a client will have the correct
{{hadoop.security.auth_to_local}} configuration and therefore they can not
always be expected to get the correct short usernames.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (YARN-2892) Unable to get AMRMToken in unmanaged AM when using a secure cluster
[ https://issues.apache.org/jira/browse/YARN-2892?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14228639#comment-14228639 ] Sevada Abraamyan commented on YARN-2892: I do not believe these test failures are related to the submitted patch. Also, I'm unable to reproduce the errors on my local machine. Unable to get AMRMToken in unmanaged AM when using a secure cluster --- Key: YARN-2892 URL: https://issues.apache.org/jira/browse/YARN-2892 Project: Hadoop YARN Issue Type: Bug Components: resourcemanager Reporter: Sevada Abraamyan Assignee: Sevada Abraamyan Attachments: YARN-2892.patch, YARN-2892.patch An AMRMToken is retrieved from the ApplicationReport by the YarnClient. When the RM creates the ApplicationReport and sends it back to the client it makes a simple security check whether it should include the AMRMToken in the report (See createAndGetApplicationReport in RMAppImpl).This security check verifies that the user who submitted the original application is the same user who is requesting the ApplicationReport. If they are indeed the same user then it includes the AMRMToken, otherwise it does not include it. The problem arises from the fact that when an application is submitted, the RM saves the short username of the user who created the application (See submitApplication in ClientRmService). Afterwards when the ApplicationReport is requested, the system tries to match the full username of the requester against the previously stored short username. In a secure cluster using Kerberos this check fails because the principle is stripped from the username when we request a short username. So for example the short username might be Foo whereas the full username is f...@company.com Note: A very similar problem has been previously reported ([Yarn-2232|https://issues.apache.org/jira/browse/YARN-2232]) -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (YARN-2892) Unable to get AMRMToken in unmanaged AM when using a secure cluster
[
https://issues.apache.org/jira/browse/YARN-2892?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14226939#comment-14226939
]
Sevada Abraamyan commented on YARN-2892:
In an offline discussion [~ahadr] brought up a good point by mentioning that
validating against the short name might pose a potential security hole. Does
anyone know what the original reasoning was to have the app stored using the
short name instead of the fully qualified name? If I'm understanding the
potential impact then it means in a shared cluster scenario where there are two
kerberos principles it is possible for two users to have the same username
prefix and therefore access each others tokens? In addition to
{{ClientRMService}} we are also using getShortUsername in
{{ApplicationACLsManager}} and {{QueueACLsManager}} to name a few.
Unable to get AMRMToken in unmanaged AM when using a secure cluster
---
Key: YARN-2892
URL: https://issues.apache.org/jira/browse/YARN-2892
Project: Hadoop YARN
Issue Type: Bug
Components: resourcemanager
Reporter: Sevada Abraamyan
Assignee: Sevada Abraamyan
Attachments: YARN-2892.patch
An AMRMToken is retrieved from the ApplicationReport by the YarnClient.
When the RM creates the ApplicationReport and sends it back to the client it
makes a simple security check whether it should include the AMRMToken in the
report (See createAndGetApplicationReport in RMAppImpl).This security check
verifies that the user who submitted the original application is the same
user who is requesting the ApplicationReport. If they are indeed the same
user then it includes the AMRMToken, otherwise it does not include it.
The problem arises from the fact that when an application is submitted, the
RM saves the short username of the user who created the application (See
submitApplication in ClientRmService). Afterwards when the ApplicationReport
is requested, the system tries to match the full username of the requester
against the previously stored short username.
In a secure cluster using Kerberos this check fails because the principle is
stripped from the username when we request a short username. So for example
the short username might be Foo whereas the full username is
f...@company.com
Note: A very similar problem has been previously reported
([Yarn-2232|https://issues.apache.org/jira/browse/YARN-2232])
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Updated] (YARN-2892) Unable to get AMRMToken in unmanaged AM when using a secure cluster
[ https://issues.apache.org/jira/browse/YARN-2892?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sevada Abraamyan updated YARN-2892: --- Attachment: YARN-2892.patch Can someone please code review this patch? Unable to get AMRMToken in unmanaged AM when using a secure cluster --- Key: YARN-2892 URL: https://issues.apache.org/jira/browse/YARN-2892 Project: Hadoop YARN Issue Type: Bug Components: resourcemanager Reporter: Sevada Abraamyan Assignee: Sevada Abraamyan Attachments: YARN-2892.patch An AMRMToken is retrieved from the ApplicationReport by the YarnClient. When the RM creates the ApplicationReport and sends it back to the client it makes a simple security check whether it should include the AMRMToken in the report (See createAndGetApplicationReport in RMAppImpl).This security check verifies that the user who submitted the original application is the same user who is requesting the ApplicationReport. If they are indeed the same user then it includes the AMRMToken, otherwise it does not include it. The problem arises from the fact that when an application is submitted, the RM saves the short username of the user who created the application (See submitApplication in ClientRmService). Afterwards when the ApplicationReport is requested, the system tries to match the full username of the requester against the previously stored short username. In a secure cluster using Kerberos this check fails because the principle is stripped from the username when we request a short username. So for example the short username might be Foo whereas the full username is f...@company.com Note: A very similar problem has been previously reported ([Yarn-2232|https://issues.apache.org/jira/browse/YARN-2232]) -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (YARN-2892) Unable to get AMRMToken in unmanaged AM when using a secure cluster
[
https://issues.apache.org/jira/browse/YARN-2892?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14225840#comment-14225840
]
Sevada Abraamyan commented on YARN-2892:
[~rohithsharma] thanks for pointing this out. It also looks like there are
other instances in ClientRMService unrelated to createAndGetApplicationReport.
For example the following code in getApplications is incorrect as well.
{code}
public GetApplicationsResponse getApplications(
...
if (scope == ApplicationsRequestScope.OWN
!callerUGI.getUserName().equals(application.getUser())) {
continue;
}
...
{code}
I'll do a more thorough sweep of ClientRMService and update the patch. Also,
while I'm working on this, maybe it might be good to revist why getQueueInfo
passes a null username to createAndGetApplicationReport. Is there any reason we
wouldn't want the owner of the application to get the AMRMTokens in the
getQueueInfo request?
Unable to get AMRMToken in unmanaged AM when using a secure cluster
---
Key: YARN-2892
URL: https://issues.apache.org/jira/browse/YARN-2892
Project: Hadoop YARN
Issue Type: Bug
Components: resourcemanager
Reporter: Sevada Abraamyan
Assignee: Sevada Abraamyan
Attachments: YARN-2892.patch
An AMRMToken is retrieved from the ApplicationReport by the YarnClient.
When the RM creates the ApplicationReport and sends it back to the client it
makes a simple security check whether it should include the AMRMToken in the
report (See createAndGetApplicationReport in RMAppImpl).This security check
verifies that the user who submitted the original application is the same
user who is requesting the ApplicationReport. If they are indeed the same
user then it includes the AMRMToken, otherwise it does not include it.
The problem arises from the fact that when an application is submitted, the
RM saves the short username of the user who created the application (See
submitApplication in ClientRmService). Afterwards when the ApplicationReport
is requested, the system tries to match the full username of the requester
against the previously stored short username.
In a secure cluster using Kerberos this check fails because the principle is
stripped from the username when we request a short username. So for example
the short username might be Foo whereas the full username is
f...@company.com
Note: A very similar problem has been previously reported
([Yarn-2232|https://issues.apache.org/jira/browse/YARN-2232])
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (YARN-2892) Unable to get AMRMToken in unmanaged AM when using a secure cluster
[ https://issues.apache.org/jira/browse/YARN-2892?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14222086#comment-14222086 ] Sevada Abraamyan commented on YARN-2892: [~rohithsharma], I did intend to submit a patch. However, I couldn't find out how to assign the issue to myself. Maybe I don't have the correct privaleges? In any case, if you have not yet started on a patch, can you please assign this to me? Thanks! Unable to get AMRMToken in unmanaged AM when using a secure cluster --- Key: YARN-2892 URL: https://issues.apache.org/jira/browse/YARN-2892 Project: Hadoop YARN Issue Type: Bug Components: resourcemanager Reporter: Sevada Abraamyan Assignee: Rohith An AMRMToken is retrieved from the ApplicationReport by the YarnClient. When the RM creates the ApplicationReport and sends it back to the client it makes a simple security check whether it should include the AMRMToken in the report (See createAndGetApplicationReport in RMAppImpl).This security check verifies that the user who submitted the original application is the same user who is requesting the ApplicationReport. If they are indeed the same user then it includes the AMRMToken, otherwise it does not include it. The problem arises from the fact that when an application is submitted, the RM saves the short username of the user who created the application (See submitApplication in ClientRmService). Afterwards when the ApplicationReport is requested, the system tries to match the full username of the requester against the previously stored short username. In a secure cluster using Kerberos this check fails because the principle is stripped from the username when we request a short username. So for example the short username might be Foo whereas the full username is f...@company.com Note: A very similar problem has been previously reported ([Yarn-2232|https://issues.apache.org/jira/browse/YARN-2232]) -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (YARN-2892) Unable to get AMRMToken in unmanaged AM when using a secure cluster
Sevada Abraamyan created YARN-2892: -- Summary: Unable to get AMRMToken in unmanaged AM when using a secure cluster Key: YARN-2892 URL: https://issues.apache.org/jira/browse/YARN-2892 Project: Hadoop YARN Issue Type: Bug Components: resourcemanager Reporter: Sevada Abraamyan An AMRMToken is retrieved from the ApplicationReport by the YarnClient. When the RM creates the ApplicationReport and sends it back to the client it makes a simple security check whether it should include the AMRMToken in the report (See createAndGetApplicationReport in RMAppImpl).This security check verifies that the user who submitted the original application is the same user who is requesting the ApplicationReport. If they are indeed the same user then it includes the AMRMToken, otherwise it does not include it. The problem arises from the fact that when an application is submitted, the RM saves the short username of the user who created the application (See submitApplication in ClientRmService). Afterwards when the ApplicationReport is requested, the system tries to match the full username of the requester against the previously stored short username. In a secure cluster using Kerberos this check fails because the principle is stripped from the username when we request a short username. So for example the short username might be Foo whereas the full username is f...@company.com Note: A very similar problem has been previously reported in the past in [Yarn-2232|https://issues.apache.org/jira/browse/YARN-2232]. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (YARN-2892) Unable to get AMRMToken in unmanaged AM when using a secure cluster
[ https://issues.apache.org/jira/browse/YARN-2892?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sevada Abraamyan updated YARN-2892: --- Description: An AMRMToken is retrieved from the ApplicationReport by the YarnClient. When the RM creates the ApplicationReport and sends it back to the client it makes a simple security check whether it should include the AMRMToken in the report (See createAndGetApplicationReport in RMAppImpl).This security check verifies that the user who submitted the original application is the same user who is requesting the ApplicationReport. If they are indeed the same user then it includes the AMRMToken, otherwise it does not include it. The problem arises from the fact that when an application is submitted, the RM saves the short username of the user who created the application (See submitApplication in ClientRmService). Afterwards when the ApplicationReport is requested, the system tries to match the full username of the requester against the previously stored short username. In a secure cluster using Kerberos this check fails because the principle is stripped from the username when we request a short username. So for example the short username might be Foo whereas the full username is f...@company.com Note: A very similar problem has been previously reported ([Yarn-2232|https://issues.apache.org/jira/browse/YARN-2232]) was: An AMRMToken is retrieved from the ApplicationReport by the YarnClient. When the RM creates the ApplicationReport and sends it back to the client it makes a simple security check whether it should include the AMRMToken in the report (See createAndGetApplicationReport in RMAppImpl).This security check verifies that the user who submitted the original application is the same user who is requesting the ApplicationReport. If they are indeed the same user then it includes the AMRMToken, otherwise it does not include it. The problem arises from the fact that when an application is submitted, the RM saves the short username of the user who created the application (See submitApplication in ClientRmService). Afterwards when the ApplicationReport is requested, the system tries to match the full username of the requester against the previously stored short username. In a secure cluster using Kerberos this check fails because the principle is stripped from the username when we request a short username. So for example the short username might be Foo whereas the full username is f...@company.com Note: A very similar problem has been previously reported in the past in [Yarn-2232|https://issues.apache.org/jira/browse/YARN-2232]. Unable to get AMRMToken in unmanaged AM when using a secure cluster --- Key: YARN-2892 URL: https://issues.apache.org/jira/browse/YARN-2892 Project: Hadoop YARN Issue Type: Bug Components: resourcemanager Reporter: Sevada Abraamyan An AMRMToken is retrieved from the ApplicationReport by the YarnClient. When the RM creates the ApplicationReport and sends it back to the client it makes a simple security check whether it should include the AMRMToken in the report (See createAndGetApplicationReport in RMAppImpl).This security check verifies that the user who submitted the original application is the same user who is requesting the ApplicationReport. If they are indeed the same user then it includes the AMRMToken, otherwise it does not include it. The problem arises from the fact that when an application is submitted, the RM saves the short username of the user who created the application (See submitApplication in ClientRmService). Afterwards when the ApplicationReport is requested, the system tries to match the full username of the requester against the previously stored short username. In a secure cluster using Kerberos this check fails because the principle is stripped from the username when we request a short username. So for example the short username might be Foo whereas the full username is f...@company.com Note: A very similar problem has been previously reported ([Yarn-2232|https://issues.apache.org/jira/browse/YARN-2232]) -- This message was sent by Atlassian JIRA (v6.3.4#6332)
