[jira] [Commented] (YARN-2798) YarnClient doesn't need to translate Kerberos name of timeline DT renewer
[ https://issues.apache.org/jira/browse/YARN-2798?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14196020#comment-14196020 ] Hudson commented on YARN-2798: -- SUCCESS: Integrated in Hadoop-Yarn-trunk #733 (See [https://builds.apache.org/job/Hadoop-Yarn-trunk/733/]) YARN-2798. Fixed YarnClient to populate the renewer correctly for Timeline delegation tokens. Contributed by Zhijie Shen. (vinodkv: rev 71fbb474f531f60c5d908cf724f18f90dfd5fa9f) * hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/security/TestYARNTokenIdentifier.java * hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/test/java/org/apache/hadoop/yarn/client/api/impl/TestYarnClient.java * hadoop-yarn-project/CHANGES.txt * hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/api/impl/YarnClientImpl.java YarnClient doesn't need to translate Kerberos name of timeline DT renewer - Key: YARN-2798 URL: https://issues.apache.org/jira/browse/YARN-2798 Project: Hadoop YARN Issue Type: Bug Components: timelineserver Reporter: Arpit Gupta Assignee: Zhijie Shen Priority: Blocker Fix For: 2.6.0 Attachments: YARN-2798.1.patch, YARN-2798.2.patch Now YarnClient will automatically get a timeline DT when submitting an app in a secure mode. It will try to parse the yarn-site.xml/core-site.xml to get the RM daemon operating system user. However, the RM principal and auth_to_local may not be properly presented to the client, and the client cannot translate the principal to the daemon user properly. On the other hand, AbstractDelegationTokenIdentifier will do this translation when create the token. However, since the client has already translated the full principal into a short user name (which may not be correct), the server can no longer apply the translation any more, where RM principal and auth_to_local are always correct. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (YARN-2798) YarnClient doesn't need to translate Kerberos name of timeline DT renewer
[ https://issues.apache.org/jira/browse/YARN-2798?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14196201#comment-14196201 ] Hudson commented on YARN-2798: -- FAILURE: Integrated in Hadoop-Mapreduce-trunk #1947 (See [https://builds.apache.org/job/Hadoop-Mapreduce-trunk/1947/]) YARN-2798. Fixed YarnClient to populate the renewer correctly for Timeline delegation tokens. Contributed by Zhijie Shen. (vinodkv: rev 71fbb474f531f60c5d908cf724f18f90dfd5fa9f) * hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/security/TestYARNTokenIdentifier.java * hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/api/impl/YarnClientImpl.java * hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/test/java/org/apache/hadoop/yarn/client/api/impl/TestYarnClient.java * hadoop-yarn-project/CHANGES.txt YarnClient doesn't need to translate Kerberos name of timeline DT renewer - Key: YARN-2798 URL: https://issues.apache.org/jira/browse/YARN-2798 Project: Hadoop YARN Issue Type: Bug Components: timelineserver Reporter: Arpit Gupta Assignee: Zhijie Shen Priority: Blocker Fix For: 2.6.0 Attachments: YARN-2798.1.patch, YARN-2798.2.patch Now YarnClient will automatically get a timeline DT when submitting an app in a secure mode. It will try to parse the yarn-site.xml/core-site.xml to get the RM daemon operating system user. However, the RM principal and auth_to_local may not be properly presented to the client, and the client cannot translate the principal to the daemon user properly. On the other hand, AbstractDelegationTokenIdentifier will do this translation when create the token. However, since the client has already translated the full principal into a short user name (which may not be correct), the server can no longer apply the translation any more, where RM principal and auth_to_local are always correct. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (YARN-2798) YarnClient doesn't need to translate Kerberos name of timeline DT renewer
[ https://issues.apache.org/jira/browse/YARN-2798?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14194945#comment-14194945 ] Jian He commented on YARN-2798: --- Can you also check if it works for RM HA where two RMs sit on different host? I checked, it should work. as long as two RMs use the same mapping rule. YarnClient doesn't need to translate Kerberos name of timeline DT renewer - Key: YARN-2798 URL: https://issues.apache.org/jira/browse/YARN-2798 Project: Hadoop YARN Issue Type: Bug Components: timelineserver Reporter: Arpit Gupta Assignee: Zhijie Shen Priority: Blocker Attachments: YARN-2798.1.patch, YARN-2798.2.patch Now YarnClient will automatically get a timeline DT when submitting an app in a secure mode. It will try to parse the yarn-site.xml/core-site.xml to get the RM daemon operating system user. However, the RM principal and auth_to_local may not be properly presented to the client, and the client cannot translate the principal to the daemon user properly. On the other hand, AbstractDelegationTokenIdentifier will do this translation when create the token. However, since the client has already translated the full principal into a short user name (which may not be correct), the server can no longer apply the translation any more, where RM principal and auth_to_local are always correct. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (YARN-2798) YarnClient doesn't need to translate Kerberos name of timeline DT renewer
[ https://issues.apache.org/jira/browse/YARN-2798?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14194982#comment-14194982 ] Zhijie Shen commented on YARN-2798: --- I don't have a quick setup for RM HA and secure cluster, but the mapping rule is applied every where in this cluster, I think it should work fine. YarnClient doesn't need to translate Kerberos name of timeline DT renewer - Key: YARN-2798 URL: https://issues.apache.org/jira/browse/YARN-2798 Project: Hadoop YARN Issue Type: Bug Components: timelineserver Reporter: Arpit Gupta Assignee: Zhijie Shen Priority: Blocker Attachments: YARN-2798.1.patch, YARN-2798.2.patch Now YarnClient will automatically get a timeline DT when submitting an app in a secure mode. It will try to parse the yarn-site.xml/core-site.xml to get the RM daemon operating system user. However, the RM principal and auth_to_local may not be properly presented to the client, and the client cannot translate the principal to the daemon user properly. On the other hand, AbstractDelegationTokenIdentifier will do this translation when create the token. However, since the client has already translated the full principal into a short user name (which may not be correct), the server can no longer apply the translation any more, where RM principal and auth_to_local are always correct. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (YARN-2798) YarnClient doesn't need to translate Kerberos name of timeline DT renewer
[ https://issues.apache.org/jira/browse/YARN-2798?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14195038#comment-14195038 ] Vinod Kumar Vavilapalli commented on YARN-2798: --- Looks good now, +1. Checking this in. YarnClient doesn't need to translate Kerberos name of timeline DT renewer - Key: YARN-2798 URL: https://issues.apache.org/jira/browse/YARN-2798 Project: Hadoop YARN Issue Type: Bug Components: timelineserver Reporter: Arpit Gupta Assignee: Zhijie Shen Priority: Blocker Attachments: YARN-2798.1.patch, YARN-2798.2.patch Now YarnClient will automatically get a timeline DT when submitting an app in a secure mode. It will try to parse the yarn-site.xml/core-site.xml to get the RM daemon operating system user. However, the RM principal and auth_to_local may not be properly presented to the client, and the client cannot translate the principal to the daemon user properly. On the other hand, AbstractDelegationTokenIdentifier will do this translation when create the token. However, since the client has already translated the full principal into a short user name (which may not be correct), the server can no longer apply the translation any more, where RM principal and auth_to_local are always correct. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (YARN-2798) YarnClient doesn't need to translate Kerberos name of timeline DT renewer
[ https://issues.apache.org/jira/browse/YARN-2798?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14195062#comment-14195062 ] Hudson commented on YARN-2798: -- FAILURE: Integrated in Hadoop-trunk-Commit #6426 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/6426/]) YARN-2798. Fixed YarnClient to populate the renewer correctly for Timeline delegation tokens. Contributed by Zhijie Shen. (vinodkv: rev 71fbb474f531f60c5d908cf724f18f90dfd5fa9f) * hadoop-yarn-project/CHANGES.txt * hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/api/impl/YarnClientImpl.java * hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/security/TestYARNTokenIdentifier.java * hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/test/java/org/apache/hadoop/yarn/client/api/impl/TestYarnClient.java YarnClient doesn't need to translate Kerberos name of timeline DT renewer - Key: YARN-2798 URL: https://issues.apache.org/jira/browse/YARN-2798 Project: Hadoop YARN Issue Type: Bug Components: timelineserver Reporter: Arpit Gupta Assignee: Zhijie Shen Priority: Blocker Attachments: YARN-2798.1.patch, YARN-2798.2.patch Now YarnClient will automatically get a timeline DT when submitting an app in a secure mode. It will try to parse the yarn-site.xml/core-site.xml to get the RM daemon operating system user. However, the RM principal and auth_to_local may not be properly presented to the client, and the client cannot translate the principal to the daemon user properly. On the other hand, AbstractDelegationTokenIdentifier will do this translation when create the token. However, since the client has already translated the full principal into a short user name (which may not be correct), the server can no longer apply the translation any more, where RM principal and auth_to_local are always correct. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (YARN-2798) YarnClient doesn't need to translate Kerberos name of timeline DT renewer
[ https://issues.apache.org/jira/browse/YARN-2798?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14193993#comment-14193993 ] Zhijie Shen commented on YARN-2798: --- Report the issue on behalf of [~arpitgupta] YarnClient doesn't need to translate Kerberos name of timeline DT renewer - Key: YARN-2798 URL: https://issues.apache.org/jira/browse/YARN-2798 Project: Hadoop YARN Issue Type: Bug Components: timelineserver Reporter: Arpit Gupta Assignee: Zhijie Shen Priority: Blocker Now YarnClient will automatically get a timeline DT when submitting an app in a secure mode. It will try to parse the yarn-site.xml/core-site.xml to get the RM daemon operating system user. However, the RM principal and auth_to_local may not be properly presented to the client, and the client cannot translate the principal to the daemon user properly. On the other hand, AbstractDelegationTokenIdentifier will do this translation when create the token. However, since the client has already translated the full principal into a short user name (which may not be correct), the server can no longer apply the translation any more, where RM principal and auth_to_local are always correct. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (YARN-2798) YarnClient doesn't need to translate Kerberos name of timeline DT renewer
[
https://issues.apache.org/jira/browse/YARN-2798?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14194115#comment-14194115
]
Hadoop QA commented on YARN-2798:
-
{color:green}+1 overall{color}. Here are the results of testing the latest
attachment
http://issues.apache.org/jira/secure/attachment/12678834/YARN-2798.1.patch
against trunk revision 5c0381c.
{color:green}+1 @author{color}. The patch does not contain any @author
tags.
{color:green}+1 tests included{color}. The patch appears to include 2 new
or modified test files.
{color:green}+1 javac{color}. The applied patch does not increase the
total number of javac compiler warnings.
{color:green}+1 javadoc{color}. There were no new javadoc warning messages.
{color:green}+1 eclipse:eclipse{color}. The patch built with
eclipse:eclipse.
{color:green}+1 findbugs{color}. The patch does not introduce any new
Findbugs (version 2.0.3) warnings.
{color:green}+1 release audit{color}. The applied patch does not increase
the total number of release audit warnings.
{color:green}+1 core tests{color}. The patch passed unit tests in
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common.
{color:green}+1 contrib tests{color}. The patch passed contrib unit tests.
Test results:
https://builds.apache.org/job/PreCommit-YARN-Build/5688//testReport/
Console output: https://builds.apache.org/job/PreCommit-YARN-Build/5688//console
This message is automatically generated.
YarnClient doesn't need to translate Kerberos name of timeline DT renewer
-
Key: YARN-2798
URL: https://issues.apache.org/jira/browse/YARN-2798
Project: Hadoop YARN
Issue Type: Bug
Components: timelineserver
Reporter: Arpit Gupta
Assignee: Zhijie Shen
Priority: Blocker
Attachments: YARN-2798.1.patch
Now YarnClient will automatically get a timeline DT when submitting an app in
a secure mode. It will try to parse the yarn-site.xml/core-site.xml to get
the RM daemon operating system user. However, the RM principal and
auth_to_local may not be properly presented to the client, and the client
cannot translate the principal to the daemon user properly. On the other
hand, AbstractDelegationTokenIdentifier will do this translation when create
the token. However, since the client has already translated the full
principal into a short user name (which may not be correct), the server can
no longer apply the translation any more, where RM principal and
auth_to_local are always correct.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (YARN-2798) YarnClient doesn't need to translate Kerberos name of timeline DT renewer
[ https://issues.apache.org/jira/browse/YARN-2798?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14194183#comment-14194183 ] Vinod Kumar Vavilapalli commented on YARN-2798: --- Looked at the patch. I get to say [I told you so|https://issues.apache.org/jira/browse/YARN-2770?focusedCommentId=14190998page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14190998] :) I don't understand why you are using timelineHost to resolve the renewer to be the ResourceManager. YarnClient doesn't need to translate Kerberos name of timeline DT renewer - Key: YARN-2798 URL: https://issues.apache.org/jira/browse/YARN-2798 Project: Hadoop YARN Issue Type: Bug Components: timelineserver Reporter: Arpit Gupta Assignee: Zhijie Shen Priority: Blocker Attachments: YARN-2798.1.patch Now YarnClient will automatically get a timeline DT when submitting an app in a secure mode. It will try to parse the yarn-site.xml/core-site.xml to get the RM daemon operating system user. However, the RM principal and auth_to_local may not be properly presented to the client, and the client cannot translate the principal to the daemon user properly. On the other hand, AbstractDelegationTokenIdentifier will do this translation when create the token. However, since the client has already translated the full principal into a short user name (which may not be correct), the server can no longer apply the translation any more, where RM principal and auth_to_local are always correct. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (YARN-2798) YarnClient doesn't need to translate Kerberos name of timeline DT renewer
[
https://issues.apache.org/jira/browse/YARN-2798?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14194222#comment-14194222
]
Hadoop QA commented on YARN-2798:
-
{color:red}-1 overall{color}. Here are the results of testing the latest
attachment
http://issues.apache.org/jira/secure/attachment/12678856/YARN-2798.2.patch
against trunk revision 27715ec.
{color:green}+1 @author{color}. The patch does not contain any @author
tags.
{color:green}+1 tests included{color}. The patch appears to include 2 new
or modified test files.
{color:green}+1 javac{color}. The applied patch does not increase the
total number of javac compiler warnings.
{color:green}+1 javadoc{color}. There were no new javadoc warning messages.
{color:green}+1 eclipse:eclipse{color}. The patch built with
eclipse:eclipse.
{color:green}+1 findbugs{color}. The patch does not introduce any new
Findbugs (version 2.0.3) warnings.
{color:green}+1 release audit{color}. The applied patch does not increase
the total number of release audit warnings.
{color:red}-1 core tests{color}. The patch failed these unit tests in
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common:
org.apache.hadoop.yarn.client.TestResourceTrackerOnHA
org.apache.hadoop.yarn.client.TestApplicationClientProtocolOnHA
{color:green}+1 contrib tests{color}. The patch passed contrib unit tests.
Test results:
https://builds.apache.org/job/PreCommit-YARN-Build/5694//testReport/
Console output: https://builds.apache.org/job/PreCommit-YARN-Build/5694//console
This message is automatically generated.
YarnClient doesn't need to translate Kerberos name of timeline DT renewer
-
Key: YARN-2798
URL: https://issues.apache.org/jira/browse/YARN-2798
Project: Hadoop YARN
Issue Type: Bug
Components: timelineserver
Reporter: Arpit Gupta
Assignee: Zhijie Shen
Priority: Blocker
Attachments: YARN-2798.1.patch, YARN-2798.2.patch
Now YarnClient will automatically get a timeline DT when submitting an app in
a secure mode. It will try to parse the yarn-site.xml/core-site.xml to get
the RM daemon operating system user. However, the RM principal and
auth_to_local may not be properly presented to the client, and the client
cannot translate the principal to the daemon user properly. On the other
hand, AbstractDelegationTokenIdentifier will do this translation when create
the token. However, since the client has already translated the full
principal into a short user name (which may not be correct), the server can
no longer apply the translation any more, where RM principal and
auth_to_local are always correct.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (YARN-2798) YarnClient doesn't need to translate Kerberos name of timeline DT renewer
[ https://issues.apache.org/jira/browse/YARN-2798?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14194225#comment-14194225 ] Zhijie Shen commented on YARN-2798: --- Test failures are not related. YarnClient doesn't need to translate Kerberos name of timeline DT renewer - Key: YARN-2798 URL: https://issues.apache.org/jira/browse/YARN-2798 Project: Hadoop YARN Issue Type: Bug Components: timelineserver Reporter: Arpit Gupta Assignee: Zhijie Shen Priority: Blocker Attachments: YARN-2798.1.patch, YARN-2798.2.patch Now YarnClient will automatically get a timeline DT when submitting an app in a secure mode. It will try to parse the yarn-site.xml/core-site.xml to get the RM daemon operating system user. However, the RM principal and auth_to_local may not be properly presented to the client, and the client cannot translate the principal to the daemon user properly. On the other hand, AbstractDelegationTokenIdentifier will do this translation when create the token. However, since the client has already translated the full principal into a short user name (which may not be correct), the server can no longer apply the translation any more, where RM principal and auth_to_local are always correct. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
