[
https://issues.apache.org/jira/browse/YARN-50?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Siddharth Seth updated YARN-50:
-------------------------------
Attachment: YARN-50.txt
Thanks for the quick reviews Daryn and Bobby. Updated patch to address the
issues. Since the service address is being used - MR config isn't really
required (in the MR part of the patch).
bq. Based on the SASL work I'm doing, isAllowedDelegationTokenOp should be more
like this: return
UserGroupInformation.getCurrentUser().getRealAuthenticationMethod() !=
AuthenticationMethod.TOKEN. (Aside: I've actually been meaning to push this
check down into the ADTSM but I'll do that on another jira)
For security related checks, I think an explicit whitelist is a better option.
Have included KERBEROS, KERBEROS_SSL and CERTIFICATE. Feel free to change this.
bq. The yarn client should connect to the service address within the token,
rather than assume all RM tokens are for the local RM. It's possible that a job
might have a RM token for a different cluster.
I'm not sure this is a valid use case. Get a token from one RM, submit a job to
RM2 with RM1s token, which then may submit back to RM1... both RMs end up
renewing the token. IAC, using the service address to remove the dependency on
the configs.
> Implement renewal / cancellation of Delegation Tokens
> -----------------------------------------------------
>
> Key: YARN-50
> URL: https://issues.apache.org/jira/browse/YARN-50
> Project: Hadoop YARN
> Issue Type: Sub-task
> Reporter: Siddharth Seth
> Assignee: Siddharth Seth
> Priority: Blocker
> Attachments: YARN-50.txt, YARN-50_wip.txt
>
>
> Currently, delegation tokens issues by the RM and History server cannot be
> renewed or cancelled. This needs to be implemented.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
