[ https://issues.apache.org/jira/browse/YARN-50?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Siddharth Seth updated YARN-50: ------------------------------- Attachment: YARN-50.txt Thanks for the quick reviews Daryn and Bobby. Updated patch to address the issues. Since the service address is being used - MR config isn't really required (in the MR part of the patch). bq. Based on the SASL work I'm doing, isAllowedDelegationTokenOp should be more like this: return UserGroupInformation.getCurrentUser().getRealAuthenticationMethod() != AuthenticationMethod.TOKEN. (Aside: I've actually been meaning to push this check down into the ADTSM but I'll do that on another jira) For security related checks, I think an explicit whitelist is a better option. Have included KERBEROS, KERBEROS_SSL and CERTIFICATE. Feel free to change this. bq. The yarn client should connect to the service address within the token, rather than assume all RM tokens are for the local RM. It's possible that a job might have a RM token for a different cluster. I'm not sure this is a valid use case. Get a token from one RM, submit a job to RM2 with RM1s token, which then may submit back to RM1... both RMs end up renewing the token. IAC, using the service address to remove the dependency on the configs. > Implement renewal / cancellation of Delegation Tokens > ----------------------------------------------------- > > Key: YARN-50 > URL: https://issues.apache.org/jira/browse/YARN-50 > Project: Hadoop YARN > Issue Type: Sub-task > Reporter: Siddharth Seth > Assignee: Siddharth Seth > Priority: Blocker > Attachments: YARN-50.txt, YARN-50_wip.txt > > > Currently, delegation tokens issues by the RM and History server cannot be > renewed or cancelled. This needs to be implemented. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira