[ 
https://issues.apache.org/jira/browse/YARN-6602?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16011373#comment-16011373
 ] 

Robert Kanter commented on YARN-6602:
-------------------------------------

I've narrowed down the source of the issue.  {{RMProxy#getProxy}} has a 
{{doAs}} block to create a {{YarnRPC}} using 
{{UserGroupInformation.getCurrentUser()}} to get the UGI.  The normal pattern 
of a Hadoop client is to do a {{doAs}} block when creating the client, and then 
all subsequent calls to that client should happen with that UGI, even if it's 
used outside of a {{doAs}}.  {{RMProxy#getProxy}} is getting called when 
submitting the application in the case where the client first hits the standby 
RM so that it can try the next RM, but not in the case where it hits the active 
RM first.  So when that happens, {{UserGroupInformation.getCurrentUser()}} 
returns the oozie user instead of the impersonated user because submitting the 
application is done outside of a {{doAs}} block.  

> Impersonation does not work if standby RM is contacted first
> ------------------------------------------------------------
>
>                 Key: YARN-6602
>                 URL: https://issues.apache.org/jira/browse/YARN-6602
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: client
>    Affects Versions: 3.0.0-alpha3
>            Reporter: Robert Kanter
>            Assignee: Robert Kanter
>            Priority: Blocker
>
> When RM HA is enabled, impersonation does not work correctly if the Yarn 
> Client connects to the standby RM first.  When this happens, the 
> impersonation is "lost" and the client does things on behalf of the 
> impersonator user.  We saw this with the OOZIE-1770 Oozie on Yarn feature.
> I need to investigate this some more, but it appears to be related to 
> delegation tokens.  When this issue occurs, the tokens have the owner as 
> "oozie" instead of the actual user.  On a hunch, we found a workaround: 
> explicitly adding a correct RM HA delegation token fixes the problem:
> {code:java}
> // Request an RM delegation token through the YARN client.
> org.apache.hadoop.yarn.api.records.Token token =
>     yarnClient.getRMDelegationToken(ClientRMProxy.getRMDelegationTokenService(conf));
> // Convert the YARN token record into a Hadoop security token.
> org.apache.hadoop.security.token.Token token2 =
>     new org.apache.hadoop.security.token.Token(
>         token.getIdentifier().array(), token.getPassword().array(),
>         new Text(token.getKind()), new Text(token.getService()));
> // Add the token to the current user's credentials.
> UserGroupInformation.getCurrentUser().addToken(token2);
> {code}
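
The following is an added example, not part of the original message or of the Hadoop code base. It shows the {{doAs}} scoping behaviour described in the comment above, together with a guard that fails when a deferred call runs as the impersonator. It assumes hadoop-common on the classpath with simple authentication; the class name, the {{requireUser}} helper and the user name "alice" are hypothetical.

```java
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.security.UserGroupInformation;

public class DoAsScopeCheck {
    /** Short name of the caller as Hadoop resolves it at this point in the code. */
    static String effectiveUser() throws Exception {
        return UserGroupInformation.getCurrentUser().getShortUserName();
    }

    /** Guard for code that connects lazily (a failover retry, for example). */
    static void requireUser(String expected) throws Exception {
        String actual = effectiveUser();
        if (!expected.equals(actual)) {
            throw new SecurityException(
                "expected to act as " + expected + " but effective user is " + actual);
        }
    }

    public static void main(String[] args) throws Exception {
        // The login user stands in for the impersonating service (oozie in the report).
        UserGroupInformation service = UserGroupInformation.getLoginUser();
        // "alice" is a constructed end-user name.
        UserGroupInformation alice = UserGroupInformation.createProxyUser("alice", service);

        // Inside doAs the current user is the impersonated one.
        String inside = alice.doAs((PrivilegedExceptionAction<String>) () -> effectiveUser());
        System.out.println("inside doAs : " + inside);

        // Outside doAs the same call resolves to the service account.
        System.out.println("outside doAs: " + effectiveUser());

        // Wrapping the later call in the saved UGI keeps the identity.
        alice.doAs((PrivilegedExceptionAction<Void>) () -> {
            requireUser("alice");
            return null;
        });

        // The unwrapped call trips the guard.
        try {
            requireUser("alice");
        } catch (SecurityException e) {
            System.out.println("guard: " + e.getMessage());
        }
    }
}
```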


