[jira] [Updated] (YARN-7425) Failed to renew delegation token when RM user's TGT is expired

Shen Yinjie (JIRA) Wed, 01 Nov 2017 02:42:14 -0700

     [ 
https://issues.apache.org/jira/browse/YARN-7425?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Shen Yinjie updated YARN-7425:
------------------------------
    Description: 
we have a secure hadoop cluster with namenode federation.
submit job fails after kerberos TGT maxLifeTime expired(default 24h), client 
log shows" failed to renew token: HDFS_DELEGATION_TOKEN...".
check rm log, found rm tgt is expired but not triggers relogin(),just retry and 
fail...
(rm log see screenshot)
digging in code:
when rm tries to renewToken(),
UserGroupInformation.getLoginUser()="rm",
but UserGroupInformation.getCurrentUser()="testUser".
this causes Client.shouldAuthenticateOverKrb() returns false, thus cant trigger 
reloginFromKeytab() or reloginFromTicketCache().

  was:
we have a secure hadoop cluster with namenode federation.
submit job fails after kerberos TGT maxLifeTime expired(default 24h), client 
log shows" failed to renew token: HDFS_DELEGATION_TOKEN...".
check rm log, found rm tgt is expired but not triggers relogin(),just retry and 
fail...
(some logs see screenshots)
digging in code:
when rm tries to renewToken(),
UserGroupInformation.getLoginUser()="rm",
but UserGroupInformation.getCurrentUser()="testUser".
this causes Client.shouldAuthenticateOverKrb() returns false, thus cant trigger 
reloginFromKeytab() or reloginFromTicketCache().


> Failed to renew delegation token  when RM user's TGT is expired
> ---------------------------------------------------------------
>
>                 Key: YARN-7425
>                 URL: https://issues.apache.org/jira/browse/YARN-7425
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: yarn
>    Affects Versions: 2.8.2
>            Reporter: Shen Yinjie
>            Priority: Critical
>         Attachments: rm_log.png
>
>
> we have a secure hadoop cluster with namenode federation.
> submit job fails after kerberos TGT maxLifeTime expired(default 24h), client 
> log shows" failed to renew token: HDFS_DELEGATION_TOKEN...".
> check rm log, found rm tgt is expired but not triggers relogin(),just retry 
> and fail...
> (rm log see screenshot)
> digging in code:
> when rm tries to renewToken(),
> UserGroupInformation.getLoginUser()="rm",
> but UserGroupInformation.getCurrentUser()="testUser".
> this causes Client.shouldAuthenticateOverKrb() returns false, thus cant 
> trigger reloginFromKeytab() or reloginFromTicketCache().



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

[jira] [Updated] (YARN-7425) Failed to renew delegation token when RM user's TGT is expired

Reply via email to