[ 
https://issues.apache.org/jira/browse/YARN-6669?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16275442#comment-16275442
 ] 

Jian He edited comment on YARN-6669 at 12/2/17 6:36 AM:
--------------------------------------------------------

Thanks Eric for helping debug. You are right, it is because the 
[email protected] got translated to spark instead of spark-demo by the 
hadoop auth_to_local config.  Therefore, the spark user got set in the znode ACL, 
instead of spark-demo. And on read, zookeeper still uses spark-demo (the first 
section of the principal) rather than the translated spark user for acl 
validations. That caused it to fail. 

And you were also right, I should just take the first section of the principal 
(NOT the translated short user name) for setting the znode acls. Because 
zookeeper is only making use of the first section of the principal rather than 
the translated short user name by default, unless the same auth_to_local is 
set in krb5.conf as hadoop.security.auth-to-local. 

For simplicity and less effort for users to struggle with the configs, the behavior 
of the current patch is: for [email protected] mapped to the spark user, both 
spark-demo (done by this patch) and spark (earlier done by YARN-6332) will be 
added in the znode acls.  fyi [~billie.rinaldi]




was (Author: jianhe):
Thanks Eric for helping debug. You are right, it is because the 
[email protected] got translated to spark instead of spark-demo by the 
auth_to_local config.  Therefore, the spark user got set in the znode ACL, instead 
of spark-demo. That caused it to fail. 

And you were also right, I should just take the first section of the principal 
(NOT the translated short user name) for setting the znode acls. Because 
zookeeper is only making use of the first section of the principal rather than 
the translated short user name by default, unless the same auth_to_local is 
set in krb5.conf as hadoop.security.auth-to-local. 

For simplicity and less effort for users to struggle with the configs, the behavior 
of the current patch is: for [email protected] mapped to the spark user, both 
spark-demo (done by this patch) and spark (earlier done by YARN-6332) will be 
added in the znode acls.  fyi [~billie.rinaldi]
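The mismatch the comment describes is between two identity mappings: Hadoop's auth_to_local rules, which turn a Kerberos principal into a short user name, and ZooKeeper's default SASL identity, which is the first component of the principal. The following Python is an added illustration, not code from the YARN patch or from Hadoop or ZooKeeper: it re-implements a simplified subset of the Hadoop RULE/DEFAULT syntax, models ZooKeeper's default id as the first principal component, and shows why an ACL holding only the translated short name rejects the caller while the union of both ids (the behaviour the comment attributes to the current patch) passes. The principal `spark-demo@EXAMPLE.COM`, the realm and the rule set are constructed stand-ins for the redacted values in the ticket.

```python
import re

# Constructed example values (not taken from the ticket): a service principal
# and the default realm it belongs to.
PRINCIPAL = "spark-demo@EXAMPLE.COM"
DEFAULT_REALM = "EXAMPLE.COM"

# Constructed auth_to_local rule set: the first rule maps the spark-demo
# principal to the short name "spark"; DEFAULT yields the first component for
# principals in the default realm. Syntax follows Hadoop's
# RULE:[n:format](acceptance-regex)s/pattern/replacement/ form, simplified.
RULES = [
    "RULE:[1:$1@$0](spark-demo@EXAMPLE.COM)s/.*/spark/",
    "DEFAULT",
]

_RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]+)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g?))?$"
)


def split_principal(principal):
    """Split 'a/b@REALM' into (['a', 'b'], 'REALM')."""
    name, sep, realm = principal.partition("@")
    if not sep:
        raise ValueError("principal has no realm: %r" % principal)
    return name.split("/"), realm


def zookeeper_sasl_id(principal):
    """ZooKeeper's default SASL identity, as the comment describes it: the
    first component of the principal, with host and realm dropped."""
    components, _ = split_principal(principal)
    return components[0]


def hadoop_auth_to_local(principal, rules, default_realm):
    """Simplified re-implementation (assumption: not Hadoop's own code) of
    auth_to_local evaluation: first matching rule wins."""
    components, realm = split_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            if realm == default_realm:
                return components[0]
            continue
        m = _RULE_RE.match(rule)
        if not m:
            raise ValueError("unsupported rule: %r" % rule)
        n, fmt, accept, pattern, repl, gflag = m.groups()
        if int(n) != len(components):
            continue
        # $0 is the realm, $1.. are the principal components.
        translated = fmt.replace("$0", realm)
        for i, comp in enumerate(components, 1):
            translated = translated.replace("$%d" % i, comp)
        if accept and not re.fullmatch(accept, translated):
            continue
        if pattern is not None:
            translated = re.sub(pattern, repl, translated,
                                count=0 if gflag else 1)
        return translated
    raise ValueError("no auth_to_local rule matched %r" % principal)


def znode_acl_ids_short_name_only(principal, rules, default_realm):
    """ACL ids built only from the translated short name (the failing case)."""
    return {"sasl:" + hadoop_auth_to_local(principal, rules, default_realm)}


def znode_acl_ids_both(principal, rules, default_realm):
    """ACL ids covering both the short name and the first principal component,
    which is the behaviour the comment describes for the current patch."""
    return {
        "sasl:" + hadoop_auth_to_local(principal, rules, default_realm),
        "sasl:" + zookeeper_sasl_id(principal),
    }


def acl_permits(acl_ids, principal):
    """Simplified ZooKeeper-side check: the authenticated SASL id of the
    caller must appear among the znode's ACL ids."""
    return "sasl:" + zookeeper_sasl_id(principal) in acl_ids


if __name__ == "__main__":
    short = hadoop_auth_to_local(PRINCIPAL, RULES, DEFAULT_REALM)
    print("auth_to_local short name:", short)            # spark
    print("zookeeper sasl id:", zookeeper_sasl_id(PRINCIPAL))  # spark-demo
    only = znode_acl_ids_short_name_only(PRINCIPAL, RULES, DEFAULT_REALM)
    both = znode_acl_ids_both(PRINCIPAL, RULES, DEFAULT_REALM)
    print("short-name-only ACL permits caller:", acl_permits(only, PRINCIPAL))  # False
    print("both-ids ACL permits caller:", acl_permits(both, PRINCIPAL))         # True
```

The failing configuration is any rule set where the short name differs from the first principal component while ZooKeeper is left on its default mapping; setting the same rules on the ZooKeeper side (as the comment notes, via auth_to_local in krb5.conf) makes the two mappings agree, and writing both ids into the ACL makes the znode readable either way.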



> Support security for YARN service framework
> -------------------------------------------
>
>                 Key: YARN-6669
>                 URL: https://issues.apache.org/jira/browse/YARN-6669
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Jian He
>            Assignee: Jian He
>         Attachments: YARN-6669.01.patch, YARN-6669.02.patch, 
> YARN-6669.03.patch, YARN-6669.04.patch, YARN-6669.05.patch, 
> YARN-6669.06.patch, YARN-6669.07.patch, YARN-6669.08.patch, 
> YARN-6669.09.patch, YARN-6669.10.patch, YARN-6669.11.patch, 
> YARN-6669.yarn-native-services.01.patch, 
> YARN-6669.yarn-native-services.03.patch, 
> YARN-6669.yarn-native-services.04.patch, 
> YARN-6669.yarn-native-services.05.patch
>
>
> Changes include:
> - Make the registry client programmatically generate the jaas conf for secure 
> access to the ZK quorum
> - Create a KerberosPrincipal resource object in the REST API for the user to supply 
> the kerberos keytab and principal 
> - The user has two ways to configure:
> -- If the keytab starts with "hdfs://", the keytab will be localized by YARN
> -- If the keytab starts with "file://", it is assumed that the keytab is 
> available on the localhost.
> - AM will use the keytab to log in
> - ServiceClient is changed to ask for an hdfs delegation token when submitting the 
> service
> - AM code will use the tokens when launching containers 
> - Support kerberized communication between client and AM



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
