[
https://issues.apache.org/jira/browse/YARN-7862?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16347189#comment-16347189
]
Eric Yang commented on YARN-7862:
---------------------------------
Hi [~sunilg],
The YARN native service REST API already supports the Hadoop delegation token, and it
takes precedence over the user.name parameter. However, Hadoop does not have a
single login form to validate a username and password to issue a delegation token.
Without Knox, users can come into the system from various entry points using a web
browser. This is the reason that the user.name parameter is used to let the server
know who the end user should be in the absence of Knox to verify the end user's
credentials. User.name is a stopgap solution for not having SSO. For the
POST request, use a URL that looks like this:
{code}
http://rm_ip:8088/app/v1/services?user.name=foobar
{code}
If you have obtained a delegation token somehow, then you can forward the cookie
to:
{code}
http://rm_ip:8088/app/v1/services
{code}
In a Kerberos-enabled cluster, you can submit the request with the WWW-Authenticate
header and a Kerberos ticket, and the request will work.
> YARN native service REST endpoint needs user.name as query param
> ----------------------------------------------------------------
>
> Key: YARN-7862
> URL: https://issues.apache.org/jira/browse/YARN-7862
> Project: Hadoop YARN
> Issue Type: Bug
> Components: yarn-native-services
> Reporter: Sunil G
> Priority: Major
>
> While accessing the YARN REST endpoint below with the POST method type,
> {code:java}
> http://rm_ip:8088/app/v1/services{code}
> the error below occurs in a non-secure cluster.
> {noformat}
> {
> "diagnostics": "Null user"
> }{noformat}
> When *user.name* is provided as a query param with *dr.who*, we can see that
> YARN started the service with the proxy user, not dr.who.
> In a non-secure cluster, native service should ideally take the user from
> the remote ugi.
> In a secure cluster, it's better to derive the user from the kerberized shell.
>
> cc/ [~jianhe] [~eyang]
>
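
An added example, not part of the original message or of Hadoop's code: because user.name is accepted without credential verification, an operator can audit request logs to see which clients assert which identities on the services endpoint. The NCSA-style log format, the sample lines, and the function names are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in NCSA common log style (assumed format, not from the page).
SAMPLE_LOG = """\
10.0.0.5 - - [31/Jan/2018:10:00:01 +0000] "POST /app/v1/services?user.name=foobar HTTP/1.1" 202 64
10.0.0.5 - - [31/Jan/2018:10:02:17 +0000] "POST /app/v1/services?user.name=dr.who HTTP/1.1" 202 64
10.0.0.9 - - [31/Jan/2018:10:03:40 +0000] "POST /app/v1/services HTTP/1.1" 400 31
10.0.0.7 - - [31/Jan/2018:10:04:02 +0000] "GET /app/v1/services/sleeper?user.name=alice HTTP/1.1" 200 512
10.0.0.7 - - [31/Jan/2018:10:05:11 +0000] "POST /app/v1/services?user.name=alice HTTP/1.1" 202 64
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
SERVICES_PATH = "/app/v1/services"  # endpoint named in the thread


def audit(log_text):
    """Return (asserted, no_param) for POSTs to the services endpoint.

    asserted: client address -> set of user.name values it sent.
    no_param: clients that POSTed without user.name; their identity must
    come from a delegation token or Kerberos, or the request has no user.
    """
    asserted = defaultdict(set)
    no_param = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        client, method, target, _status = m.groups()
        url = urlsplit(target)
        if method != "POST" or url.path.rstrip("/") != SERVICES_PATH:
            continue
        names = parse_qs(url.query).get("user.name", [])
        if names:
            asserted[client].update(names)
        else:
            no_param.add(client)
    return dict(asserted), no_param


def multi_identity_clients(asserted):
    """Clients that asserted more than one identity through user.name."""
    return {c: sorted(n) for c, n in asserted.items() if len(n) > 1}
```
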