[ 
https://issues.apache.org/jira/browse/YARN-8960?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16685618#comment-16685618
 ] 

Wangda Tan edited comment on YARN-8960 at 11/13/18 7:50 PM:
------------------------------------------------------------

Thanks [~yuan_zac], 

Some comments: 
1) doLoginIfSecure: could you print the login user if keytab/principal is empty?
(Assume the user has logged in using kinit.) We should fail the job submission if
the user doesn't log in using kinit AND no keytab/principal is specified AND
security is enabled. I also suggest using Log.info instead of debug.

2) Regarding uploading the keytab, I'm a bit concerned about this behavior.
Instead of doing that, should we assume keytabs will be placed under every
machine's directory? For example, if the "zac" user has
/security/keytabs/zac.keytab, the remote machine should have the same keytab in
the same folder. Passing around the keytab could be a high risk to the cluster.

If you think #2 is necessary, please at least make uploading the keytab an
optional parameter, and add a note to the command line description (such as
"Distributing the keytab to other machines is a risky operation for your
credentials. Please consider the option of having your keytab pre-distributed by
an admin as an alternative and safer solution").



was (Author: leftnoteasy):
Thanks [~yuan_zac], 

Some comments: 
1) doLoginIfSecure: could you print the login user if keytab/principal is empty?
(Assume the user has logged in using kinit.) We should fail the job submission if
the user doesn't log in using kinit AND no keytab/principal is specified AND
security is enabled. I also suggest using Log.info instead of debug.

2) Regarding uploading the keytab, I'm a bit concerned about this behavior.
Instead of doing that, should we assume keytabs will be placed under every
machine's directory? For example, if the "zac" user has
/security/keytabs/zac.keytab, the remote machine should have the same keytab in
the same folder. Passing around the keytab could be a high risk to the cluster.



> [Submarine] Can't get submarine service status using the command of "yarn app 
> -status" under security environment
> -----------------------------------------------------------------------------------------------------------------
>
>                 Key: YARN-8960
>                 URL: https://issues.apache.org/jira/browse/YARN-8960
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Zac Zhou
>            Assignee: Zac Zhou
>            Priority: Major
>         Attachments: YARN-8960.001.patch, YARN-8960.002.patch, 
> YARN-8960.003.patch, YARN-8960.004.patch
>
>
> After submitting a submarine job, we tried to get service status using the 
> following command:
> yarn app -status ${service_name}
> But we got the following error:
> HTTP error code : 500
>  
> The stack in resourcemanager log is :
> {code}
> ERROR org.apache.hadoop.yarn.service.webapp.ApiServer: Get service failed: {}
> java.lang.reflect.UndeclaredThrowableException
>  at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1748)
>  at org.apache.hadoop.yarn.service.webapp.ApiServer.getServiceFromClient(ApiServer.java:800)
>  at org.apache.hadoop.yarn.service.webapp.ApiServer.getService(ApiServer.java:186)
>  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>  ...
> Caused by: org.apache.hadoop.yarn.exceptions.YarnException: No principal specified in the persisted service definition, fail to connect to AM.
>  at org.apache.hadoop.yarn.service.client.ServiceClient.createAMProxy(ServiceClient.java:1500)
>  at org.apache.hadoop.yarn.service.client.ServiceClient.getStatus(ServiceClient.java:1376)
>  at org.apache.hadoop.yarn.service.webapp.ApiServer.lambda$getServiceFromClient$4(ApiServer.java:804)
>  at java.security.AccessController.doPrivileged(Native Method)
>  at javax.security.auth.Subject.doAs(Subject.java:422)
>  at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1730)
>  ... 68 more
> {code}
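
The login rule from item 1 of the review comment above, sketched as an added example (not code from the YARN-8960 patches or from Hadoop itself). The class name, method signature and messages are assumptions; the `UserGroupInformation` calls are Hadoop's existing API, and hadoop-common and SLF4J are assumed to be on the classpath.

```java
import java.io.IOException;
import org.apache.hadoop.security.UserGroupInformation;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/** Hypothetical helper illustrating the review comment; not the project's class. */
public final class SecureLoginCheck {
  private static final Logger LOG = LoggerFactory.getLogger(SecureLoginCheck.class);

  private SecureLoginCheck() {}

  /**
   * Returns the user the job will be submitted as, or throws if security is
   * enabled and there is neither a keytab/principal pair nor a kinit login.
   */
  public static UserGroupInformation doLoginIfSecure(String keytab, String principal)
      throws IOException {
    // Reflects hadoop.security.authentication from the loaded configuration.
    if (!UserGroupInformation.isSecurityEnabled()) {
      return UserGroupInformation.getCurrentUser();
    }

    boolean hasKeytab = keytab != null && !keytab.isEmpty();
    boolean hasPrincipal = principal != null && !principal.isEmpty();
    if (hasKeytab != hasPrincipal) {
      throw new IOException("Keytab and principal must be specified together.");
    }

    if (hasKeytab) {
      // Explicit credentials: log in from the local keytab file.
      UserGroupInformation.loginUserFromKeytab(principal, keytab);
      UserGroupInformation ugi = UserGroupInformation.getLoginUser();
      LOG.info("Logged in from keytab as {}", ugi.getUserName());
      return ugi;
    }

    // No keytab/principal: the only acceptable state is an existing kinit ticket.
    UserGroupInformation ugi = UserGroupInformation.getLoginUser();
    if (!ugi.hasKerberosCredentials()) {
      throw new IOException("Security is enabled, but no keytab/principal was "
          + "specified and user " + ugi.getUserName() + " has no Kerberos "
          + "credentials. Run kinit or pass a keytab and principal.");
    }
    // Info level, so the submitting identity is visible in default logs.
    LOG.info("Using existing Kerberos login for user {}", ugi.getUserName());
    return ugi;
  }
}
```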


