[
https://issues.apache.org/jira/browse/YARN-8960?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16686692#comment-16686692
]
Zac Zhou commented on YARN-8960:
--------------------------------
Thanks, [~leftnoteasy]
For comment 1
{quote}1) doLoginIfSecure, could you print the login user if keytab/principal is
empty? (Assume the user has logged in using kinit). We should fail the job
submission if the user doesn't log in using kinit AND no keytab/principal is specified
AND security is enabled. And I suggest using Log.info instead of debug.
{quote}
LoginIfSecure is changed.
For comment 2
{quote}2) Regarding uploading the keytab, I'm a bit concerned about this behavior;
instead of doing that, should we assume keytabs will be placed under the same
directory on all machines? For example, if the "zac" user has
/security/keytabs/zac.keytab, the remote machine should have the same keytab in
the same folder. Passing around the keytab could be a high risk to the cluster.
If you think #2 is necessary, please at least make uploading the keytab an
optional parameter, and add a note to the command line description (such as
"distributing the keytab to other machines is a risky operation for your
credentials. Please consider having your admin pre-distribute your keytab as an
alternative and safer solution").
{quote}
Yeah, I agree with you. Publishing the keytab to the cluster seems a risk.
But I think we need to support it, as it's easier for users to submit a
submarine job. I checked the Spark code (Client.prepareLocalResource) for its
--keytab / --principal parameters. Spark uploads the user's keytab to HDFS to
resolve the AM delegation token renewer issue for long-running apps
(AMDelegationTokenRenewer).
As the keytab is uploaded to the user's home directory, we can set its permission
to 400 to prevent others from getting it. If
[YARN-8725|https://issues.apache.org/jira/browse/YARN-8725]
is done, the staging dir will be cleaned up after the job is done. I think it's
a controllable risk.
Your advice is great; keytab uploading is changed to optional and warnings are
added.
Thanks
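The two behaviours discussed in this comment, sketched in Java as an added illustration. This is not the YARN-8960 patch or any Submarine code: the class, method names and the `.submarine/<job>` staging layout are hypothetical, and only the Hadoop APIs (UserGroupInformation, FileSystem, FsPermission) are real. The first method fails submission on a secure cluster when there is neither a keytab/principal nor an existing kinit login; the second makes the keytab upload opt-in, warns about it, locks the staged copy to 0400 inside a 0700 directory, and reads the mode back before trusting it. Note that 0400 keeps the keytab from other users but not from the HDFS superuser, and the copy stays on HDFS until the staging directory is cleaned up.

```java
// Added illustration, not the YARN-8960 patch. Names are hypothetical;
// only the Hadoop APIs used are real.
import java.io.IOException;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.fs.permission.FsPermission;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.yarn.exceptions.YarnException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class SecureSubmitSketch {
  private static final Logger LOG = LoggerFactory.getLogger(SecureSubmitSketch.class);

  // Owner-read-only keytab, as proposed in the comment (octal 0400).
  private static final FsPermission KEYTAB_PERM = new FsPermission((short) 0400);
  // Owner-only staging directory holding the keytab.
  private static final FsPermission STAGING_DIR_PERM = new FsPermission((short) 0700);

  /**
   * Comment 1: on a secure cluster, log in from the keytab if one is given;
   * otherwise require an existing Kerberos login (kinit) and refuse to submit
   * without it. Logged at INFO so the effective user is visible in the output.
   */
  public static UserGroupInformation doLoginIfSecure(String principal, String keytab)
      throws IOException, YarnException {
    if (!UserGroupInformation.isSecurityEnabled()) {
      LOG.info("Security is not enabled, skipping Kerberos login");
      return UserGroupInformation.getCurrentUser();
    }
    boolean haveKeytab = keytab != null && !keytab.isEmpty()
        && principal != null && !principal.isEmpty();
    if (haveKeytab) {
      UserGroupInformation.loginUserFromKeytab(principal, keytab);
      UserGroupInformation ugi = UserGroupInformation.getLoginUser();
      LOG.info("Logged in from keytab {} as {}", keytab, ugi.getUserName());
      return ugi;
    }
    UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
    if (!ugi.hasKerberosCredentials()) {
      throw new YarnException("Security is enabled but no keytab/principal was given "
          + "and user " + ugi.getUserName() + " has no Kerberos credentials; "
          + "run kinit or pass --keytab and --principal");
    }
    LOG.info("Using existing Kerberos login for {}", ugi.getUserName());
    return ugi;
  }

  /**
   * Comment 2: keytab upload is opt-in. When enabled, the keytab is copied into
   * an owner-only staging directory under the user's HDFS home, locked to 0400,
   * and the resulting mode is read back and verified before it is used.
   * Returns null when the upload is disabled (keytab assumed pre-distributed).
   */
  public static Path maybeUploadKeytab(Configuration conf, String localKeytab,
      String jobName, boolean uploadKeytab) throws IOException {
    if (!uploadKeytab) {
      LOG.info("Keytab upload disabled; assuming {} is pre-distributed by the admin",
          localKeytab);
      return null;
    }
    LOG.warn("Distributing keytab {} to the cluster is a risky operation for your "
        + "credentials; consider having the admin pre-distribute it instead", localKeytab);
    FileSystem fs = FileSystem.get(conf);
    // Hypothetical staging layout: <home>/.submarine/<job>/
    Path stagingDir = new Path(fs.getHomeDirectory(), ".submarine/" + jobName);
    fs.mkdirs(stagingDir, STAGING_DIR_PERM);
    // mkdirs applies the umask to the requested mode, so set it explicitly afterwards.
    fs.setPermission(stagingDir, STAGING_DIR_PERM);
    Path src = new Path(localKeytab);
    Path dst = new Path(stagingDir, src.getName());
    fs.copyFromLocalFile(false, true, src, dst);
    fs.setPermission(dst, KEYTAB_PERM);
    // Do not trust the requested mode; read back what HDFS actually stored.
    FsPermission actual = fs.getFileStatus(dst).getPermission();
    if (!KEYTAB_PERM.equals(actual)) {
      fs.delete(dst, false);
      throw new IOException("Refusing to leave keytab " + dst + " with mode " + actual);
    }
    LOG.info("Uploaded keytab to {} with mode {}", dst, actual);
    return dst;
  }
}
```

The explicit setPermission after mkdirs matters: FileSystem.mkdirs(Path, FsPermission) applies the client umask to the requested mode, so a 0700 request can land as something wider if the umask is permissive. The read-back check is the cheap guard against the same surprise on the keytab itself.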
> [Submarine] Can't get submarine service status using the command of "yarn app
> -status" under security environment
> -----------------------------------------------------------------------------------------------------------------
>
> Key: YARN-8960
> URL: https://issues.apache.org/jira/browse/YARN-8960
> Project: Hadoop YARN
> Issue Type: Sub-task
> Reporter: Zac Zhou
> Assignee: Zac Zhou
> Priority: Major
> Attachments: YARN-8960.001.patch, YARN-8960.002.patch,
> YARN-8960.003.patch, YARN-8960.004.patch, YARN-8960.005.patch
>
>
> After submitting a submarine job, we tried to get service status using the
> following command:
> yarn app -status ${service_name}
> But we got the following error:
> HTTP error code : 500
>
> The stack in resourcemanager log is :
> {code}
> ERROR org.apache.hadoop.yarn.service.webapp.ApiServer: Get service failed: {}
> java.lang.reflect.UndeclaredThrowableException
> at
> org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1748)
> at
> org.apache.hadoop.yarn.service.webapp.ApiServer.getServiceFromClient(ApiServer.java:800)
> at
> org.apache.hadoop.yarn.service.webapp.ApiServer.getService(ApiServer.java:186)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> ...
> Caused by: org.apache.hadoop.yarn.exceptions.YarnException: No principal
> specified in the persisted service definition, fail to connect to AM.
> at
> org.apache.hadoop.yarn.service.client.ServiceClient.createAMProxy(ServiceClient.java:1500)
> at
> org.apache.hadoop.yarn.service.client.ServiceClient.getStatus(ServiceClient.java:1376)
> at
> org.apache.hadoop.yarn.service.webapp.ApiServer.lambda$getServiceFromClient$4(ApiServer.java:804)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Subject.java:422)
> at
> org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1730)
> ... 68 more
> {code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)