[ https://issues.apache.org/jira/browse/YARN-10339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17152548#comment-17152548 ]

Tarun Parimi edited comment on YARN-10339 at 7/7/20, 8:17 AM:
--------------------------------------------------------------

Thanks [~prabhujoseph]. When atsv1 is enabled, delegation tokens are used even when auth is simple. I made changes in this patch, to add Timeline Delegation Token only when auth is kerberos. And fixed unit test failures and checkstyle.


was (Author: tarunparimi):
    Thanks [~prabhujoseph]. When atsv1 is enabled, delegation tokens are used even when auth is simple. I made changes in this patch, to add Timeline Delegation Token only when auth is simple. And fixed unit test failures and checkstyle.

> Timeline Client in Nodemanager gets 403 errors when simple auth is used in
> kerberos environments
> ------------------------------------------------------------------------------------------------
>
>                 Key: YARN-10339
>                 URL: https://issues.apache.org/jira/browse/YARN-10339
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: timelineclient
>   Affects Versions: 3.1.0
>            Reporter: Tarun Parimi
>            Assignee: Tarun Parimi
>            Priority: Major
>         Attachments: YARN-10339.001.patch, YARN-10339.002.patch
>
>
> We get below errors in NodeManager logs whenever we set
> yarn.timeline-service.http-authentication.type=simple in a cluster which has
> kerberos enabled. There are use cases where simple auth is used only in
> timeline server for convenience although kerberos is enabled.
> {code:java}
> 2020-05-20 20:06:30,181 ERROR impl.TimelineV2ClientImpl
> (TimelineV2ClientImpl.java:putObjects(321)) - Response from the timeline
> server is not successful, HTTP error code: 403, Server response:
> {"exception":"ForbiddenException","message":"java.lang.Exception: The owner
> of the posted timeline entities is not
> set","javaClassName":"org.apache.hadoop.yarn.webapp.ForbiddenException"}
> {code}
> This seems to affect the NM timeline publisher which uses
> TimelineV2ClientImpl. Doing a simple auth directly to timeline service via
> curl works fine. So this issue is in the authenticator configuration in
> timeline client.