[ https://issues.apache.org/jira/browse/YARN-10382?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17174253#comment-17174253 ]
Steve Loughran commented on YARN-10382: --------------------------------------- Problem there is that the code wants to know who the YARN principal of the resource manager is so that it can send messages to HDFS saying "renew these delegation tokens". Your insecure YARN RM doesn't have a kerberos principal, so secure HDFS will not issue delegation tokens to it. You could somehow cheat the configs to name some kerberos principal (yourself?) as the RM principal -no idea what happens then. I would personally like YARN To collect tokens from services even when Kerberos is disabled, though not for your use case - I want to be able to collect tokens for the object stores. But I've avoiding going near the code as (a) I'm scared and (b) applications like Spark do their own checks against UserGroupInformation.isSecurityEnabled() which still wouldn't work > Non-secure yarn access secure hdfs > ---------------------------------- > > Key: YARN-10382 > URL: https://issues.apache.org/jira/browse/YARN-10382 > Project: Hadoop YARN > Issue Type: New Feature > Components: yarn > Reporter: bianqi > Priority: Minor > > In our production environment, yarn cannot enable kerberos due to yarn > environment problems, but our hdfs is to enable kerberos, and now we need > non-secure yarn to access secure hdfs. > It is known that yarn and hdfs are both safe after security is turned on. > I hope that after enabling hdfs security, you can use non-secure yarn to > access secure hdfs, or use secure yarn to access non-secure hdfs. -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org