[
https://issues.apache.org/jira/browse/YARN-10382?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17174253#comment-17174253
]
Steve Loughran commented on YARN-10382:
---------------------------------------
Problem there is that the code wants to know who the YARN principal of the
resource manager is so that it can send messages to HDFS saying "renew these
delegation tokens". Your insecure YARN RM doesn't have a kerberos principal, so
secure HDFS will not issue delegation tokens to it. You could somehow cheat the
configs to name some kerberos principal (yourself?) as the RM principal -no
idea what happens then.
I would personally like YARN To collect tokens from services even when Kerberos
is disabled, though not for your use case - I want to be able to collect tokens
for the object stores. But I've avoiding going near the code as (a) I'm scared
and (b) applications like Spark do their own checks against
UserGroupInformation.isSecurityEnabled() which still wouldn't work
> Non-secure yarn access secure hdfs
> ----------------------------------
>
> Key: YARN-10382
> URL: https://issues.apache.org/jira/browse/YARN-10382
> Project: Hadoop YARN
> Issue Type: New Feature
> Components: yarn
> Reporter: bianqi
> Priority: Minor
>
> In our production environment, yarn cannot enable kerberos due to yarn
> environment problems, but our hdfs is to enable kerberos, and now we need
> non-secure yarn to access secure hdfs.
> It is known that yarn and hdfs are both safe after security is turned on.
> I hope that after enabling hdfs security, you can use non-secure yarn to
> access secure hdfs, or use secure yarn to access non-secure hdfs.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
