[
https://issues.apache.org/jira/browse/YARN-986?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Karthik Kambatla updated YARN-986:
----------------------------------
Attachment: yarn-986-prelim-0.patch
Here is a very preliminary patch. The current patch changes the client in an
incompatible way. The idea is to introduce a config
yarn.client.rm-token.use-clusterid with a default of false. Users are expected
to set this to true to work against RM HA.
With this patch, I am able to address the initial issues I was running into
when submitting oozie jobs to the Standby RM. However, the Oozie launcher runs
into the following when attempting to submit the child job corresponding to the
action.
{noformat}
Failing Oozie Launcher, Main class
[org.apache.oozie.action.hadoop.MapReduceMain], main() threw exception, Failed
on local exception: java.io.IOException:
org.apache.hadoop.security.AccessControlException: Client cannot authenticate
via:[TOKEN, KERBEROS]; Host Details : local host is:
"secure-rmha-2.ent.cloudera.com/10.20.194.212"; destination host is:
"secure-rmha-2.ent.cloudera.com":8032;
java.io.IOException: Failed on local exception: java.io.IOException:
org.apache.hadoop.security.AccessControlException: Client cannot authenticate
via:[TOKEN, KERBEROS]; Host Details : local host is:
"secure-rmha-2.ent.cloudera.com/10.20.194.212"; destination host is:
"secure-rmha-2.ent.cloudera.com":8032;
at org.apache.hadoop.net.NetUtils.wrapException(NetUtils.java:764)
at org.apache.hadoop.ipc.Client.call(Client.java:1410)
at org.apache.hadoop.ipc.Client.call(Client.java:1359)
at
org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:206)
at com.sun.proxy.$Proxy11.getNewApplication(Unknown Source)
at
org.apache.hadoop.yarn.api.impl.pb.client.ApplicationClientProtocolPBClientImpl.getNewApplication(ApplicationClientProtocolPBClientImpl.java:167)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at
org.apache.hadoop.io.retry.RetryInvocationHandler.invokeMethod(RetryInvocationHandler.java:186)
at
org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:102)
at com.sun.proxy.$Proxy12.getNewApplication(Unknown Source)
at
org.apache.hadoop.yarn.client.api.impl.YarnClientImpl.getNewApplication(YarnClientImpl.java:134)
Caused by: java.io.IOException:
org.apache.hadoop.security.AccessControlException: Client cannot authenticate
via:[TOKEN, KERBEROS]
at org.apache.hadoop.ipc.Client$Connection$1.run(Client.java:674)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:415)
at
org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1548)
Caused by: org.apache.hadoop.security.AccessControlException: Client cannot
authenticate via:[TOKEN, KERBEROS]
at
org.apache.hadoop.security.SaslRpcClient.selectSaslClient(SaslRpcClient.java:170)
{noformat}
> YARN should use cluster-id as token service address
> ---------------------------------------------------
>
> Key: YARN-986
> URL: https://issues.apache.org/jira/browse/YARN-986
> Project: Hadoop YARN
> Issue Type: Sub-task
> Reporter: Vinod Kumar Vavilapalli
> Assignee: Karthik Kambatla
> Priority: Blocker
> Attachments: yarn-986-prelim-0.patch
>
>
> This needs to be done to support non-ip based fail over of RM. Once the
> server sets the token service address to be this generic ClusterId/ServiceId,
> clients can translate it to appropriate final IP and then be able to select
> tokens via TokenSelectors.
> Some workarounds for other related issues were put in place at YARN-945.
--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
