[
https://issues.apache.org/jira/browse/YARN-986?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13909194#comment-13909194
]
Karthik Kambatla commented on YARN-986:
---------------------------------------
Made some more progress on this.
The issue is that SaslRPCClient fails to createSaslClient. That is because it
calls getServerToken (as below):
{code}
private Token<?> getServerToken(SaslAuth authType) throws IOException {
TokenInfo tokenInfo = SecurityUtil.getTokenInfo(protocol, conf);
...
TokenSelector<?> tokenSelector = null;
try {
tokenSelector = tokenInfo.value().newInstance();
} catch {...}
return tokenSelector.selectToken(
SecurityUtil.buildTokenService(serverAddr), ugi.getTokens());
}
{code}
{{tokenSelector.selectToken}} is called with service in the form of
"host:port", while the users tokens only have the one with "clusterId". So, it
doesn't find a matching token and returns null.
We can address this in multiple ways - add duplicate tokens one for each RM to
the UGI before attempting a connection, or a different implementation of
getServerToken or RMDelegationTokenSelector to accommodate the use of ClusterId
as token service.
[~vinodkv] - thoughts?
> YARN should use cluster-id as token service address
> ---------------------------------------------------
>
> Key: YARN-986
> URL: https://issues.apache.org/jira/browse/YARN-986
> Project: Hadoop YARN
> Issue Type: Sub-task
> Reporter: Vinod Kumar Vavilapalli
> Assignee: Karthik Kambatla
> Priority: Blocker
> Attachments: yarn-986-prelim-0.patch
>
>
> This needs to be done to support non-ip based fail over of RM. Once the
> server sets the token service address to be this generic ClusterId/ServiceId,
> clients can translate it to appropriate final IP and then be able to select
> tokens via TokenSelectors.
> Some workarounds for other related issues were put in place at YARN-945.
--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
