[
https://issues.apache.org/jira/browse/YARN-2232?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Varun Vasudev updated YARN-2232:
--------------------------------
Description:
The ClientRMSerivce doesn't allow delegation token owners to cancel their own
tokens. The root cause is this piece of code from the cancelDelegationToken
function -
{noformat}
String user = getRenewerForToken(token);
...
private String getRenewerForToken(Token<RMDelegationTokenIdentifier> token)
throws IOException {
UserGroupInformation user = UserGroupInformation.getCurrentUser();
UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
// we can always renew our own tokens
return loginUser.getUserName().equals(user.getUserName())
? token.decodeIdentifier().getRenewer().toString()
: user.getShortUserName();
}
{noformat}
It ends up passing the user short name to the cancelToken function whereas
AbstractDelegationTokenSecretManager::cancelToken expects the full user name.
This bug occurs in secure mode and is not an issue with simple auth.
was:
The ClientRMSerivce doesn't allow delegation token owners to cancel their own
tokens. The root cause is this piece of code from the cancelDelegationToken
function -
{noformat}
String user = getRenewerForToken(token);
...
private String getRenewerForToken(Token<RMDelegationTokenIdentifier> token)
throws IOException {
UserGroupInformation user = UserGroupInformation.getCurrentUser();
UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
// we can always renew our own tokens
return loginUser.getUserName().equals(user.getUserName())
? token.decodeIdentifier().getRenewer().toString()
: user.getShortUserName();
}
{noformat}
It ends up passing the user short name to the cancelToken function whereas
AbstractDelegationTokenSecretManager::cancelToken expects the full user name.
> ClientRMService doesn't allow delegation token owner to cancel their own token
> ------------------------------------------------------------------------------
>
> Key: YARN-2232
> URL: https://issues.apache.org/jira/browse/YARN-2232
> Project: Hadoop YARN
> Issue Type: Bug
> Reporter: Varun Vasudev
> Assignee: Varun Vasudev
> Attachments: apache-yarn-2232.0.patch
>
>
> The ClientRMSerivce doesn't allow delegation token owners to cancel their own
> tokens. The root cause is this piece of code from the cancelDelegationToken
> function -
> {noformat}
> String user = getRenewerForToken(token);
> ...
> private String getRenewerForToken(Token<RMDelegationTokenIdentifier> token)
> throws IOException {
> UserGroupInformation user = UserGroupInformation.getCurrentUser();
> UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
> // we can always renew our own tokens
> return loginUser.getUserName().equals(user.getUserName())
> ? token.decodeIdentifier().getRenewer().toString()
> : user.getShortUserName();
> }
> {noformat}
> It ends up passing the user short name to the cancelToken function whereas
> AbstractDelegationTokenSecretManager::cancelToken expects the full user name.
> This bug occurs in secure mode and is not an issue with simple auth.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
