Varun Vasudev updated YARN-2233:

    Attachment: apache-yarn-2233.1.patch


bq. It should be noted that when cancelling a token, the token to be cancelled 
is specified by setting a header.

Any reason for specifying the token in the header? If there's something 
non-intuitive, maybe we should have some in-code comments for other developers?

I've added comments to the code explaining why this is. Jetty doesn't allow 
request bodies for DELETE methods.

2. RPC get delegation token API doesn't have these fields, but it seems to be 
nice to have. We may want to file a Jira.
+    long currentExpiration = ident.getIssueDate() + tokenRenewInterval;
+    long maxValidity = ident.getMaxDate();
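
Review bot: currentExpiration on the first added line is derived from the issue date alone, so it describes the first expiry only and is not bounded by maxValidity on the next line. If this value is also reported for a token that has already been renewed, it will not reflect the renewal. If the field is kept, consider capping it, for example Math.min(ident.getIssueDate() + tokenRenewInterval, ident.getMaxDate()), and state the time unit of both fields in a comment.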

Fixed this. I've left the fields out for now to match the RPC response. I'll 
file tickets to add the information to both interfaces.

3. Is it possible to reuse KerberosTestUtils in hadoop-auth?

I missed this. hadoop-auth doesn't export test jars for us to use. I've changed 
the pom.xml to start generating test-jars for hadoop-auth and used 
KerberosTestUtils from there.

4. Is this supposed to test invalid request body? It doesn't look like the 
invalid body construction in the later tests.
+        response =
+            resource().path("ws").path("v1").path("cluster")
+              .path("delegation-token").accept(contentType)
+              .entity(dtoken, mediaType).post(ClientResponse.class);
+        assertEquals(Status.BAD_REQUEST, response.getClientResponseStatus());
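
Review bot: the BAD_REQUEST assertion on the last line does not say which validation failed, and nothing in these lines shows what makes dtoken invalid. Add a comment above the post() call naming the case under test, and consider asserting on the error body as well, so the test cannot pass because of an unrelated rejection.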

This is actually a test with the renewer missing from the request body, hence 

1. No need of "== true".

+    if (usePrincipal == true) {

+    if (KerberosAuthenticationHandler.TYPE.equals(authType) == false) {
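
Review bot: both conditions compare a boolean against a literal. Write if (usePrincipal) and if (!KerberosAuthenticationHandler.TYPE.equals(authType)). The constant-first equals() call already tolerates a null authType, so nothing else needs to change.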


2. If I remember it correctly, callerUGI.doAs will throw 
UndeclaredThrowableException, which wraps the real raised exception. However, 
UndeclaredThrowableException is an RE, this code cannot capture it.
+    try {
+      resp =
+          callerUGI
+            .doAs(new PrivilegedExceptionAction<GetDelegationTokenResponse>() {
+              @Override
+              public GetDelegationTokenResponse run() throws IOException,
+                  YarnException {
+                GetDelegationTokenRequest createReq =
+                    GetDelegationTokenRequest.newInstance(renewer);
+                return rm.getClientRMService().getDelegationToken(createReq);
+              }
+            });
+    } catch (Exception e) {
+      LOG.info("Create delegation token request failed", e);
+      throw e;
+    }
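
Review bot: the catch block at the end rethrows e unchanged, so if doAs wraps the YarnException that run() declares, the wrapper rather than the cause reaches the caller. Unwrap the cause before rethrowing, or map it to the intended HTTP status here. Since the exception is rethrown anyway, logging it at this point as well will duplicate the stack trace for every failed token request; log once, at the layer that builds the response.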

I'm unsure about this. RE is a sub-class of Exception. Why won't this code work?

3. Cannot return respToken simply? The framework should generate "OK" status 
automatically, right?
+    return Response.status(Status.OK).entity(respToken).build();
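
Review bot: style point on this return: Response.ok(respToken).build() says the same thing more briefly. If the explicit Response is needed because other paths in the method return a different status, a one-line comment saying so would document the reason.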

There are a few cases where we need to send a FORBIDDEN response back and the 
GenericExceptionHandler doesn't return FORBIDDEN responses.

4. You can call tk.decodeIdentifier directly.
+    RMDelegationTokenIdentifier ident = new RMDelegationTokenIdentifier();
+    ByteArrayInputStream buf = new ByteArrayInputStream(tk.getIdentifier());
+    DataInputStream in = new DataInputStream(buf);
+    ident.readFields(in);
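
Review bot: these lines parse tk.getIdentifier() straight into an RMDelegationTokenIdentifier with no check that the token is of that kind. If tk is built from client-supplied input, check tk.getKind() before decoding and turn a mismatch, or an IOException from readFields, into a client error so that a malformed or foreign token fails cleanly.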

Fixed. Thanks for this, cleaned up a bunch of boilerplate code.

> Implement web services to create, renew and cancel delegation tokens
> --------------------------------------------------------------------
>                 Key: YARN-2233
>                 URL: https://issues.apache.org/jira/browse/YARN-2233
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: resourcemanager
>            Reporter: Varun Vasudev
>            Assignee: Varun Vasudev
>            Priority: Blocker
>         Attachments: apache-yarn-2233.0.patch, apache-yarn-2233.1.patch
> Implement functionality to create, renew and cancel delegation tokens.
