[ https://issues.apache.org/jira/browse/YARN-2232?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14050753#comment-14050753 ]
Hudson commented on YARN-2232: ------------------------------ SUCCESS: Integrated in Hadoop-trunk-Commit #5812 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/5812/]) YARN-2232. Fixed ResourceManager to allow DelegationToken owners to be able to cancel their own tokens in secure mode. Contributed by Varun Vasudev. (vinodkv: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1607484) * /hadoop/common/trunk/hadoop-yarn-project/CHANGES.txt * /hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ClientRMService.java * /hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestClientRMService.java > ClientRMService doesn't allow delegation token owner to cancel their own > token in secure mode > --------------------------------------------------------------------------------------------- > > Key: YARN-2232 > URL: https://issues.apache.org/jira/browse/YARN-2232 > Project: Hadoop YARN > Issue Type: Bug > Reporter: Varun Vasudev > Assignee: Varun Vasudev > Fix For: 2.5.0 > > Attachments: apache-yarn-2232.0.patch, apache-yarn-2232.1.patch, > apache-yarn-2232.2.patch > > > The ClientRMSerivce doesn't allow delegation token owners to cancel their own > tokens. The root cause is this piece of code from the cancelDelegationToken > function - > {noformat} > String user = getRenewerForToken(token); > ... > private String getRenewerForToken(Token<RMDelegationTokenIdentifier> token) > throws IOException { > UserGroupInformation user = UserGroupInformation.getCurrentUser(); > UserGroupInformation loginUser = UserGroupInformation.getLoginUser(); > // we can always renew our own tokens > return loginUser.getUserName().equals(user.getUserName()) > ? token.decodeIdentifier().getRenewer().toString() > : user.getShortUserName(); > } > {noformat} > It ends up passing the user short name to the cancelToken function whereas > AbstractDelegationTokenSecretManager::cancelToken expects the full user name. > This bug occurs in secure mode and is not an issue with simple auth. -- This message was sent by Atlassian JIRA (v6.2#6252)