[ 
https://issues.apache.org/jira/browse/YARN-2232?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14051335#comment-14051335
 ] 

Hudson commented on YARN-2232:
------------------------------

SUCCESS: Integrated in Hadoop-Yarn-trunk #602 (See 
[https://builds.apache.org/job/Hadoop-Yarn-trunk/602/])
YARN-2232. Fixed ResourceManager to allow DelegationToken owners to be able to 
cancel their own tokens in secure mode. Contributed by Varun Vasudev. (vinodkv: 
http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1607484)
* /hadoop/common/trunk/hadoop-yarn-project/CHANGES.txt
* 
/hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ClientRMService.java
* 
/hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestClientRMService.java


> ClientRMService doesn't allow delegation token owner to cancel their own 
> token in secure mode
> ---------------------------------------------------------------------------------------------
>
>                 Key: YARN-2232
>                 URL: https://issues.apache.org/jira/browse/YARN-2232
>             Project: Hadoop YARN
>          Issue Type: Bug
>            Reporter: Varun Vasudev
>            Assignee: Varun Vasudev
>             Fix For: 2.5.0
>
>         Attachments: apache-yarn-2232.0.patch, apache-yarn-2232.1.patch, 
> apache-yarn-2232.2.patch
>
>
> The ClientRMSerivce doesn't allow delegation token owners to cancel their own 
> tokens. The root cause is this piece of code from the cancelDelegationToken 
> function -
> {noformat}
> String user = getRenewerForToken(token);
> ...
> private String getRenewerForToken(Token<RMDelegationTokenIdentifier> token) 
> throws IOException {
>   UserGroupInformation user = UserGroupInformation.getCurrentUser();
>   UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
>   // we can always renew our own tokens
>   return loginUser.getUserName().equals(user.getUserName())
>       ? token.decodeIdentifier().getRenewer().toString()
>       : user.getShortUserName();
> }
> {noformat}
> It ends up passing the user short name to the cancelToken function whereas 
> AbstractDelegationTokenSecretManager::cancelToken expects the full user name. 
> This bug occurs in secure mode and is not an issue with simple auth.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Reply via email to