Zhijie Shen commented on YARN-2563:

When submitting an app in a secure mode, YarnClient will automatically obtain a 
timeline DT from the timeline server. This communication needs to pass Kerberos 
authentication. It works at the client side, which has Kerberos set up. In a 
container (either of AM or a specific task), the process doesn't do Kerberos 
login, such that it is not able to pass Kerberos authentication to get the 
timeline DT. In this scenario, Oozie is starting a MR job inside the MR mapper 
container, such that it fails to pass Kerberos authentication enforced by the 
timeline server.

However, the expected behavior is that YarnClient only grabs a timeline DT when 
it is not found when submitting an app, and the DT will be put into the 
credentials of ContainerLaunchContext, and passed to AM and the remaining MR 
tasks' containers. Hence when Oozie wants to launch an RM job from there, it 
should already have the DT, and doesn't need to invoke getTimelineDelegationToken.

It seems that YarnClientImpl.addTimelineDelegationToken has a bug. No matter 
whether the DT is already in the credentials or not, YarnClientImpl will always 
grab one, but only put it into the credentials when the DT is not there. The 
right behavior should be: when the DT is already in credentials, we shouldn't 
even invoke getTimelineDelegationToken. I'll create a patch to fix the bug.

> On secure clusters call to timeline server fails with authentication errors 
> when running a job via oozie
> --------------------------------------------------------------------------------------------------------
>                 Key: YARN-2563
>                 URL: https://issues.apache.org/jira/browse/YARN-2563
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: timelineserver
>    Affects Versions: 2.6.0
>            Reporter: Arpit Gupta
>            Assignee: Zhijie Shen
>            Priority: Blocker
> During our nightlies on a secure cluster we have seen oozie jobs fail with 
> an authentication error to the timeline server.
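
A stand-alone Java model of the two behaviours described in the comment above, added here as an illustration; it is not Hadoop's code or the eventual patch. `TimelineServer`, `addTokenAlwaysFetch`, `addTokenIfMissing` and the `TIMELINE_DT` alias are hypothetical stand-ins, and a boolean stands in for the Kerberos login state.

```java
import java.util.HashMap;
import java.util.Map;

// Stand-alone model of the flow in this comment; these are NOT Hadoop's classes.
public class TimelineTokenModel {
    static final String TIMELINE_DT = "TIMELINE_DELEGATION_TOKEN"; // hypothetical alias

    /** Stand-in for the timeline server's Kerberos-protected token endpoint. */
    static class TimelineServer {
        int requests = 0;
        String getTimelineDelegationToken(boolean kerberosLoggedIn) {
            requests++;
            if (!kerberosLoggedIn) {
                throw new SecurityException("Kerberos authentication failed");
            }
            return "dt-" + requests; // constructed token value
        }
    }

    /** Behaviour described as the bug: always fetch, store only when absent. */
    static void addTokenAlwaysFetch(Map<String, String> creds, TimelineServer ts, boolean kerberos) {
        String dt = ts.getTimelineDelegationToken(kerberos);
        creds.putIfAbsent(TIMELINE_DT, dt);
    }

    /** Behaviour described as correct: skip the call when the DT is already present. */
    static void addTokenIfMissing(Map<String, String> creds, TimelineServer ts, boolean kerberos) {
        if (creds.containsKey(TIMELINE_DT)) {
            return;
        }
        creds.put(TIMELINE_DT, ts.getTimelineDelegationToken(kerberos));
    }

    public static void main(String[] args) {
        TimelineServer ts = new TimelineServer();
        // Client side: Kerberos login exists, credentials start empty.
        Map<String, String> creds = new HashMap<>();
        addTokenIfMissing(creds, ts, true);

        // Container: credentials inherited via the launch context, no Kerberos login.
        Map<String, String> inContainer = new HashMap<>(creds);
        try {
            addTokenAlwaysFetch(inContainer, ts, false);
        } catch (SecurityException e) {
            System.out.println("always-fetch in container: " + e.getMessage());
        }
        int before = ts.requests;
        addTokenIfMissing(inContainer, ts, false);
        System.out.println("check-first in container: extra requests = " + (ts.requests - before));
    }
}
```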
