Zhijie Shen updated YARN-2798:
    Attachment: YARN-2798.1.patch

Created patch to remove the translation logic from the client, and at the 
client side we just need to ensure _HOST is going to be mapped to the right 
timeline server. Add the test cases to verify the responsibility at both the 
client and server-side DT creating.

Please note that to make this work, core-site.xml and yarn-site.xml that are 
presented to the timeline server should have proper auth_to_local and rm 
principal configurations.

> YarnClient doesn't need to translate Kerberos name of timeline DT renewer
> -------------------------------------------------------------------------
>                 Key: YARN-2798
>                 URL: https://issues.apache.org/jira/browse/YARN-2798
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: timelineserver
>            Reporter: Arpit Gupta
>            Assignee: Zhijie Shen
>            Priority: Blocker
>         Attachments: YARN-2798.1.patch
> Now YarnClient will automatically get a timeline DT when submitting an app in 
> a secure mode. It will try to parse the yarn-site.xml/core-site.xml to get 
> the RM daemon operating system user. However, the RM principal and 
> auth_to_local may not be properly presented to the client, and the client 
> cannot translate the principal to the daemon user properly. On the other 
> hand, AbstractDelegationTokenIdentifier will do this translation when create 
> the token. However, since the client has already translated the full 
> principal into a short user name (which may not be correct), the server can 
> no longer apply the translation any more, where RM principal and 
> auth_to_local are always correct.

This message was sent by Atlassian JIRA

Reply via email to