[ https://issues.apache.org/jira/browse/YARN-2798?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14194982#comment-14194982 ]
Zhijie Shen commented on YARN-2798: ----------------------------------- I don't have a quick setup for RM HA and secure cluster, but the mapping rule is applied every where in this cluster, I think it should work fine. > YarnClient doesn't need to translate Kerberos name of timeline DT renewer > ------------------------------------------------------------------------- > > Key: YARN-2798 > URL: https://issues.apache.org/jira/browse/YARN-2798 > Project: Hadoop YARN > Issue Type: Bug > Components: timelineserver > Reporter: Arpit Gupta > Assignee: Zhijie Shen > Priority: Blocker > Attachments: YARN-2798.1.patch, YARN-2798.2.patch > > > Now YarnClient will automatically get a timeline DT when submitting an app in > a secure mode. It will try to parse the yarn-site.xml/core-site.xml to get > the RM daemon operating system user. However, the RM principal and > auth_to_local may not be properly presented to the client, and the client > cannot translate the principal to the daemon user properly. On the other > hand, AbstractDelegationTokenIdentifier will do this translation when create > the token. However, since the client has already translated the full > principal into a short user name (which may not be correct), the server can > no longer apply the translation any more, where RM principal and > auth_to_local are always correct. -- This message was sent by Atlassian JIRA (v6.3.4#6332)