Sevada Abraamyan created YARN-2892:

             Summary: Unable to get AMRMToken in unmanaged AM when using a 
secure cluster
                 Key: YARN-2892
             Project: Hadoop YARN
          Issue Type: Bug
          Components: resourcemanager
            Reporter: Sevada Abraamyan

An AMRMToken is retrieved from the ApplicationReport by the YarnClient. 
When the RM creates the ApplicationReport and sends it back to the client it 
makes a simple security check whether it should include the AMRMToken in the 
report (See createAndGetApplicationReport in RMAppImpl).This security check 
verifies that the user who submitted the original application is the same user 
who is requesting the ApplicationReport. If they are indeed the same user then 
it includes the AMRMToken, otherwise it does not include it.

The problem arises from the fact that when an application is submitted, the RM  
saves the short username of the user who created the application (See 
submitApplication in ClientRmService). Afterwards when the ApplicationReport is 
requested, the system tries to match the full username of the requester against 
the previously stored short username. 

In a secure cluster using Kerberos this check fails because the principle is 
stripped from the username when we request a short username. So for example the 
short username might be "Foo" whereas the full username is ""

Note: A very similar problem has been previously reported in the past in 

This message was sent by Atlassian JIRA

Reply via email to