Sevada Abraamyan created YARN-2892:
Summary: Unable to get AMRMToken in unmanaged AM when using a
Project: Hadoop YARN
Issue Type: Bug
Reporter: Sevada Abraamyan
An AMRMToken is retrieved from the ApplicationReport by the YarnClient.
When the RM creates the ApplicationReport and sends it back to the client it
makes a simple security check whether it should include the AMRMToken in the
report (See createAndGetApplicationReport in RMAppImpl).This security check
verifies that the user who submitted the original application is the same user
who is requesting the ApplicationReport. If they are indeed the same user then
it includes the AMRMToken, otherwise it does not include it.
The problem arises from the fact that when an application is submitted, the RM
saves the short username of the user who created the application (See
submitApplication in ClientRmService). Afterwards when the ApplicationReport is
requested, the system tries to match the full username of the requester against
the previously stored short username.
In a secure cluster using Kerberos this check fails because the principle is
stripped from the username when we request a short username. So for example the
short username might be "Foo" whereas the full username is "f...@company.com"
Note: A very similar problem has been previously reported in the past in
This message was sent by Atlassian JIRA