Yongjun Zhang commented on YARN-3021:

Thanks [~qwertymaniac] for reporting the issue and providing patch.

A bit more info:

In DelegationTokenRenewer.java
   if (!tokenList.isEmpty()) {
      // Renewing token and adding it to timer calls are separated purposefully
      // If user provides incorrect token then it should not be added for
      // renewal.
      for (DelegationTokenToRenew dtr : tokenList) {
      for (DelegationTokenToRenew dtr : tokenList) {
        if (LOG.isDebugEnabled()) {
          LOG.debug("Registering token for renewal for:" + " service = "
              + dtr.token.getService() + " for appId = " + dtr.applicationId);
It seems that YARN tries to fix an issue of MR1: instead of not checking the 
token when scheduling the job (MR1), YARN tries to do it based on the comment 
in the above code.

I posted a question to MAPREDUCE-2764 to see if there is way to control YARN, 
so YARN doesn't renew the token and let the client to do the renewal. Not sure 
whether it's feasible yet.



and the one after.


> YARN's delegation-token handling disallows certain trust setups to operate 
> properly
> -----------------------------------------------------------------------------------
>                 Key: YARN-3021
>                 URL: https://issues.apache.org/jira/browse/YARN-3021
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.3.0
>            Reporter: Harsh J
>         Attachments: YARN-3021.patch
> Consider this scenario of 3 realms: A, B and COMMON, where A trusts COMMON, 
> and B trusts COMMON (one way trusts both), and both A and B run HDFS + YARN 
> clusters.
> Now if one logs in with a COMMON credential, and runs a job on A's YARN that 
> needs to access B's HDFS (such as a DistCp), the operation fails in the RM, 
> as it attempts a renewDelegationToken(…) synchronously during application 
> submission (to validate the managed token before it adds it to a scheduler 
> for automatic renewal). The call obviously fails cause B realm will not trust 
> A's credentials (here, the RM's principal is the renewer).
> In the 1.x JobTracker the same call is present, but it is done asynchronously 
> and once the renewal attempt failed we simply ceased to schedule any further 
> attempts of renewals, rather than fail the job immediately.
> We should change the logic such that we attempt the renewal but go easy on 
> the failure and skip the scheduling alone, rather than bubble back an error 
> to the client, failing the app submission. This way the old behaviour is 
> retained.

This message was sent by Atlassian JIRA

Reply via email to