[
https://issues.apache.org/jira/browse/YARN-3021?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14276438#comment-14276438
]
Yongjun Zhang commented on YARN-3021:
-------------------------------------
Thanks a lot [~adhoot] and [~vinodkv]!
{quote}
Having said that, if RM cannot validate the token as valid why would the job
itself work? Would not the containers themselves face the same issue using the
tokens?
{quote}
Based on the scenario [~qwertymaniac] described in the jira description, the
token is from realm B, which can not be validated by realm A's YARN since A and
B doesn't trust each other. However, the token can be used by distcp job
running in realm A to access B's file (B is the distcp source).
For the scenario described in the jira, I think we are aligned that it would be
better to add an additional parameter at the time of job submission, so client
to can tell YARN explicitly that YARN should not try to renew the token.
What I wanted to clarify with my earlier question was, if we support this
scenario by having YARN not to validate the token, do we open any security
hole? Anyone could submit a job and ask YARN not to renew the token, right?
Thanks.
> YARN's delegation-token handling disallows certain trust setups to operate
> properly
> -----------------------------------------------------------------------------------
>
> Key: YARN-3021
> URL: https://issues.apache.org/jira/browse/YARN-3021
> Project: Hadoop YARN
> Issue Type: Bug
> Components: security
> Affects Versions: 2.3.0
> Reporter: Harsh J
> Attachments: YARN-3021.patch
>
>
> Consider this scenario of 3 realms: A, B and COMMON, where A trusts COMMON,
> and B trusts COMMON (one way trusts both), and both A and B run HDFS + YARN
> clusters.
> Now if one logs in with a COMMON credential, and runs a job on A's YARN that
> needs to access B's HDFS (such as a DistCp), the operation fails in the RM,
> as it attempts a renewDelegationToken(…) synchronously during application
> submission (to validate the managed token before it adds it to a scheduler
> for automatic renewal). The call obviously fails cause B realm will not trust
> A's credentials (here, the RM's principal is the renewer).
> In the 1.x JobTracker the same call is present, but it is done asynchronously
> and once the renewal attempt failed we simply ceased to schedule any further
> attempts of renewals, rather than fail the job immediately.
> We should change the logic such that we attempt the renewal but go easy on
> the failure and skip the scheduling alone, rather than bubble back an error
> to the client, failing the app submission. This way the old behaviour is
> retained.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
