Yongjun Zhang commented on YARN-3021:

Hi [~vinodkv] and [~jianhe],

Thank you so much for review and commenting!

I will try to respond to part of your comments here and keep looking into the 

RM can simply inspect the incoming renewer specified in the token and skip 
renewing those tokens if the renewer doesn't match it's own address. This way, 
we don't need an explicit API in the submission context.
Seems regardless of this jira, we could have do the above change, right? any 

Apologies for going back and forth on this one.
I appreciate the insight you provided, and we are trying to figure out the best 
solution together. All the points you provided are reasonable, so absolutely no 
need for apologies here.

Irrespective of how we decide to skip tokens, the way the patch is skipping 
renewal will not work. In secure mode, DelegationTokenRenewer drives the app 
state machine. So if you skip adding the app itself to DTR, the app will be 
I did test in a secure env and it worked. Would you please elaborate?

I think in this case, the renewer specified in the token is the same as the RM. 
IIUC, the JobClient will request the token from B cluster, but still specify 
the renewer as the A cluster RM (via the A cluster local config), am I right?
I think that's the case. The problem is that there is no trust between A and B. 
So "common" should be the one to renew the token.


> YARN's delegation-token handling disallows certain trust setups to operate 
> properly
> -----------------------------------------------------------------------------------
>                 Key: YARN-3021
>                 URL: https://issues.apache.org/jira/browse/YARN-3021
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.3.0
>            Reporter: Harsh J
>         Attachments: YARN-3021.001.patch, YARN-3021.002.patch, 
> YARN-3021.003.patch, YARN-3021.patch
> Consider this scenario of 3 realms: A, B and COMMON, where A trusts COMMON, 
> and B trusts COMMON (one way trusts both), and both A and B run HDFS + YARN 
> clusters.
> Now if one logs in with a COMMON credential, and runs a job on A's YARN that 
> needs to access B's HDFS (such as a DistCp), the operation fails in the RM, 
> as it attempts a renewDelegationToken(…) synchronously during application 
> submission (to validate the managed token before it adds it to a scheduler 
> for automatic renewal). The call obviously fails cause B realm will not trust 
> A's credentials (here, the RM's principal is the renewer).
> In the 1.x JobTracker the same call is present, but it is done asynchronously 
> and once the renewal attempt failed we simply ceased to schedule any further 
> attempts of renewals, rather than fail the job immediately.
> We should change the logic such that we attempt the renewal but go easy on 
> the failure and skip the scheduling alone, rather than bubble back an error 
> to the client, failing the app submission. This way the old behaviour is 
> retained.

This message was sent by Atlassian JIRA

Reply via email to