Yongjun Zhang commented on YARN-3021:

Hi [~jianhe],

Thanks a lot for your comments.

I discussed with [~adhoot], below is what we thought:

we may choose to add a server-side config to not let application fail if 
renewal fails
The change is to let RM ignore token renewal failure, this means all 
applications will be impacted by this change since it's a server side config.  
What Harsh did in the initial patch is to ignore renewal failure in a hardcoded 
way.  What my earlier patch does is to skip renewing instead of ignore token 
renewal failure. 

We think skipping renewal seems better than ignoring renewal failure, because 
we are also talking about adding external renewer in the future, and these two 
changes will be compatible. Say, there might be renewal failure with external 
renewer, which we don't want to ignore.

2. API change in the current patch. It's an optional parameter, so it's 
compatible change. Consider it's also matching our future extension of 
introducing external renewer, it seems ok to have the API change.


Many thanks.

> YARN's delegation-token handling disallows certain trust setups to operate 
> properly over DistCp
> -----------------------------------------------------------------------------------------------
>                 Key: YARN-3021
>                 URL: https://issues.apache.org/jira/browse/YARN-3021
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.3.0
>            Reporter: Harsh J
>         Attachments: YARN-3021.001.patch, YARN-3021.002.patch, 
> YARN-3021.003.patch, YARN-3021.patch
> Consider this scenario of 3 realms: A, B and COMMON, where A trusts COMMON, 
> and B trusts COMMON (one way trusts both), and both A and B run HDFS + YARN 
> clusters.
> Now if one logs in with a COMMON credential, and runs a job on A's YARN that 
> needs to access B's HDFS (such as a DistCp), the operation fails in the RM, 
> as it attempts a renewDelegationToken(…) synchronously during application 
> submission (to validate the managed token before it adds it to a scheduler 
> for automatic renewal). The call obviously fails cause B realm will not trust 
> A's credentials (here, the RM's principal is the renewer).
> In the 1.x JobTracker the same call is present, but it is done asynchronously 
> and once the renewal attempt failed we simply ceased to schedule any further 
> attempts of renewals, rather than fail the job immediately.
> We should change the logic such that we attempt the renewal but go easy on 
> the failure and skip the scheduling alone, rather than bubble back an error 
> to the client, failing the app submission. This way the old behaviour is 
> retained.

This message was sent by Atlassian JIRA

Reply via email to