Jian He commented on YARN-3021:

bq. Consider it's also matching our future extension of introducing external 
If this API is needed in the future, we can definitely do as the current patch 
does. My only concern is not to add a user-facing API only used for short-term. 
 What I have in mind is that, in the long term we can 
1. Change MR client to set the correct renewer for a given token, either 
pointing to a central renewal service or RM itself.  Today JobClient is blindly 
setting the renewer of all tokens with the local RM config which is wrong in 
the first place.
2. RM checks if the token renewer is itself; Renew if it is, skip renewing 

Thinking more, how about this approach:
1. Change MR client to set null renewer for the token coming from a different 
cluster (meaning no renewer for this token which is true in real scenario). 
This is more or less equivalent to explicitly adding a flag to inform RM wether 
to renew as current patch does
2. RM implements the logic to only renew its own token. 

> YARN's delegation-token handling disallows certain trust setups to operate 
> properly over DistCp
> -----------------------------------------------------------------------------------------------
>                 Key: YARN-3021
>                 URL: https://issues.apache.org/jira/browse/YARN-3021
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.3.0
>            Reporter: Harsh J
>         Attachments: YARN-3021.001.patch, YARN-3021.002.patch, 
> YARN-3021.003.patch, YARN-3021.patch
> Consider this scenario of 3 realms: A, B and COMMON, where A trusts COMMON, 
> and B trusts COMMON (one way trusts both), and both A and B run HDFS + YARN 
> clusters.
> Now if one logs in with a COMMON credential, and runs a job on A's YARN that 
> needs to access B's HDFS (such as a DistCp), the operation fails in the RM, 
> as it attempts a renewDelegationToken(…) synchronously during application 
> submission (to validate the managed token before it adds it to a scheduler 
> for automatic renewal). The call obviously fails cause B realm will not trust 
> A's credentials (here, the RM's principal is the renewer).
> In the 1.x JobTracker the same call is present, but it is done asynchronously 
> and once the renewal attempt failed we simply ceased to schedule any further 
> attempts of renewals, rather than fail the job immediately.
> We should change the logic such that we attempt the renewal but go easy on 
> the failure and skip the scheduling alone, rather than bubble back an error 
> to the client, failing the app submission. This way the old behaviour is 
> retained.

This message was sent by Atlassian JIRA

Reply via email to