Yongjun Zhang commented on YARN-3021:

Many thanks Jian.

Change MR client to set null renewer for the token coming from a different 
In the special case that we are dealing with in this jira, cluster A and 
cluster B don't trust each other. However, in other scenarios, two clusters may 
trust each other. So we can't always set null renewer based on which cluster 
the token is from. 
Maybe we can combine our approaches, set null renewer for external cluster only 
{{-Dmapreduce.job.delegation.tokenrenewer.for.external.cluster=null}} is 
specified for a job?

Actually, YARN can also provide a constant string say "SKIP_RENEW_TOKEN", MR 
uses this string as the renewer for tokens it doesn't want to renew. RM detects 
if the renewer equals the constant string and skip renew if it is.
Maybe we can use string "null" for SKIP_RENEW_TOKEN? we need to document 
whatever string here as a special string so application don't use it for tokens 
that need to be renewed.

There is still chance of changing existing applications behavior for those who 
happen to set the renewer to our special string. So what about we still 
introduce {{yarn.resourcemanager.validate.tokenrenewer}} described in my last 
comment (enable renewer validation only when the config is true)?


> YARN's delegation-token handling disallows certain trust setups to operate 
> properly over DistCp
> -----------------------------------------------------------------------------------------------
>                 Key: YARN-3021
>                 URL: https://issues.apache.org/jira/browse/YARN-3021
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.3.0
>            Reporter: Harsh J
>         Attachments: YARN-3021.001.patch, YARN-3021.002.patch, 
> YARN-3021.003.patch, YARN-3021.patch
> Consider this scenario of 3 realms: A, B and COMMON, where A trusts COMMON, 
> and B trusts COMMON (one way trusts both), and both A and B run HDFS + YARN 
> clusters.
> Now if one logs in with a COMMON credential, and runs a job on A's YARN that 
> needs to access B's HDFS (such as a DistCp), the operation fails in the RM, 
> as it attempts a renewDelegationToken(…) synchronously during application 
> submission (to validate the managed token before it adds it to a scheduler 
> for automatic renewal). The call obviously fails cause B realm will not trust 
> A's credentials (here, the RM's principal is the renewer).
> In the 1.x JobTracker the same call is present, but it is done asynchronously 
> and once the renewal attempt failed we simply ceased to schedule any further 
> attempts of renewals, rather than fail the job immediately.
> We should change the logic such that we attempt the renewal but go easy on 
> the failure and skip the scheduling alone, rather than bubble back an error 
> to the client, failing the app submission. This way the old behaviour is 
> retained.

This message was sent by Atlassian JIRA

Reply via email to