[ https://issues.apache.org/jira/browse/YARN-3021?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14347026#comment-14347026 ]
Yongjun Zhang commented on YARN-3021:
-------------------------------------

Many thanks Jian.

{quote}
Change MR client to set null renewer for the token coming from a different cluster
{quote}

In the special case that we are dealing with in this jira, cluster A and cluster B don't trust each other. However, in other scenarios, two clusters may trust each other. So we can't always set a null renewer based on which cluster the token is from. Maybe we can combine our approaches: set a null renewer for the external cluster only when {{-Dmapreduce.job.delegation.tokenrenewer.for.external.cluster=null}} is specified for a job?

{quote}
Actually, YARN can also provide a constant string, say "SKIP_RENEW_TOKEN", and MR uses this string as the renewer for tokens it doesn't want to renew. RM detects whether the renewer equals the constant string and skips the renewal if it does.
{quote}

Maybe we can use the string "null" for SKIP_RENEW_TOKEN? We need to document whatever string is used here as a special string so applications don't use it for tokens that need to be renewed. There is still a chance of changing existing applications' behavior for those who happen to set the renewer to our special string. So what about still introducing {{yarn.resourcemanager.validate.tokenrenewer}} as described in my last comment (enable renewer validation only when the config is true)?

Thanks.

> YARN's delegation-token handling disallows certain trust setups to operate
> properly over DistCp
> -----------------------------------------------------------------------------------------------
>
> Key: YARN-3021
> URL: https://issues.apache.org/jira/browse/YARN-3021
> Project: Hadoop YARN
> Issue Type: Bug
> Components: security
> Affects Versions: 2.3.0
> Reporter: Harsh J
> Attachments: YARN-3021.001.patch, YARN-3021.002.patch, YARN-3021.003.patch, YARN-3021.patch
>
>
> Consider this scenario of 3 realms: A, B and COMMON, where A trusts COMMON, and B trusts COMMON (one way trusts both), and both A and B run HDFS + YARN clusters.
> Now if one logs in with a COMMON credential, and runs a job on A's YARN that needs to access B's HDFS (such as a DistCp), the operation fails in the RM, as it attempts a renewDelegationToken(…) synchronously during application submission (to validate the managed token before it adds it to a scheduler for automatic renewal). The call obviously fails because realm B will not trust A's credentials (here, the RM's principal is the renewer).
> In the 1.x JobTracker the same call is present, but it is done asynchronously, and once the renewal attempt failed we simply ceased to schedule any further renewal attempts, rather than failing the job immediately.
> We should change the logic such that we attempt the renewal but go easy on the failure and skip the scheduling alone, rather than bubble back an error to the client, failing the app submission. This way the old behaviour is retained.

-- This message was sent by Atlassian JIRA (v6.3.4#6332)
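As an added illustration (not YARN's actual DelegationTokenRenewer code and not from either commenter), the following Java sketch combines the two ideas discussed in the thread: an opt-in renewer check gated by the proposed yarn.resourcemanager.validate.tokenrenewer setting, and a synchronous renewal attempt whose failure only skips the renewal schedule instead of failing the application submission. The RenewalScheduler interface, the validateAndSchedule method and the choice of "null" as the special renewer value are assumptions; the Hadoop Token, TokenIdentifier and Configuration classes are real.

```java
import java.io.IOException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;
import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier;

/** Illustrative sketch only; names below are assumptions, not YARN's own API. */
public class TolerantTokenHandling {
  // Special renewer value discussed in the thread ("null" was one suggestion).
  static final String SKIP_RENEW_TOKEN = "null";
  // Proposed opt-in switch; default false keeps existing behaviour for old clients.
  static final String VALIDATE_RENEWER_KEY = "yarn.resourcemanager.validate.tokenrenewer";

  /** Hypothetical stand-in for the RM's automatic-renewal scheduler. */
  interface RenewalScheduler {
    void schedule(Token<?> token, long expiryTime);
  }

  /** Returns true if the token was scheduled for renewal, false if renewal was skipped. */
  static boolean validateAndSchedule(Token<?> token, Configuration conf,
                                     RenewalScheduler scheduler) throws IOException {
    if (conf.getBoolean(VALIDATE_RENEWER_KEY, false)) {
      TokenIdentifier id = token.decodeIdentifier();
      if (id instanceof AbstractDelegationTokenIdentifier) {
        AbstractDelegationTokenIdentifier dtId = (AbstractDelegationTokenIdentifier) id;
        String renewer = dtId.getRenewer() == null ? "" : dtId.getRenewer().toString();
        if (SKIP_RENEW_TOKEN.equals(renewer)) {
          // The client explicitly marked this token as not-to-be-renewed by the RM
          // (for example, a token from a cluster whose realm does not trust the RM).
          return false;
        }
      }
    }
    try {
      // Synchronous renewal as a validity check, as the RM does at submission time.
      long expiry = token.renew(conf);
      scheduler.schedule(token, expiry);
      return true;
    } catch (IOException e) {
      // Renewal failed (e.g. the remote realm rejects the RM principal as renewer):
      // record it and skip scheduling, but do not fail the application submission.
      System.err.println("Token renewal failed; not scheduling renewal: " + e);
      return false;
    } catch (InterruptedException e) {
      Thread.currentThread().interrupt();
      return false;
    }
  }
}
```

In this shape, a token the RM cannot renew is simply left out of the renewal schedule, so a job whose token is short-lived still runs while it is valid, which is the 1.x JobTracker behaviour the description asks to retain.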