Jonathan Eagles commented on YARN-3287:

[~zjshen], the cache ugi is to mach the usage of other clients such as 
dfsclient. In this case, there is a latent bug that is fixed that prevents 
makes you think that reusing a client in different doAs contexts is correct. 
However, the delegation token is only valid for the initial connection. The 
tests are modified to show this correct usage. Daryn mentioned the realUgi != 
null can be a better check since the PROXY word can be manipulated by some 
scenarios that will cause it to fail.

Patch is up and runs successfully on my box. I have reused the minikdc access 
the parameterized run to cut the test time down considerably.


> TimelineClient kerberos authentication failure uses wrong login context.
> ------------------------------------------------------------------------
>                 Key: YARN-3287
>                 URL: https://issues.apache.org/jira/browse/YARN-3287
>             Project: Hadoop YARN
>          Issue Type: Bug
>            Reporter: Jonathan Eagles
>            Assignee: Daryn Sharp
>         Attachments: YARN-3287.1.patch, timeline.patch
> TimelineClientImpl:doPosting is not wrapped in a doAs, which can cause 
> failure for yarn clients to create timeline domains during job submission.

This message was sent by Atlassian JIRA

Reply via email to