Yongjun Zhang commented on YARN-3021:

Hi [~jianhe] and all,

I resumed working on this and found an obstacle here. 

See org.apache.hadoop.security.token.Token:

  private synchronized TokenRenewer getRenewer() throws IOException {
    if (renewer != null) {
      return renewer;
    }
    // Fall back to the trivial renewer unless a registered one handles this kind.
    renewer = TRIVIAL_RENEWER;
    synchronized (renewers) {
      for (TokenRenewer canidate : renewers) {
        if (canidate.handleKind(this.kind)) {
          renewer = canidate;
          return renewer;
        }
      }
    }
    LOG.warn("No TokenRenewer defined for token kind " + this.kind);
    return renewer;
  }

  public boolean isManaged() throws IOException {
    return getRenewer().isManaged(this);
  }

  public long renew(Configuration conf
                    ) throws IOException, InterruptedException {
    return getRenewer().renew(this, conf);
  }

  public void cancel(Configuration conf
                     ) throws IOException, InterruptedException {
    getRenewer().cancel(this, conf);
  }


We can see that {{getRenewer()}} does more work than simply returning the renewer. 
And a non-null renewer is currently guaranteed to be returned. The other methods 
(listed above, called at server side) count on this behavior.

If we set the renewer to null at client side and expect the server to pick it 
up, we need to do either

1. change the behaviour of {{getRenewer()}} to return whatever renewer set by 
2. or we change the token's {{kind}} to make {{getRenewer}} return null, 
which will be really hacky.

Making this kind of change seems to have a wider impact than expected, and 
things will likely be broken by this change.

Any thoughts?

Thanks a lot.

> YARN's delegation-token handling disallows certain trust setups to operate 
> properly over DistCp
> -----------------------------------------------------------------------------------------------
>                 Key: YARN-3021
>                 URL: https://issues.apache.org/jira/browse/YARN-3021
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.3.0
>            Reporter: Harsh J
>         Attachments: YARN-3021.001.patch, YARN-3021.002.patch, 
> YARN-3021.003.patch, YARN-3021.patch
> Consider this scenario of 3 realms: A, B and COMMON, where A trusts COMMON, 
> and B trusts COMMON (one way trusts both), and both A and B run HDFS + YARN 
> clusters.
> Now if one logs in with a COMMON credential, and runs a job on A's YARN that 
> needs to access B's HDFS (such as a DistCp), the operation fails in the RM, 
> as it attempts a renewDelegationToken(…) synchronously during application 
> submission (to validate the managed token before it adds it to a scheduler 
> for automatic renewal). The call obviously fails cause B realm will not trust 
> A's credentials (here, the RM's principal is the renewer).
> In the 1.x JobTracker the same call is present, but it is done asynchronously 
> and once the renewal attempt failed we simply ceased to schedule any further 
> attempts of renewals, rather than fail the job immediately.
> We should change the logic such that we attempt the renewal but go easy on 
> the failure and skip the scheduling alone, rather than bubble back an error 
> to the client, failing the app submission. This way the old behaviour is 
> retained.
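
The behaviour the issue description asks for (attempt the renewal at submission, and on failure skip only the renewal scheduling instead of rejecting the application), as an added example that is not code from Hadoop or from the patches attached to this issue. The class, interface and method names, the service names and the expiry value are hypothetical.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

// Simplified model (not Hadoop code) of submission-time token validation.
public class LenientTokenValidation {
  // Hypothetical stand-in for a delegation token and its renewal RPC.
  interface ManagedToken {
    String service();
    long renew() throws IOException;   // returns the next expiry time in ms
  }

  // Tokens that renewed successfully and will be renewed automatically.
  static final List<String> scheduled = new ArrayList<>();
  // Tokens accepted without scheduling because the renewal attempt failed.
  static final List<String> skipped = new ArrayList<>();

  // Requested behaviour: try the renewal, but do not fail submission on error.
  static void validateOnSubmit(List<ManagedToken> tokens) {
    for (ManagedToken t : tokens) {
      try {
        long expiry = t.renew();
        scheduled.add(t.service() + "@" + expiry);
      } catch (IOException e) {
        // Same outcome as the 1.x JobTracker: no further renewal attempts,
        // and the error is not returned to the submitting client.
        skipped.add(t.service());
      }
    }
  }

  // Builds a constructed token whose renewal succeeds only if the renewer is trusted.
  static ManagedToken token(String service, boolean renewerTrusted) {
    return new ManagedToken() {
      public String service() { return service; }
      public long renew() throws IOException {
        if (!renewerTrusted) throw new IOException("renewer not trusted by " + service);
        return 86_400_000L;              // constructed expiry value
      }
    };
  }

  public static void main(String[] args) {
    // Constructed input: realm A's HDFS trusts the RM principal, realm B's does not.
    validateOnSubmit(List.of(token("hdfs://nn-a", true), token("hdfs://nn-b", false)));
    System.out.println("scheduled=" + scheduled + " skipped=" + skipped);
  }
}
```

A token that lands in the skipped list is never renewed, so it lapses at its original expiry; recording the skip makes that later failure traceable.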
