[ 
https://issues.apache.org/jira/browse/YARN-3287?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14505910#comment-14505910
 ] 

Zhijie Shen commented on YARN-3287:
-----------------------------------

It breaks the timeline access control of distributed shell. In distributed 
shell AM:

{code}
    if (conf.getBoolean(YarnConfiguration.TIMELINE_SERVICE_ENABLED,
      YarnConfiguration.DEFAULT_TIMELINE_SERVICE_ENABLED)) {
      // Creating the Timeline Client
      timelineClient = TimelineClient.createTimelineClient();
      timelineClient.init(conf);
      timelineClient.start();
    } else {
      timelineClient = null;
      LOG.warn("Timeline service is not enabled");
    }
{code}

{code}
      ugi.doAs(new PrivilegedExceptionAction<TimelinePutResponse>() {
        @Override
        public TimelinePutResponse run() throws Exception {
          return timelineClient.putEntities(entity);
        }
      });
{code}

This Jira changes the timeline client to get the right ugi at serviceInit, but 
DS AM still doesn't use the submitter ugi to init the timeline client, but uses the ugi 
for each put entity call. It results in the wrong user of the put request.

> TimelineClient kerberos authentication failure uses wrong login context.
> ------------------------------------------------------------------------
>
>                 Key: YARN-3287
>                 URL: https://issues.apache.org/jira/browse/YARN-3287
>             Project: Hadoop YARN
>          Issue Type: Bug
>            Reporter: Jonathan Eagles
>            Assignee: Daryn Sharp
>             Fix For: 2.7.0
>
>         Attachments: YARN-3287.1.patch, YARN-3287.2.patch, YARN-3287.3.patch, 
> timeline.patch
>
>
> TimelineClientImpl:doPosting is not wrapped in a doAs, which can cause 
> failure for yarn clients to create timeline domains during job submission.
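
One way the AM side could bind the client to the submitter at init time, as an added example (not code from this comment or from the Hadoop code base). The class and method names are hypothetical, "alice" is a constructed user name, and the Hadoop YARN client libraries are assumed to be on the classpath.

```java
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.yarn.api.records.timeline.TimelineEntity;
import org.apache.hadoop.yarn.api.records.timeline.TimelinePutResponse;
import org.apache.hadoop.yarn.client.api.TimelineClient;
import org.apache.hadoop.yarn.conf.YarnConfiguration;

/** Hypothetical helper, not part of Hadoop: ties a TimelineClient to the submitter's UGI. */
public class SubmitterTimelineClient {
  /** Creates, inits and starts the client inside submitterUgi.doAs(), so the UGI
   *  the client picks up at serviceInit is the submitter's, not the AM's own. */
  static TimelineClient startAs(UserGroupInformation submitterUgi,
      final Configuration conf) throws Exception {
    if (!conf.getBoolean(YarnConfiguration.TIMELINE_SERVICE_ENABLED,
        YarnConfiguration.DEFAULT_TIMELINE_SERVICE_ENABLED)) {
      return null; // timeline service disabled: nothing to bind
    }
    return submitterUgi.doAs(new PrivilegedExceptionAction<TimelineClient>() {
      @Override
      public TimelineClient run() throws Exception {
        TimelineClient client = TimelineClient.createTimelineClient();
        client.init(conf); // init runs as the submitter
        client.start();
        return client;
      }
    });
  }
  /** Puts use the same UGI, so the init-time and call-time users agree. */
  static TimelinePutResponse putAs(UserGroupInformation submitterUgi,
      final TimelineClient client, final TimelineEntity entity) throws Exception {
    return submitterUgi.doAs(new PrivilegedExceptionAction<TimelinePutResponse>() {
      @Override
      public TimelinePutResponse run() throws Exception {
        return client.putEntities(entity);
      }
    });
  }
  public static void main(String[] args) throws Exception {
    Configuration conf = new YarnConfiguration();
    conf.setBoolean(YarnConfiguration.TIMELINE_SERVICE_ENABLED, true);
    // "alice" is constructed; a real AM also adds its credentials to this UGI.
    UserGroupInformation submitter = UserGroupInformation.createRemoteUser("alice");
    TimelineClient client = startAs(submitter, conf);
    System.out.println("timeline client started for " + submitter.getUserName());
    client.stop();
  }
}
```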


