Zhijie Shen commented on YARN-3725:

I'm proposing to do the following:

1. Short term fix for 2.7.1: Check if service address in timeline DT is empty 
or not. If empty, we fall back to use the configured service address. It will 
make app submission via REST API work in secure mode without additional DT 
process work unless users really want to renew the DT from somewhere other than 
the configured address. It shouldn't be common as we usually only set up one 
timeline server per YARN cluster.

2. Long term fix: we can do something similar to HDFS-6904. Let the client 
pass in the service address, and set token's service address at server side 
before serializing it into a string. And this problem is not just limited to 
ATS. RM REST API doesn't set the service address for RM DT too. It's better to 
seek a common solution. For example, we can fix 
DelegationTokenAuthenticationHandler to make all use cases of Hadoop HTTP auth 
component set the service addr properly. One step further, even RPC protocol 
may have a similar problem. For example, if we work with 
ApplicationClientProtocol directly, we should get an RM DT without service 
address (correct me if I'm wrong).


> App submission via REST API is broken in secure mode due to Timeline DT 
> service address is empty
> ------------------------------------------------------------------------------------------------
>                 Key: YARN-3725
>                 URL: https://issues.apache.org/jira/browse/YARN-3725
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: resourcemanager, timelineserver
>    Affects Versions: 2.7.0
>            Reporter: Zhijie Shen
>            Assignee: Zhijie Shen
>            Priority: Blocker
> YARN-2971 changes TimelineClient to use the service address from Timeline DT 
> to renew the DT instead of configured address. This breaks the procedure of 
> submitting a YARN app via REST API in the secure mode.
> The problem is that service address is set by the client instead of the 
> server in Java code. REST API response is an encoded token String, such that 
> it's so inconvenient to deserialize it and set the service address and 
> serialize it again. 

This message was sent by Atlassian JIRA
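
An added example, not from the JIRA thread or the Hadoop code base: what a non-Java REST client has to do by hand to apply the fallback from item 1 to an encoded token string. It assumes the string is URL-safe base64 without padding over Hadoop's Token Writable layout (identifier, password, kind, service, each prefixed by a vint length); the sample token and the address `ats.example.com:8188` are constructed.

```python
import base64
import io

FIELDS = ("identifier", "password", "kind", "service")

def read_vint(buf):
    """Read a non-negative Hadoop WritableUtils vint used as a length prefix."""
    first = take(buf, 1)[0]
    if first <= 0x7F:                      # small values are stored in one byte
        return first
    nbytes = 0x90 - first                  # 0x8F -> 1 payload byte ... 0x88 -> 8
    if not 1 <= nbytes <= 8:
        raise ValueError("negative vint is not a valid length")
    return int.from_bytes(take(buf, nbytes), "big")

def write_vint(n):
    if n <= 0x7F:
        return bytes([n])
    nbytes = (n.bit_length() + 7) // 8
    return bytes([0x90 - nbytes]) + n.to_bytes(nbytes, "big")

def take(buf, n):
    data = buf.read(n)
    if len(data) != n:
        raise ValueError("truncated token")
    return data

def decode_token(url_string):
    # Restore the base64 padding that the URL-safe encoding drops.
    raw = base64.urlsafe_b64decode(url_string + "=" * (-len(url_string) % 4))
    buf = io.BytesIO(raw)
    return {name: take(buf, read_vint(buf)) for name in FIELDS}

def encode_token(tok):
    raw = b"".join(write_vint(len(tok[f])) + tok[f] for f in FIELDS)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def with_service_fallback(url_string, configured_addr):
    """Fill in the configured address only when the token's service is empty."""
    tok = decode_token(url_string)
    if not tok["service"]:
        # identifier and password are copied through untouched
        tok["service"] = configured_addr.encode("utf-8")
    return encode_token(tok)

# Constructed sample: a 200-byte identifier, dummy password, empty service.
SAMPLE = encode_token({"identifier": b"\x01" * 200, "password": b"\x02" * 20,
                       "kind": b"TIMELINE_DELEGATION_TOKEN", "service": b""})

if __name__ == "__main__":
    fixed = with_service_fallback(SAMPLE, "ats.example.com:8188")
    print(decode_token(fixed)["service"].decode())
```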