[ https://issues.apache.org/jira/browse/YARN-4629?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15123678#comment-15123678 ]
Steve Loughran commented on YARN-4629:
--------------------------------------
My variant
{code}
...
import static org.apache.hadoop.yarn.conf.YarnConfiguration.*;
....
public static String getRMPrincipal(Configuration conf) throws IOException {
  String principal = conf.get(RM_PRINCIPAL, "");
  String hostname;
  Preconditions.checkState(!principal.isEmpty(), "Not set: " + RM_PRINCIPAL);
  if (HAUtil.isHAEnabled(conf)) {
    // Work on a copy so the caller's configuration is not modified.
    YarnConfiguration yarnConf = new YarnConfiguration(conf);
    if (yarnConf.get(RM_HA_ID) == null) {
      // If RM_HA_ID is not configured, use the first of RM_HA_IDS.
      // Any valid RM HA ID should work.
      String[] rmIds = yarnConf.getStrings(RM_HA_IDS);
      Preconditions.checkState((rmIds != null) && (rmIds.length > 0),
          "Not set " + RM_HA_IDS);
      yarnConf.set(RM_HA_ID, rmIds[0]);
    }
    hostname = yarnConf.getSocketAddr(
        RM_ADDRESS,
        DEFAULT_RM_ADDRESS,
        DEFAULT_RM_PORT).getHostName();
  } else {
    hostname = conf.getSocketAddr(
        RM_ADDRESS,
        DEFAULT_RM_ADDRESS,
        DEFAULT_RM_PORT).getHostName();
  }
  // Expand _HOST in the configured principal using the RM's hostname.
  return SecurityUtil.getServerPrincipal(principal, hostname);
}
{code}
> Distributed shell breaks under strong security
> ----------------------------------------------
>
> Key: YARN-4629
> URL: https://issues.apache.org/jira/browse/YARN-4629
> Project: Hadoop YARN
> Issue Type: Bug
> Components: applications/distributed-shell, security
> Affects Versions: 2.7.1
> Environment: Secure cluster with the RM principal listed with a
> /_HOST entry to be expanded, most common with YARN HA enabled.
> Reporter: Daniel Templeton
> Assignee: Daniel Templeton
> Attachments: YARN-4629.001.patch, YARN-4629.002.patch
>
>
> If the auth_to_local is set to map requests from unknown hosts to nobody, the
> dist shell app fails. The reason is that the client doesn't translate the
> _HOST placeholder to the local hostname.
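The `_HOST` expansion this issue turns on, as an added standalone example that is not code from the comment, the attached patches, or Hadoop itself. `expand` is a simplified stand-in for the substitution that `SecurityUtil.getServerPrincipal` performs, `isUnexpanded` is a hypothetical pre-flight check, and the principal, realm and hostname are constructed sample values.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Locale;

/** Stand-in for _HOST expansion in Kerberos service principals; not Hadoop's code. */
public class HostPrincipalDemo {
    static final String HOST_PATTERN = "_HOST";

    /** Expands primary/_HOST@REALM with the given host; any other shape passes through. */
    static String expand(String principalConfig, String hostname)
            throws UnknownHostException {
        String[] parts = principalConfig.split("[/@]");
        if (parts.length != 3 || !parts[1].equals(HOST_PATTERN)) {
            return principalConfig;
        }
        String fqdn = hostname;
        // An unset or wildcard address falls back to the local host's name.
        if (fqdn == null || fqdn.isEmpty() || fqdn.equals("0.0.0.0")) {
            fqdn = InetAddress.getLocalHost().getCanonicalHostName();
        }
        // Kerberos instance names are compared case-sensitively, so normalise.
        return parts[0] + "/" + fqdn.toLowerCase(Locale.ROOT) + "@" + parts[2];
    }

    /** True if the instance component is still the literal placeholder. */
    static boolean isUnexpanded(String principal) {
        String[] parts = principal.split("[/@]");
        return parts.length == 3 && parts[1].equals(HOST_PATTERN);
    }

    public static void main(String[] args) throws Exception {
        String configured = "rm/_HOST@EXAMPLE.COM"; // constructed sample value
        String rmHost = "RM1.example.com";          // constructed sample value

        // What the client would pass on if it skipped the expansion.
        System.out.println(configured + " unexpanded=" + isUnexpanded(configured));

        // Expanded against the RM's host, as the method in the comment does.
        String expanded = expand(configured, rmHost);
        System.out.println(expanded + " unexpanded=" + isUnexpanded(expanded));

        // A principal with no instance component is returned unchanged.
        System.out.println(expand("yarn@EXAMPLE.COM", rmHost));
    }
}
```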