Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-13251

Authenticate with Kerberos credentials when renewing KMS delegation token

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.8.0
    • Fix Version/s: 2.8.0, 3.0.0-alpha1
    • Component/s: kms
    • Labels:
      None
    • Target Version/s:

      Description

      Turns out KMS delegation token renewal feature (HADOOP-13155) does not work well with client side impersonation.
      In a MR example, an end user (UGI:user) gets all kinds of DTs (with renewer=yarn), and pass them to Yarn. Yarn's resource manager (UGI:yarn) then renews these DTs as long as the MR jobs are running. But currently, the token is used at the kms server side to decide the renewer, in which case is always the token's owner. This ends up rejecting the renew request due to renewer mismatch.

        Attachments

        1. HADOOP-13251.10.patch
          19 kB
          Xiao Chen
        2. HADOOP-13251.09.patch
          16 kB
          Xiao Chen
        3. HADOOP-13251.08.patch
          17 kB
          Xiao Chen
        4. HADOOP-13251.08.patch
          17 kB
          Xiao Chen
        5. HADOOP-13251.07.patch
          17 kB
          Xiao Chen
        6. HADOOP-13251.06.patch
          17 kB
          Xiao Chen
        7. HADOOP-13251.05.patch
          16 kB
          Xiao Chen
        8. HADOOP-13251.04.patch
          15 kB
          Xiao Chen
        9. HADOOP-13251.03.patch
          15 kB
          Xiao Chen
        10. HADOOP-13251.02.patch
          15 kB
          Xiao Chen
        11. HADOOP-13251.01.patch
          15 kB
          Xiao Chen
        12. HADOOP-13251.innocent.patch
          0.8 kB
          Xiao Chen

          Issue Links

            Activity

              People

              • Assignee:
                xiaochen Xiao Chen
                Reporter:
                xiaochen Xiao Chen
              • Votes:
                0 Vote for this issue
                Watchers:
                8 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: