There are a couple of aspects of the SecureStoreUpdater mechanism that should be improved:
- When using YarnUtils.addDelegationTokens() to refresh delegation tokens for an application, the calling code must provide a new Credentials instance to ensure that new tokens are fetched for HDFS and the YARN RM. If a token already exists in the given Credentials that matches the derived service name, a new token will not be requested. We should at least clearly document this behavior, and possibly refactor the API so that a Credentials instance does not need to be provided, and so that new tokens are obtained by default.
- When multiple SecureStoreUpdater instances are in use, all credentials are written to the same file in HDFS, so it appears possible for each updater to overwrite the currently saved credentials. From testing, this does seem to happen, even though YarnTwillRunnerService.updateCredentials() has code to read in the existing credentials file and merge the provided credentials into it. More testing and debugging is needed to determine whether this is due to a race condition or another bug in the code.
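As an added illustration of the first point (not code from the Twill project), the call pattern that keeps stale tokens beside the one that forces a fresh fetch. It assumes the YarnUtils.addDelegationTokens(Configuration, LocationFactory, Credentials) signature and that the caller already holds the application's current Credentials:

```java
import java.io.IOException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.Credentials;
import org.apache.twill.filesystem.LocationFactory;
import org.apache.twill.internal.yarn.YarnUtils;

public final class TokenRefreshExample {

  // Pitfall: passing the Credentials that already hold the old tokens.
  // Hadoop's FileSystem.addDelegationTokens() skips any service whose
  // token is already present under the derived service name, so the
  // expiring HDFS/RM tokens are left untouched and never renewed.
  static Credentials refreshInPlace(Configuration conf, LocationFactory lf,
                                    Credentials current) throws IOException {
    YarnUtils.addDelegationTokens(conf, lf, current);   // no-op for known services
    return current;
  }

  // Correct pattern: request tokens into an empty Credentials so every
  // service is fetched anew, then overlay them on the existing set.
  static Credentials refreshFresh(Configuration conf, LocationFactory lf,
                                  Credentials current) throws IOException {
    Credentials fresh = new Credentials();
    YarnUtils.addDelegationTokens(conf, lf, fresh);     // always obtains new tokens
    Credentials merged = new Credentials(current);      // keep unrelated secrets
    // addAll overwrites tokens with the same alias; mergeAll would keep the
    // stale ones, which is the wrong choice when the goal is renewal.
    merged.addAll(fresh);
    return merged;
  }
}
```

The merge direction matters for the second point as well: whichever Credentials object is written last must be the one that already contains the tokens read back from the shared file.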