[YARN-10339] Timeline Client in Nodemanager gets 403 errors when simple auth is used in kerberos environments - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 3.1.0
Fix Version/s: 3.4.0
Component/s: timelineclient
Labels:
None

Description

We get below errors in NodeManager logs whenever we set yarn.timeline-service.http-authentication.type=simple in a cluster which has kerberos enabled. There are use cases where simple auth is used only in timeline server for convenience although kerberos is enabled.

2020-05-20 20:06:30,181 ERROR impl.TimelineV2ClientImpl (TimelineV2ClientImpl.java:putObjects(321)) - Response from the timeline server is not successful, HTTP error code: 403, Server response:

{"exception":"ForbiddenException","message":"java.lang.Exception: The owner of the posted timeline entities is not set","javaClassName":"org.apache.hadoop.yarn.webapp.ForbiddenException"}

This seems to affect the NM timeline publisher which uses TimelineV2ClientImpl. Doing a simple auth directly to timeline service via curl works fine. So this issue is in the authenticator configuration in timeline client.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

YARN-10339.001.patch
06/Jul/20 12:43
12 kB
Tarun Parimi
YARN-10339.002.patch
07/Jul/20 07:54
20 kB
Tarun Parimi

Issue Links

breaks

YARN-10362 Javadoc for TimelineReaderAuthenticationFilterInitializer is broken

Resolved

causes

YARN-10816 Avoid doing delegation token ops when yarn.timeline-service.http-authentication.type=simple

Resolved

Activity

People

Assignee:: Tarun Parimi

Reporter:: Tarun Parimi

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 06/Jul/20 12:30

Updated:: 10/Jun/21 04:47

Resolved:: 16/Jul/20 18:15