Uploaded image for project: 'Hadoop YARN'
  1. Hadoop YARN
  2. YARN-2232

ClientRMService doesn't allow delegation token owner to cancel their own token in secure mode

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.5.0
    • Component/s: None
    • Labels:
      None
    • Target Version/s:
    • Hadoop Flags:
      Reviewed

      Description

      The ClientRMSerivce doesn't allow delegation token owners to cancel their own tokens. The root cause is this piece of code from the cancelDelegationToken function -

      String user = getRenewerForToken(token);
      ...
      
      private String getRenewerForToken(Token<RMDelegationTokenIdentifier> token) throws IOException {
        UserGroupInformation user = UserGroupInformation.getCurrentUser();
        UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
        // we can always renew our own tokens
        return loginUser.getUserName().equals(user.getUserName())
            ? token.decodeIdentifier().getRenewer().toString()
            : user.getShortUserName();
      }
      

      It ends up passing the user short name to the cancelToken function whereas AbstractDelegationTokenSecretManager::cancelToken expects the full user name. This bug occurs in secure mode and is not an issue with simple auth.

        Attachments

        1. apache-yarn-2232.0.patch
          6 kB
          Varun Vasudev
        2. apache-yarn-2232.1.patch
          6 kB
          Varun Vasudev
        3. apache-yarn-2232.2.patch
          10 kB
          Varun Vasudev

          Issue Links

            Activity

              People

              • Assignee:
                vvasudev Varun Vasudev
                Reporter:
                vvasudev Varun Vasudev
              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: