Uploaded image for project: 'Hadoop YARN'
  1. Hadoop YARN
  2. YARN-2232

ClientRMService doesn't allow delegation token owner to cancel their own token in secure mode

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 2.5.0
    • None
    • None
    • Reviewed

    Description

      The ClientRMSerivce doesn't allow delegation token owners to cancel their own tokens. The root cause is this piece of code from the cancelDelegationToken function -

      String user = getRenewerForToken(token);
      ...
      
      private String getRenewerForToken(Token<RMDelegationTokenIdentifier> token) throws IOException {
        UserGroupInformation user = UserGroupInformation.getCurrentUser();
        UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
        // we can always renew our own tokens
        return loginUser.getUserName().equals(user.getUserName())
            ? token.decodeIdentifier().getRenewer().toString()
            : user.getShortUserName();
      }
      

      It ends up passing the user short name to the cancelToken function whereas AbstractDelegationTokenSecretManager::cancelToken expects the full user name. This bug occurs in secure mode and is not an issue with simple auth.

      Attachments

        1. apache-yarn-2232.2.patch
          10 kB
          Varun Vasudev
        2. apache-yarn-2232.1.patch
          6 kB
          Varun Vasudev
        3. apache-yarn-2232.0.patch
          6 kB
          Varun Vasudev

        Issue Links

          Activity

            People

              vvasudev Varun Vasudev
              vvasudev Varun Vasudev
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: