Uploaded image for project: 'Hadoop YARN'
  1. Hadoop YARN
  2. YARN-2232

ClientRMService doesn't allow delegation token owner to cancel their own token in secure mode

Log workAgile BoardRank to TopRank to BottomAttach filesAttach ScreenshotVotersWatch issueWatchersCreate sub-taskConvert to sub-taskMoveLinkCloneLabelsUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.5.0
    • Component/s: None
    • Labels:
      None
    • Target Version/s:
    • Hadoop Flags:
      Reviewed

      Description

      The ClientRMSerivce doesn't allow delegation token owners to cancel their own tokens. The root cause is this piece of code from the cancelDelegationToken function -

      String user = getRenewerForToken(token);
      ...
      
      private String getRenewerForToken(Token<RMDelegationTokenIdentifier> token) throws IOException {
        UserGroupInformation user = UserGroupInformation.getCurrentUser();
        UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
        // we can always renew our own tokens
        return loginUser.getUserName().equals(user.getUserName())
            ? token.decodeIdentifier().getRenewer().toString()
            : user.getShortUserName();
      }
      

      It ends up passing the user short name to the cancelToken function whereas AbstractDelegationTokenSecretManager::cancelToken expects the full user name. This bug occurs in secure mode and is not an issue with simple auth.

        Attachments

        1. apache-yarn-2232.0.patch
          6 kB
          Varun Vasudev
        2. apache-yarn-2232.1.patch
          6 kB
          Varun Vasudev
        3. apache-yarn-2232.2.patch
          10 kB
          Varun Vasudev

        Issue Links

          Activity

          $i18n.getText('security.level.explanation', $currentSelection) Viewable by All Users
          Cancel

            People

            • Assignee:
              vvasudev Varun Vasudev Assign to me
              Reporter:
              vvasudev Varun Vasudev

              Dates

              • Created:
                Updated:
                Resolved:

                Issue deployment