[YARN-2232] ClientRMService doesn't allow delegation token owner to cancel their own token in secure mode - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 2.5.0
Component/s: None
Labels:
None

Target Version/s:

2.5.0
Hadoop Flags:

Reviewed

Description

The ClientRMSerivce doesn't allow delegation token owners to cancel their own tokens. The root cause is this piece of code from the cancelDelegationToken function -

String user = getRenewerForToken(token);
...

private String getRenewerForToken(Token<RMDelegationTokenIdentifier> token) throws IOException {
  UserGroupInformation user = UserGroupInformation.getCurrentUser();
  UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
  // we can always renew our own tokens
  return loginUser.getUserName().equals(user.getUserName())
      ? token.decodeIdentifier().getRenewer().toString()
      : user.getShortUserName();
}

It ends up passing the user short name to the cancelToken function whereas AbstractDelegationTokenSecretManager::cancelToken expects the full user name. This bug occurs in secure mode and is not an issue with simple auth.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

apache-yarn-2232.2.patch
01/Jul/14 06:07
10 kB
Varun Vasudev
apache-yarn-2232.1.patch
30/Jun/14 12:33
6 kB
Varun Vasudev
apache-yarn-2232.0.patch
30/Jun/14 11:53
6 kB
Varun Vasudev

Issue Links

blocks

YARN-2233 Implement web services to create, renew and cancel delegation tokens

Closed

Activity

People

Assignee:: Varun Vasudev

Reporter:: Varun Vasudev

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 30/Jun/14 11:51

Updated:: 15/Aug/14 05:44

Resolved:: 02/Jul/14 21:37