Uploaded image for project: 'Hadoop YARN'
  1. Hadoop YARN
  2. YARN-2798

YarnClient doesn't need to translate Kerberos name of timeline DT renewer

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.6.0
    • Component/s: timelineserver
    • Labels:
      None
    • Target Version/s:
    • Hadoop Flags:
      Reviewed

      Description

      Now YarnClient will automatically get a timeline DT when submitting an app in a secure mode. It will try to parse the yarn-site.xml/core-site.xml to get the RM daemon operating system user. However, the RM principal and auth_to_local may not be properly presented to the client, and the client cannot translate the principal to the daemon user properly. On the other hand, AbstractDelegationTokenIdentifier will do this translation when create the token. However, since the client has already translated the full principal into a short user name (which may not be correct), the server can no longer apply the translation any more, where RM principal and auth_to_local are always correct.

        Attachments

        1. YARN-2798.1.patch
          6 kB
          Zhijie Shen
        2. YARN-2798.2.patch
          7 kB
          Zhijie Shen

          Activity

            People

            • Assignee:
              zjshen Zhijie Shen
              Reporter:
              arpitgupta Arpit Gupta
            • Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: