  1. Hadoop YARN
  2. YARN-3725

App submission via REST API is broken in secure mode due to Timeline DT service address is empty

    Details

    • Hadoop Flags: Reviewed

      Description

      YARN-2971 changes TimelineClient to use the service address from Timeline DT to renew the DT instead of the configured address. This breaks the procedure of submitting a YARN app via REST API in the secure mode.

      The problem is that the service address is set by the client instead of the server in Java code. The REST API response is an encoded token string, so it is inconvenient to deserialize it, set the service address, and serialize it again.

      1. YARN-3725.1.patch
        6 kB
        Zhijie Shen
      2. YARN-3725-branch-2.6.1.txt
        7 kB
        Vinod Kumar Vavilapalli

        Issue Links

          Activity

          zjshen Zhijie Shen added a comment -

          I'm proposing to do the following:

          1. Short term fix for 2.7.1: Check if service address in timeline DT is empty or not. If empty, we fall back to use the configured service address. It will make app submission via REST API work in secure mode without additional DT process work unless users really want to renew the DT from somewhere other than the configured address. It shouldn't be common as we usually only set up one timeline server per YARN cluster.

          2. Long term fix: we can do something similar to HDFS-6904. Let the client pass in the service address, and set the token's service address at server side before serializing it into a string. And this problem is not just limited to ATS. RM REST API doesn't set the service address for RM DT either. It's better to seek a common solution. For example, we can fix DelegationTokenAuthenticationHandler to make all use cases of the hadoop http auth component set the service addr properly. One step further, even the RPC protocol may have a similar problem. For example, if we work with ApplicationClientProtocol directly, we should get an RM DT without service address (correct me if I'm wrong).

          Thoughts?
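
Added example, not part of the original thread or the committed patch: a REST client's view of the encoded token string from the description, with the empty-service fallback proposed in the comment above. It assumes the token layout is identifier, password, kind and service, each prefixed with a Hadoop Writable vint length, carried as unpadded URL-safe Base64; the function names, the addresses and the sample token are constructed for illustration.

```python
import base64
import io

FIELDS = ("identifier", "password", "kind", "service")


def _take(buf, n):
    data = buf.read(n)
    if len(data) != n:
        raise ValueError("truncated token string")
    return data


def _read_vint(buf):
    # Writable vint: a signed byte >= -112 is the value itself,
    # otherwise the byte says how many big-endian bytes follow.
    first = int.from_bytes(_take(buf, 1), "big", signed=True)
    if first >= -112:
        return first
    negative = first < -120
    nbytes = -(first + 120) if negative else -(first + 112)
    value = int.from_bytes(_take(buf, nbytes), "big")
    return ~value if negative else value


def _write_field(data):
    # Field lengths are never negative, so only that half of the encoding is needed.
    n = len(data)
    if n <= 127:
        return bytes([n]) + data
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([(-112 - len(body)) & 0xFF]) + body + data


def decode_token(url_string):
    raw = base64.urlsafe_b64decode(url_string + "=" * (-len(url_string) % 4))
    buf, token = io.BytesIO(raw), {}
    for name in FIELDS:
        length = _read_vint(buf)
        if length < 0:
            raise ValueError("negative length for " + name)
        token[name] = _take(buf, length)
    if buf.read(1):
        raise ValueError("trailing bytes after service field")
    return token


def encode_token(token):
    raw = b"".join(_write_field(token[name]) for name in FIELDS)
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def renewal_address(token, configured_address):
    # Short-term fix from the thread: empty service -> configured address.
    return token["service"].decode("utf-8") or configured_address


def set_service_if_empty(url_string, address):
    # The client-side round trip the description calls inconvenient.
    token = decode_token(url_string)
    if not token["service"]:
        token["service"] = address.encode("utf-8")
    return encode_token(token)


# Constructed sample: placeholder identifier/password bytes, empty service.
SAMPLE = encode_token({"identifier": b"\x01" * 200, "password": b"\x02" * 20,
                       "kind": b"TIMELINE_DELEGATION_TOKEN", "service": b""})
```
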

          zjshen Zhijie Shen added a comment -

          Put the patch of a short term fix for the regression on 2.7.

          hadoopqa Hadoop QA added a comment -



          +1 overall



          | Vote | Subsystem | Runtime | Comment |
          |---|---|---|---|
          | 0 | pre-patch | 14m 35s | Pre-patch trunk compilation is healthy. |
          | +1 | @author | 0m 0s | The patch does not contain any @author tags. |
          | +1 | tests included | 0m 0s | The patch appears to include 1 new or modified test files. |
          | +1 | javac | 7m 33s | There were no new javac warning messages. |
          | +1 | javadoc | 9m 37s | There were no new javadoc warning messages. |
          | +1 | release audit | 0m 22s | The applied patch does not increase the total number of release audit warnings. |
          | +1 | checkstyle | 1m 18s | There were no new checkstyle issues. |
          | +1 | whitespace | 0m 1s | The patch has no lines that end in whitespace. |
          | +1 | install | 1m 33s | mvn install still works. |
          | +1 | eclipse:eclipse | 0m 33s | The patch built with eclipse:eclipse. |
          | +1 | findbugs | 2m 13s | The patch does not introduce any new Findbugs (version 3.0.0) warnings. |
          | +1 | yarn tests | 1m 58s | Tests passed in hadoop-yarn-common. |
          | +1 | yarn tests | 3m 3s | Tests passed in hadoop-yarn-server-applicationhistoryservice. |
          | | | 42m 50s | |



          | Subsystem | Report/Notes |
          |---|---|
          | Patch URL | http://issues.apache.org/jira/secure/attachment/12735786/YARN-3725.1.patch |
          | Optional Tests | javadoc javac unit findbugs checkstyle |
          | git revision | trunk / 5450413 |
          | hadoop-yarn-common test log | https://builds.apache.org/job/PreCommit-YARN-Build/8110/artifact/patchprocess/testrun_hadoop-yarn-common.txt |
          | hadoop-yarn-server-applicationhistoryservice test log | https://builds.apache.org/job/PreCommit-YARN-Build/8110/artifact/patchprocess/testrun_hadoop-yarn-server-applicationhistoryservice.txt |
          | Test Results | https://builds.apache.org/job/PreCommit-YARN-Build/8110/testReport/ |
          | Java | 1.7.0_55 |
          | uname | Linux asf909.gq1.ygridcore.net 3.13.0-36-lowlatency #63-Ubuntu SMP PREEMPT Wed Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux |
          | Console output | https://builds.apache.org/job/PreCommit-YARN-Build/8110/console |

          This message was automatically generated.

          zjshen Zhijie Shen added a comment -

          Jonathan Eagles, would you please take a look at this jira?

          jianhe Jian He added a comment -

          lgtm, +1

          jeagles Jonathan Eagles added a comment -

          This short term approach seems fine with me as a workaround until a long term fix can be made.

          +1.

          leftnoteasy Wangda Tan added a comment -

          +1, committing..

          leftnoteasy Wangda Tan added a comment -

          Committed to trunk/branch-2/branch-2.7.
          Thanks Zhijie Shen and review from Jian He/Jonathan Eagles.

          hudson Hudson added a comment -

          FAILURE: Integrated in Hadoop-trunk-Commit #7938 (See https://builds.apache.org/job/Hadoop-trunk-Commit/7938/)
          YARN-3725. App submission via REST API is broken in secure mode due to Timeline DT service address is empty. (Zhijie Shen via wangda) (wangda: rev 5cc3fced957a8471733e0e9490878bd68429fe24)

          • hadoop-yarn-project/CHANGES.txt
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/security/TestTimelineAuthenticationFilter.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/client/api/impl/TimelineClientImpl.java
          hudson Hudson added a comment -

          FAILURE: Integrated in Hadoop-Yarn-trunk-Java8 #215 (See https://builds.apache.org/job/Hadoop-Yarn-trunk-Java8/215/)
          YARN-3725. App submission via REST API is broken in secure mode due to Timeline DT service address is empty. (Zhijie Shen via wangda) (wangda: rev 5cc3fced957a8471733e0e9490878bd68429fe24)

          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/security/TestTimelineAuthenticationFilter.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/client/api/impl/TimelineClientImpl.java
          • hadoop-yarn-project/CHANGES.txt
          hudson Hudson added a comment -

          FAILURE: Integrated in Hadoop-Yarn-trunk #945 (See https://builds.apache.org/job/Hadoop-Yarn-trunk/945/)
          YARN-3725. App submission via REST API is broken in secure mode due to Timeline DT service address is empty. (Zhijie Shen via wangda) (wangda: rev 5cc3fced957a8471733e0e9490878bd68429fe24)

          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/security/TestTimelineAuthenticationFilter.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/client/api/impl/TimelineClientImpl.java
          • hadoop-yarn-project/CHANGES.txt
          hudson Hudson added a comment -

          SUCCESS: Integrated in Hadoop-Hdfs-trunk #2143 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk/2143/)
          YARN-3725. App submission via REST API is broken in secure mode due to Timeline DT service address is empty. (Zhijie Shen via wangda) (wangda: rev 5cc3fced957a8471733e0e9490878bd68429fe24)

          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/client/api/impl/TimelineClientImpl.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/security/TestTimelineAuthenticationFilter.java
          • hadoop-yarn-project/CHANGES.txt
          hudson Hudson added a comment -

          SUCCESS: Integrated in Hadoop-Hdfs-trunk-Java8 #204 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk-Java8/204/)
          YARN-3725. App submission via REST API is broken in secure mode due to Timeline DT service address is empty. (Zhijie Shen via wangda) (wangda: rev 5cc3fced957a8471733e0e9490878bd68429fe24)

          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/security/TestTimelineAuthenticationFilter.java
          • hadoop-yarn-project/CHANGES.txt
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/client/api/impl/TimelineClientImpl.java
          hudson Hudson added a comment -

          SUCCESS: Integrated in Hadoop-Mapreduce-trunk-Java8 #213 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk-Java8/213/)
          YARN-3725. App submission via REST API is broken in secure mode due to Timeline DT service address is empty. (Zhijie Shen via wangda) (wangda: rev 5cc3fced957a8471733e0e9490878bd68429fe24)

          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/security/TestTimelineAuthenticationFilter.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/client/api/impl/TimelineClientImpl.java
          • hadoop-yarn-project/CHANGES.txt
          hudson Hudson added a comment -

          SUCCESS: Integrated in Hadoop-Mapreduce-trunk #2161 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk/2161/)
          YARN-3725. App submission via REST API is broken in secure mode due to Timeline DT service address is empty. (Zhijie Shen via wangda) (wangda: rev 5cc3fced957a8471733e0e9490878bd68429fe24)

          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/client/api/impl/TimelineClientImpl.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/security/TestTimelineAuthenticationFilter.java
          • hadoop-yarn-project/CHANGES.txt
          vinodkv Vinod Kumar Vavilapalli added a comment -

          Zhijie Shen, is there a JIRA for the longer term fix?

          zjshen Zhijie Shen added a comment -

          is there a JIRA for the longer term fix?

          Yeah, I've filed YARN-3761 previously.

          vinodkv Vinod Kumar Vavilapalli added a comment -

          Pulled this into 2.6.1 after fixing a few merge issues.

          Ran compilation and TestTimelineAuthenticationFilter before the push.

          vinodkv Vinod Kumar Vavilapalli added a comment -

          Attaching the 2.6.1 patch that I committed.


            People

            • Assignee:
              zjshen Zhijie Shen
              Reporter:
              zjshen Zhijie Shen