Uploaded image for project: 'Hadoop YARN'
  1. Hadoop YARN
  2. YARN-6602

Impersonation does not work if standby RM is contacted first

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 3.0.0-alpha4
    • Fix Version/s: 2.9.0, 3.0.0-alpha4
    • Component/s: client
    • Labels:
      None

      Description

      When RM HA is enabled, impersonation does not work correctly if the Yarn Client connects to the standby RM first. When this happens, the impersonation is "lost" and the client does things on behalf of the impersonator user. We saw this with the OOZIE-1770 Oozie on Yarn feature.

      I need to investigate this some more, but it appears to be related to delegation tokens. When this issue occurs, the tokens have the owner as "oozie" instead of the actual user. On a hunch, we found a workaround that explicitly adding a correct RM HA delegation token fixes the problem:

      org.apache.hadoop.yarn.api.records.Token token = yarnClient.getRMDelegationToken(ClientRMProxy.getRMDelegationTokenService(conf));
      org.apache.hadoop.security.token.Token token2 = new org.apache.hadoop.security.token.Token(token.getIdentifier().array(), token.getPassword().array(), new Text(token.getKind()), new Text(token.getService()));
      UserGroupInformation.getCurrentUser().addToken(token2);
      

        Attachments

        1. YARN-6602.001.patch
          14 kB
          Robert Kanter
        2. YARN-6602.002.patch
          14 kB
          Robert Kanter

          Activity

            People

            • Assignee:
              rkanter Robert Kanter
              Reporter:
              rkanter Robert Kanter
            • Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: