Uploaded image for project: 'Hadoop YARN'
  1. Hadoop YARN
  2. YARN-9510

Proxyuser access timeline and getdelegationtoken failed without Timeline server restart

    Details

    • Type: Improvement
    • Status: Patch Available
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.1.0
    • Fix Version/s: None
    • Component/s: timelineserver
    • Labels:
      None

      Description

      We add a proxyuser by changing "hadoop.proxyuser.xx.yy",if without restart timeline server.YARN job will fail and throws :

      Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: Authentication failed, URL: http://hostname:8188/ws/v1/timeline/?op=GETDELEGATIONTOKEN&doAs=alluxio&renewer=rm%2Fhc1%40XXF&user.name=ambari-qa, status: 403, message: Forbidden
      	at org.apache.hadoop.security.authentication.client.AuthenticatedURL.extractToken(AuthenticatedURL.java:401)
      	at org.apache.hadoop.security.authentication.client.PseudoAuthenticator.authenticate(PseudoAuthenticator.java:74)
      	at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.authenticate(DelegationTokenAuthenticator.java:147)
      	at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:213)
      

      Seems that proxyuser info in timeline server has not been refreshed.
      In production cluster, we sometimes add a new proxy user during runtime, and expect that impersonation takes effect after execute a command like "...refreshSuperUserGroupsConfiguration", without restart timeline.

        Attachments

          Activity

            People

            • Assignee:
              shenyinjie Shen Yinjie
              Reporter:
              shenyinjie Shen Yinjie
            • Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

              • Created:
                Updated: