[YARN-9510] Proxyuser access timeline and getdelegationtoken failed without Timeline server restart - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Patch Available
Priority: Major
Resolution: Unresolved
Affects Version/s: 3.1.0
Fix Version/s: None
Component/s: timelineserver
Labels:
None

Description

We add a proxyuser by changing "hadoop.proxyuser.xx.yy",if without restart timeline server.YARN job will fail and throws :

Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: Authentication failed, URL: http://hostname:8188/ws/v1/timeline/?op=GETDELEGATIONTOKEN&doAs=alluxio&renewer=rm%2Fhc1%40XXF&user.name=ambari-qa, status: 403, message: Forbidden
	at org.apache.hadoop.security.authentication.client.AuthenticatedURL.extractToken(AuthenticatedURL.java:401)
	at org.apache.hadoop.security.authentication.client.PseudoAuthenticator.authenticate(PseudoAuthenticator.java:74)
	at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.authenticate(DelegationTokenAuthenticator.java:147)
	at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:213)

Seems that proxyuser info in timeline server has not been refreshed.
In production cluster, we sometimes add a new proxy user during runtime, and expect that impersonation takes effect after execute a command like "...refreshSuperUserGroupsConfiguration", without restart timeline.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

YARN-9510_1.patch
30/Apr/19 01:42
17 kB
Shen Yinjie

Activity

People

Assignee:: Shen Yinjie

Reporter:: Shen Yinjie

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 25/Apr/19 08:32

Updated:: 30/Apr/19 03:56