diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceManager.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceManager.java index ad6477c..1358e00 100644 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceManager.java +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceManager.java @@ -21,6 +21,7 @@ import java.io.IOException; import java.io.InputStream; import java.net.InetSocketAddress; +import java.security.PrivilegedExceptionAction; import java.util.List; import java.util.concurrent.BlockingQueue; import java.util.concurrent.LinkedBlockingQueue; @@ -163,6 +164,8 @@ /** End of Active services */ private Configuration conf; + + private UserGroupInformation rmLoginUGI; public ResourceManager() { super("ResourceManager"); @@ -233,6 +236,8 @@ protected void serviceInit(Configuration conf) throws Exception { webAppAddress = WebAppUtils.getRMWebAppURLWithoutScheme(this.conf); + this.rmLoginUGI = UserGroupInformation.getCurrentUser(); + super.serviceInit(this.conf); } @@ -859,7 +864,18 @@ synchronized void transitionToActive() throws Exception { } LOG.info("Transitioning to active state"); - startActiveServices(); + + // use rmLoginUGI to startActiveServices. + // in non-secure model, rmLoginUGI will be current UGI + // in secure model, rmLoginUGI will be LoginUser UGI + this.rmLoginUGI.doAs(new PrivilegedExceptionAction() { + @Override + public Void run() throws Exception { + startActiveServices(); + return null; + } + }); + rmContext.setHAServiceState(HAServiceProtocol.HAServiceState.ACTIVE); LOG.info("Transitioned to active state"); } @@ -911,6 +927,11 @@ protected void doSecureLogin() throws IOException { InetSocketAddress socAddr = getBindAddress(conf); SecurityUtil.login(this.conf, YarnConfiguration.RM_KEYTAB, YarnConfiguration.RM_PRINCIPAL, socAddr.getHostName()); + + // if security is enable, set rmLoginUGI as UGI of loginUser + if (UserGroupInformation.isSecurityEnabled()) { + this.rmLoginUGI = UserGroupInformation.getLoginUser(); + } } @Override