diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/api/impl/YarnClientImpl.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/api/impl/YarnClientImpl.java
index 1193cb4..cd456de 100644
--- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/api/impl/YarnClientImpl.java
+++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/api/impl/YarnClientImpl.java
@@ -37,6 +37,7 @@
 import org.apache.hadoop.ipc.RPC;
 import org.apache.hadoop.security.Credentials;
 import org.apache.hadoop.security.HadoopKerberosName;
+import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.token.TokenIdentifier;
 import org.apache.hadoop.yarn.api.ApplicationClientProtocol;
@@ -124,6 +125,7 @@
 protected TimelineClient timelineClient;
 @VisibleForTesting
 Text timelineService;
+ private String timelineHost;
 protected boolean timelineServiceEnabled;
 private static final String ROOT = "root";
@@ -161,6 +163,7 @@ protected void serviceInit(Configuration conf) throws Exception {
 timelineServiceEnabled = true;
 timelineClient = TimelineClient.createTimelineClient();
 timelineClient.init(conf);
+ timelineHost = TimelineUtils.getTimelineTokenServiceAddress(conf).getHostName();
 timelineService = TimelineUtils.buildTimelineTokenService(conf);
 }
 super.serviceInit(conf);
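Review bot: The `_HOST` placeholder of the ResourceManager principal ends up expanded with the timeline server's host: serviceInit stores `TimelineUtils.getTimelineTokenServiceAddress(conf).getHostName()` in `timelineHost`, and the getTimelineDelegationTokenRenewer hunk later in this file passes that value to `SecurityUtil.getServerPrincipal(rmPrincipal, timelineHost)`. When the RM and the timeline server run on different hosts, the renewer principal names a host the RM does not run on; the mismatch stays hidden only while the server-side auth_to_local rules discard the host part, so renewal could fail or be mapped to another identity. Resolving `_HOST` against the RM's own address looks like the intended behaviour, e.g. `String rmHost = getConfig().getSocketAddr(YarnConfiguration.RM_ADDRESS, YarnConfiguration.DEFAULT_RM_ADDRESS, YarnConfiguration.DEFAULT_RM_PORT).getHostName();`, which would also make the new field unnecessary. serviceInit starts and ends outside the hunk.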
@@ -320,14 +323,20 @@ private void addTimelineDelegationToken(
 @VisibleForTesting
 org.apache.hadoop.security.token.Token getTimelineDelegationToken() throws IOException, YarnException {
+ return timelineClient.getDelegationToken(
+ getTimelineDelegationTokenRenewer());
+ }
+
+ @VisibleForTesting
+ String getTimelineDelegationTokenRenewer()
+ throws IOException, YarnException {
 // Parse the RM daemon user if it exists in the config
 String rmPrincipal = getConfig().get(YarnConfiguration.RM_PRINCIPAL);
 String renewer = null;
- if (rmPrincipal != null && rmPrincipal.length() > 0) {
- HadoopKerberosName renewerKrbName = new HadoopKerberosName(rmPrincipal);
- renewer = renewerKrbName.getShortName();
+ if (rmPrincipal != null) {
+ renewer = SecurityUtil.getServerPrincipal(rmPrincipal, timelineHost);
 }
- return timelineClient.getDelegationToken(renewer);
+ return renewer;
 }
 @Private
diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/test/java/org/apache/hadoop/yarn/client/api/impl/TestYarnClient.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/test/java/org/apache/hadoop/yarn/client/api/impl/TestYarnClient.java
index d7bea7a..1ed4151 100644
--- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/test/java/org/apache/hadoop/yarn/client/api/impl/TestYarnClient.java
+++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/test/java/org/apache/hadoop/yarn/client/api/impl/TestYarnClient.java
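Review bot: The rewritten guard `if (rmPrincipal != null)` in getTimelineDelegationTokenRenewer no longer rejects an empty `YarnConfiguration.RM_PRINCIPAL`, which the removed `rmPrincipal.length() > 0` check did. An empty value is now handed to `SecurityUtil.getServerPrincipal` and, unless that call rejects it, reaches `timelineClient.getDelegationToken` as an empty renewer instead of `null`. Keeping both conditions, `if (rmPrincipal != null && !rmPrincipal.isEmpty()) {`, preserves the earlier behaviour. The new method also lacks Javadoc; a short one should state that it returns the RM's full Kerberos principal with `_HOST` expanded, or `null` when no principal is configured, because the renewer handed to the timeline client changes here from a short name to a full principal.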
@@ -852,7 +852,26 @@ public boolean isSecurityEnabled() {
 client.stop();
 }
 }
-
+
+ @Test
+ public void testParseTimelineDelegationTokenRenewer() throws Exception {
+ // Client side
+ YarnClientImpl client = (YarnClientImpl) YarnClient.createYarnClient();
+ Configuration conf = new YarnConfiguration();
+ conf.setBoolean(YarnConfiguration.TIMELINE_SERVICE_ENABLED, true);
+ conf.set(YarnConfiguration.RM_PRINCIPAL, "rm/_HOST@EXAMPLE.COM");
+ conf.set(
+ YarnConfiguration.TIMELINE_SERVICE_WEBAPP_ADDRESS, "localhost:8188");
+ try {
+ client.init(conf);
+ client.start();
+ String renewer = client.getTimelineDelegationTokenRenewer();
+ Assert.assertEquals("rm/localhost@EXAMPLE.COM", renewer);
+ } finally {
+ client.stop();
+ }
+ }
+
 @Test
 public void testReservationAPIs() {
 // initialize
diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/security/TestYARNTokenIdentifier.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/security/TestYARNTokenIdentifier.java
index 2052c23..a299252 100644
--- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/security/TestYARNTokenIdentifier.java
+++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/security/TestYARNTokenIdentifier.java
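Review bot: testParseTimelineDelegationTokenRenewer covers only the `_HOST` expansion, so the other side of the `rmPrincipal != null` branch and a principal that already names a host are never asserted. A case with `RM_PRINCIPAL` unset or empty, and one with a fixed-host principal such as `rm/somehost@EXAMPLE.COM` (constructed example), would pin what the method returns there. The fixture also sets only `TIMELINE_SERVICE_WEBAPP_ADDRESS` and no RM address, so the expected `rm/localhost@EXAMPLE.COM` cannot show which service's host is meant to replace `_HOST`; giving the two services distinct hosts in the configuration would make that explicit.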
@@ -19,14 +19,18 @@
 import java.io.IOException;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
 import org.apache.hadoop.io.DataInputBuffer;
 import org.apache.hadoop.io.Text;
+import org.apache.hadoop.security.HadoopKerberosName;
 import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
 import org.apache.hadoop.yarn.api.records.ApplicationId;
 import org.apache.hadoop.yarn.api.records.ContainerId;
 import org.apache.hadoop.yarn.api.records.NodeId;
 import org.apache.hadoop.yarn.api.records.Priority;
 import org.apache.hadoop.yarn.api.records.Resource;
+import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.security.client.ClientToAMTokenIdentifier;
 import org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier;
 import org.apache.hadoop.yarn.security.client.TimelineDelegationTokenIdentifier;
@@ -299,4 +303,19 @@ public void testTimelineDelegationTokenIdentifier() throws IOException {
 anotherToken.getMasterKeyId(), masterKeyId);
 }
+ @Test
+ public void testParseTimelineDelegationTokenIdentifierRenewer() throws IOException {
+ // Server side when generation a timeline DT
+ Configuration conf = new YarnConfiguration();
+ conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTH_TO_LOCAL,
+ "RULE:[2:$1@$0]([nr]m@.*EXAMPLE.COM)s/.*/yarn/");
+ HadoopKerberosName.setConfiguration(conf);
+ Text owner = new Text("owner");
+ Text renewer = new Text("rm/localhost@EXAMPLE.COM");
+ Text realUser = new Text("realUser");
+ TimelineDelegationTokenIdentifier token =
+ new TimelineDelegationTokenIdentifier(owner, renewer, realUser);
+ Assert.assertEquals(new Text("yarn"), token.getRenewer());
+ }
+
 }
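Review bot: `HadoopKerberosName.setConfiguration(conf)` in testParseTimelineDelegationTokenIdentifierRenewer installs the custom auth_to_local rule through a static setter and the test never restores it. Assuming the rules are process-wide, as the static call suggests, later tests in the same JVM that resolve short names would still see `rm`/`nm` principals of EXAMPLE.COM mapped to `yarn`. Wrapping the body in `try { … } finally { HadoopKerberosName.setConfiguration(new YarnConfiguration()); }` would put the default rules back. The comment `// Server side when generation a timeline DT` should read `// Server side when generating a timeline DT`.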