diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/DelegationTokenRenewer.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/DelegationTokenRenewer.java index dfcceb8..7e7018f 100644 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/DelegationTokenRenewer.java +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/DelegationTokenRenewer.java @@ -52,6 +52,7 @@ import org.apache.hadoop.io.Text; import org.apache.hadoop.security.Credentials; import org.apache.hadoop.security.UserGroupInformation; +import org.apache.hadoop.security.token.SecretManager.InvalidToken; import org.apache.hadoop.security.token.Token; import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier; import org.apache.hadoop.service.AbstractService; @@ -433,17 +434,24 @@ private void handleAppSubmitEvent(DelegationTokenRenewerAppSubmitEvent evt) } if (!tokenList.isEmpty()) { - // Renewing token and adding it to timer calls are separated purposefully - // If user provides incorrect token then it should not be added for - // renewal. + // Renewing token and adding it to timer calls are separated + // purposefully to avoid scheduling invalid tokens. for (DelegationTokenToRenew dtr : tokenList) { try { + // If user provides incorrect token then it should not + // be added for renewal. renewToken(dtr); + } catch (InvalidToken ivte) { + // This exception is typically thrown for genuinely bad tokens + // such as cancelled ones, which we cannot run the job with, + // so fail out. + throw new IOException("Failed to renew token: " + dtr.token, ivte); } catch (IOException ioe) { - throw new IOException("Failed to renew token: " + dtr.token, ioe); + LOG.warn("Failed to renew token: " + dtr.token + + ". Skipping future renewal scheduling.", ioe); + continue; } - } - for (DelegationTokenToRenew dtr : tokenList) { + // Schedule token for future, automatic renewals appTokens.get(applicationId).add(dtr); allTokens.put(dtr.token, dtr); setTimerForTokenRenewal(dtr); diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestDelegationTokenRenewer.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestDelegationTokenRenewer.java index 5d31404..ae6ea8d 100644 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestDelegationTokenRenewer.java +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestDelegationTokenRenewer.java @@ -709,7 +709,7 @@ public void testDTRonAppSubmission() final Credentials credsx = new Credentials(); final Token tokenx = mock(Token.class); when(tokenx.getKind()).thenReturn(new Text("HDFS_DELEGATION_TOKEN")); - DelegationTokenIdentifier dtId1 = + DelegationTokenIdentifier dtId1 = new DelegationTokenIdentifier(new Text("user1"), new Text("renewer"), new Text("user1")); when(tokenx.decodeIdentifier()).thenReturn(dtId1); @@ -735,10 +735,10 @@ public void testDTRonAppSubmission() try { dtr.addApplicationSync(mock(ApplicationId.class), credsx, false, "user"); - fail("Catch IOException on app submission"); - } catch (IOException e){ - Assert.assertTrue(e.getMessage().contains(tokenx.toString())); - Assert.assertTrue(e.getCause().toString().contains("boom")); + Assert.assertEquals("Bad token shouldn't be added in for renewals", 0, dtr.getDelegationTokens().size()); + } catch (IOException e) { + fail("Submission should not fail over a non-renewable but valid token. " + + "IOE received: " + e); } }