diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ClientRMService.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ClientRMService.java index cce0fe5..02c6a5f 100644 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ClientRMService.java +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ClientRMService.java @@ -1100,7 +1100,7 @@ private boolean isAllowedDelegationTokenOp() throws IOException { .contains(UserGroupInformation.getCurrentUser() .getRealAuthenticationMethod()); } else { - return true; + return false; } } diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestClientRMService.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestClientRMService.java index 6a0b99c..6c1e2a9 100644 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestClientRMService.java +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestClientRMService.java @@ -746,6 +746,21 @@ public Void run() throws Exception { } @Test + public void testTokenNonSecureuser() throws Exception { + RMContext rmContext = mock(RMContext.class); + ClientRMService rmService = + new ClientRMService(rmContext, null, null, null, null, dtsm); + try { + rmService.getDelegationToken(null); + Assert.fail("Expecting IOException but its failing"); + } catch (Exception e) { + Assert.assertTrue(e.getMessage().contains( + "Delegation Token can be issued only with kerberos authentication")); + } + rmService.close(); + } + + @Test public void testTokenCancellationByWrongUser() { // two sets to test - // 1. try to cancel tokens of short and kerberos users as a kerberos UGI