I've noticed that if I add an auth_to_local rule that forces all 2-part principals that don't originate from one of my hosts to nobody, things break. Specifically, many non-MR YARN apps break. The reason MR doesn't break is that MR knows to replace the _HOST string in the RM_PRINCIPAL property's value with the local host name. Many YARN app authors don't realize they need to do that, probably because the canonical distributed shell app also fails to do it and hence fails in my cluster. Instead of trying to fix the rest of the world, including a ton of 3rd-party apps, I think it makes more sense to build that translation into the FileSystem.addDelegationTokens() method. I would like to make the following change in FileSystem.addDelegationTokens():

   @InterfaceAudience.LimitedPrivate({ "HDFS", "MapReduce" })
   public Token<?>[] addDelegationTokens(
       final String renewer, Credentials credentials) throws IOException {
     if (credentials == null) {
       credentials = new Credentials();
     }
     final List<Token<?>> tokens = new ArrayList<Token<?>>();
-     collectDelegationTokens(renewer, credentials, tokens);
+ collectDelegationTokens(SecurityUtil.getServerPrincipal(renewer, InetAddress.getLocalhost().getHostname()), credentials, tokens);
     return tokens.toArray(new Token<?>[tokens.size()]);
   }
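Review bot: the added line will not compile as written: the JDK methods are InetAddress.getLocalHost() and getHostName(), not getLocalhost()/getHostname(). Beyond the spelling, getHostName() can return the unqualified short name, while host-based Kerberos principals and a host-keyed auth_to_local rule expect the fully qualified name; SecurityUtil.getServerPrincipal already resolves the local canonical host name itself when its hostname argument is null or empty, so `SecurityUtil.getServerPrincipal(renewer, null)` (or passing the canonical name explicitly) is both shorter and more likely to produce a principal the rule accepts. Worth stating in the JIRA as well that the substituted host is the caller's, not the renewer service's, so the resulting renewer name satisfies a host-keyed rule but is only the RM's real principal when the client runs on the RM host.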

more or less. Obviously there's an exception and other details that need to be handled, but that's the main idea. Any comments on the change?

I thought I saw a JIRA that proposed doing something similar, but I can't find it now. If nobody cries foul or points me to prior art, I'll file a new JIRA and post a patch.

Thanks,
Daniel
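As an added illustration (not code from the message or from Hadoop itself), here is a Python model of the two mechanisms the message relies on: the _HOST substitution and auth_to_local rule evaluation in the style of Hadoop's KerberosName, run against a constructed rule set that sends 2-part principals from unknown hosts to nobody. The rules, realm and host names are assumptions.

```python
import re

# Hadoop auth_to_local rule syntax: RULE:[n:format](match)s/pattern/replacement/[g] or DEFAULT
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?")

def split_principal(principal):
    name, _, realm = principal.partition("@")   # 'rm/host@REALM' -> (['rm','host'], 'REALM')
    return name.split("/"), realm

def substitute_host(principal, hostname):
    # The _HOST replacement MR performs on RM_PRINCIPAL (SecurityUtil.getServerPrincipal):
    # only the host component of a 'service/_HOST@REALM' principal is rewritten.
    comps, realm = split_principal(principal)
    if len(comps) == 2 and comps[1] == "_HOST" and realm:
        comps[1] = hostname
    return "/".join(comps) + ("@" + realm if realm else "")

def to_local(rules, principal, default_realm):
    # Evaluate rules in order, as KerberosName.getShortName does; $0 is the realm, $1.. components.
    comps, realm = split_principal(principal)
    params = [realm] + comps
    for rule in rules:
        if rule == "DEFAULT":
            if realm == default_realm:
                return comps[0]
            continue
        n, fmt, match, pat, repl, g = RULE_RE.fullmatch(rule).groups()
        if int(n) != len(comps):
            continue
        base = re.sub(r"\$(\d)", lambda m: params[int(m.group(1))], fmt)
        if match and not re.fullmatch(match, base):
            continue
        if pat is not None:   # Java-style $1 back-references become Python \1
            base = re.sub(pat, re.sub(r"\$(\d)", r"\\\1", repl), base, count=0 if g else 1)
        if "/" in base or "@" in base:
            raise ValueError("rule produced a non-simple name: " + base)
        return base
    raise ValueError("no rule applied to " + principal)

# Constructed rules modelling the policy described in the message: a 2-part principal
# from a *.example.com host keeps its service name, any other 2-part principal becomes
# 'nobody', and 1-part user principals fall through to DEFAULT.
RULES = [
    r"RULE:[2:$1;$2@$0](^[^;]*;[a-z0-9.-]+\.example\.com@EXAMPLE\.COM$)s/;.*//",
    r"RULE:[2:$1@$0](.*)s/.*/nobody/",
    "DEFAULT",
]
```

With these rules, `to_local(RULES, "rm/_HOST@EXAMPLE.COM", "EXAMPLE.COM")` returns `nobody`, which is the breakage the message describes, while the same principal after `substitute_host(..., "rm1.example.com")` maps to `rm`.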
