Xiao Chen created HADOOP-13251:
----------------------------------
Summary: DelegationTokenAuthenticationHandler should detect actual
renewer when renew token
Key: HADOOP-13251
URL: https://issues.apache.org/jira/browse/HADOOP-13251
Project: Hadoop Common
Issue Type: Bug
Components: kms
Affects Versions: 2.8.0
Reporter: Xiao Chen
Assignee: Xiao Chen
Turns out KMS delegation token renewal feature (HADOOP-13155) does not work
well with client side impersonation.
In a MR example, an end user (UGI:user) gets all kinds of DTs (with
renewer=yarn), and pass them to Yarn. Yarn's resource manager (UGI:yarn) then
renews these DTs as long as the MR jobs are running. But currently, the token
is used at the kms server side to decide the renewer, in which case is always
the token's owner. This ends up rejecting the renew request due to renewer
mismatch.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-dev-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-dev-h...@hadoop.apache.org
