[ https://issues.apache.org/jira/browse/HADOOP-13251?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15352933#comment-15352933 ]
Allen Wittenauer commented on HADOOP-13251: ------------------------------------------- What happens when an AltKerberos implementation is used? Has that been tested? > Authenticate with Kerberos credentials when renewing KMS delegation token > ------------------------------------------------------------------------- > > Key: HADOOP-13251 > URL: https://issues.apache.org/jira/browse/HADOOP-13251 > Project: Hadoop Common > Issue Type: Bug > Components: kms > Affects Versions: 2.8.0 > Reporter: Xiao Chen > Assignee: Xiao Chen > Fix For: 2.8.0 > > Attachments: HADOOP-13251.01.patch, HADOOP-13251.02.patch, > HADOOP-13251.03.patch, HADOOP-13251.04.patch, HADOOP-13251.05.patch, > HADOOP-13251.06.patch, HADOOP-13251.07.patch, HADOOP-13251.08.patch, > HADOOP-13251.08.patch, HADOOP-13251.09.patch, HADOOP-13251.10.patch, > HADOOP-13251.innocent.patch > > > Turns out KMS delegation token renewal feature (HADOOP-13155) does not work > well with client side impersonation. > In a MR example, an end user (UGI:user) gets all kinds of DTs (with > renewer=yarn), and pass them to Yarn. Yarn's resource manager (UGI:yarn) then > renews these DTs as long as the MR jobs are running. But currently, the token > is used at the kms server side to decide the renewer, in which case is always > the token's owner. This ends up rejecting the renew request due to renewer > mismatch. -- This message was sent by Atlassian JIRA (v6.3.4#6332) --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org