[
https://issues.apache.org/jira/browse/OOZIE-3035?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16143527#comment-16143527
]
Andras Piros commented on OOZIE-3035:
-------------------------------------
Based on [~pbacsko]'s latest review comment:
{quote}I've taken a deeper look into {{submitLauncher()}}. It's a bit more
complicated than I thought.
There is a property called {{oozie.credentials.skip}}. If that's set to true,
then delegation tokens won't be fetched and no {{credPropertiesMap}} will be
created. But in that case, HDFS tokens cannot be added either.
I assume that regardless of the {{oozie.credentials.skip}} property, we always
have to add the HDFS token in a secure cluster to prevent lower-level issues
but we can ask Robert about that.{quote}
[~rkanter] [~gezapeti] what is your opinion about [*using the {{oozie.credentials.skip}} property*|https://oozie.apache.org/docs/4.3.0/DG_ActionAuthentication.html#Workflow_Changes]
in a secure environment? To me it also seems that we always have to acquire
the HDFS delegation token in a secure env.
> HDFS HA and log aggregation: getting HDFS delegation token from YARN renewer
> within JavaActionExecutor
> ------------------------------------------------------------------------------------------------------
>
> Key: OOZIE-3035
> URL: https://issues.apache.org/jira/browse/OOZIE-3035
> Project: Oozie
> Issue Type: Bug
> Affects Versions: 4.3.0
> Environment: * [*Hadoop 3 alpha 4*|https://github.com/apache/hadoop/tree/branch-3.0.0-alpha4]
> * [*HDFS HA*|https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-hdfs/HDFSHighAvailabilityWithNFS.html]
> * log aggregation turned on
> * log aggregation turned on
> Reporter: Andras Piros
> Assignee: Andras Piros
> Fix For: 5.0.0
>
> Attachments: OOZIE-3035.001.patch, OOZIE-3035.002.patch,
> OOZIE-3035.003.patch
>
>
> In a secure environment, when both HDFS HA and log aggregation are turned on,
> {{JavaActionExecutor}} is not able to call {{YarnClient#submitApplication}}
> since {{HDFS_DELEGATION_TOKEN}} is missing.
> In those cases we need to get {{HDFS_DELEGATION_TOKEN}} from YARN:
> * get server principal / YARN renewer via
> {{HadoopAccessorService#getServerPrincipal}}
> * get {{HDFS_DELEGATION_TOKEN}} via {{DFSClient#getDelegationToken}}
> * add {{HDFS_DELEGATION_TOKEN}} to {{Credentials}}
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
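The three steps listed in the issue description, written out as an added Java example (not code from the OOZIE-3035 patches or from Oozie itself). The class and method names are hypothetical, the YARN renewer is passed in as a string rather than read through {{HadoopAccessorService#getServerPrincipal}}, and the method is assumed to run as the submitting user; it does not consult {{oozie.credentials.skip}}, following the view in the comment that the HDFS token is needed on a secure cluster either way.

```java
import java.io.IOException;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.hdfs.DistributedFileSystem;
import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;

// Hypothetical helper class, named here for illustration only.
public final class HdfsTokenExample {

    /**
     * Adds an HDFS_DELEGATION_TOKEN to the launcher's Credentials.
     *
     * @param conf                configuration whose fs.defaultFS points at the (HA) nameservice
     * @param yarnRenewer         YARN server principal that may renew the token (assumed input)
     * @param launcherCredentials credentials that will be shipped with the YARN application
     * @return true if a token was added, false if none is needed (non-secure or non-HDFS)
     */
    static boolean addHdfsDelegationToken(Configuration conf, String yarnRenewer,
                                          Credentials launcherCredentials) throws IOException {
        // With simple authentication there are no delegation tokens to fetch.
        if (!UserGroupInformation.isSecurityEnabled()) {
            return false;
        }
        // A token without a renewer cannot be renewed by YARN, so fail early.
        if (yarnRenewer == null || yarnRenewer.isEmpty()) {
            throw new IOException("YARN renewer principal is not configured");
        }
        // FileSystem.get() returns a cached instance, so it is not closed here.
        FileSystem fs = FileSystem.get(conf);
        if (!(fs instanceof DistributedFileSystem)) {
            return false;
        }
        // Step 2 of the description: DFSClient#getDelegationToken with YARN as renewer.
        Token<DelegationTokenIdentifier> token =
                ((DistributedFileSystem) fs).getClient().getDelegationToken(new Text(yarnRenewer));
        if (token == null) {
            throw new IOException("NameNode returned no HDFS delegation token");
        }
        // Step 3: store the token under its service name so the launcher can find it.
        launcherCredentials.addToken(token.getService(), token);
        return true;
    }
}
```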