> On April 26, 2016, 7:33 p.m., Yi Pan (Data Infrastructure) wrote: > > docs/learn/documentation/versioned/yarn/yarn-security.md, line 34 > > <https://reviews.apache.org/r/46282/diff/2/?file=1347140#file1347140line34> > > > > Question: wouldn't the running container needs a HDFS delegation token > > to access secured HDFS to read the credential files as well? How is the > > initial HDFS delegation token passed to the container? Via launch context > > from RM? It would be good to add some explanation, or pointing to some > > online docs for general YARN APP launch sequence w/ Kerberos. > > Chen Song wrote: > Yes, that is my understanding. Each container, once initialized, will use > whatever HDFS delegation token passed in the launch context. However, once it > expires, the container won't get renewed or refreshed token from RM and that > is why we need to manage renewal of HDFS delegation tokens ourselves. Same > rule applies to AM too. Let me summarize this a bit, and provide some > detailed explanations once confirm from the Hadoop community.
I summarized what we understood on Yarn when running long lived applications and posted on hadoop user list. Hopefully, someone will clarify and confirm our understanding is correct. http://mail-archives.apache.org/mod_mbox/hadoop-hdfs-user/201605.mbox/%3ccagf+3ryx_nqohkqa1ot+jmvnanahonefs8dzgjq8lmy7ygg...@mail.gmail.com%3E - Chen ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/46282/#review130660 ----------------------------------------------------------- On April 15, 2016, 10:09 p.m., Chen Song wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/46282/ > ----------------------------------------------------------- > > (Updated April 15, 2016, 10:09 p.m.) > > > Review request for samza. > > > Repository: samza > > > Description > ------- > > SAMZA-928 document Kerberos on YARN > > > Diffs > ----- > > docs/learn/documentation/versioned/jobs/yarn-jobs.md 827cc14 > docs/learn/documentation/versioned/yarn/isolation.md 1eb3bf5 > docs/learn/documentation/versioned/yarn/yarn-security.md PRE-CREATION > > Diff: https://reviews.apache.org/r/46282/diff/ > > > Testing > ------- > > > Thanks, > > Chen Song > >