[
https://issues.apache.org/jira/browse/SLIDER-633?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14209808#comment-14209808
]
Jonathan Maron commented on SLIDER-633:
---------------------------------------
Still - it's unclear to me whether the merge of tokens is actually required to
be performed by Slider for these oozie/non-kerberos authenticated invocations.
To sum up the logic in the patch:
based on a flag (in this case the mapreduce token file flag, but appears that
it can be generalized to a boolean or authentication type check):
1) The code does not attempt to obtain the delegation tokens from the file
system (since there isn't a proper kerberos identity established)
2) The code then leverages the credentials (tokens) from the established login
user (apparently there is one established in an oozie invocation) for the
container launch context (rather than using the empty credentials - see point 1)
Indications are that this works for the scenario in question (any chance of
getting a test case we can use?), so I'm not clear on whether the TokenCache
merge is actually required...
> Slider should support invocation via Oozie
> ------------------------------------------
>
> Key: SLIDER-633
> URL: https://issues.apache.org/jira/browse/SLIDER-633
> Project: Slider
> Issue Type: Improvement
> Affects Versions: Slider 0.50
> Reporter: Lee Yang
> Attachments: fix_oozie_launch.patch
>
>
> In a secure Hadoop installation, when attempting to launch a slider
> application via an Oozie shell-action, I see the following exception:
> {noformat}
> Stdoutput org.apache.hadoop.ipc.RemoteException(java.io.IOException):
> Delegation Token can be issued only with kerberos or web authentication
> Stdoutput at
> org.apache.hadoop.hdfs.server.namenode.FSNamesystem.getDelegationToken(FSNamesystem.java:6757)
> Stdoutput at
> org.apache.hadoop.hdfs.server.namenode.NameNodeRpcServer.getDelegationToken(NameNodeRpcServer.java:499)
> Stdoutput at
> org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolServerSideTranslatorPB.getDelegationToken(ClientNamenodeProtocolServerSideTranslatorPB.java:921)
> Stdoutput at
> org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos$ClientNamenodeProtocol$2.callBlockingMethod(ClientNamenodeProtocolProtos.java)
> Stdoutput at
> org.apache.hadoop.ipc.ProtobufRpcEngine$Server$ProtoBufRpcInvoker.call(ProtobufRpcEngine.java:585)
> Stdoutput at org.apache.hadoop.ipc.RPC$Server.call(RPC.java:928)
> Stdoutput at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2013)
> Stdoutput at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2009)
> Stdoutput at java.security.AccessController.doPrivileged(Native Method)
> Stdoutput at javax.security.auth.Subject.doAs(Subject.java:415)
> Stdoutput at
> org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1637)
> Stdoutput at org.apache.hadoop.ipc.Server$Handler.run(Server.java:2007)
> Stdoutput
> Stdoutput at org.apache.hadoop.ipc.Client.call(Client.java:1411)
> Stdoutput at org.apache.hadoop.ipc.Client.call(Client.java:1364)
> Stdoutput at
> org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:206)
> Stdoutput at com.sun.proxy.$Proxy17.getDelegationToken(Unknown Source)
> Stdoutput at
> org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolTranslatorPB.getDelegationToken(ClientNamenodeProtocolTranslatorPB.java:864)
> Stdoutput at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> Stdoutput at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> Stdoutput at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> Stdoutput at java.lang.reflect.Method.invoke(Method.java:601)
> Stdoutput at
> org.apache.hadoop.io.retry.RetryInvocationHandler.invokeMethod(RetryInvocationHandler.java:187)
> Stdoutput at
> org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:102)
> Stdoutput at com.sun.proxy.$Proxy18.getDelegationToken(Unknown Source)
> Stdoutput at
> org.apache.hadoop.hdfs.DFSClient.getDelegationToken(DFSClient.java:947)
> Stdoutput at
> org.apache.hadoop.hdfs.DistributedFileSystem.getDelegationToken(DistributedFileSystem.java:1305)
> Stdoutput at
> org.apache.hadoop.fs.FileSystem.collectDelegationTokens(FileSystem.java:527)
> Stdoutput at
> org.apache.hadoop.fs.FileSystem.addDelegationTokens(FileSystem.java:505)
> Stdoutput at
> org.apache.slider.core.launch.AppMasterLauncher.addSecurityTokens(AppMasterLauncher.java:209)
> Stdoutput at
> org.apache.slider.core.launch.AppMasterLauncher.completeAppMasterLaunch(AppMasterLauncher.java:183)
> Stdoutput at
> org.apache.slider.core.launch.AppMasterLauncher.submitApplication(AppMasterLauncher.java:214)
> Stdoutput at
> org.apache.slider.client.SliderClient.launchApplication(SliderClient.java:1127)
> Stdoutput at
> org.apache.slider.client.SliderClient.startCluster(SliderClient.java:771)
> Stdoutput at
> org.apache.slider.client.SliderClient.actionCreate(SliderClient.java:515)
> Stdoutput at
> org.apache.slider.client.SliderClient.runService(SliderClient.java:295)
> Stdoutput at
> org.apache.slider.core.main.ServiceLauncher.launchService(ServiceLauncher.java:186)
> Stdoutput at
> org.apache.slider.core.main.ServiceLauncher.launchServiceRobustly(ServiceLauncher.java:471)
> Stdoutput at
> org.apache.slider.core.main.ServiceLauncher.launchServiceAndExit(ServiceLauncher.java:401)
> Stdoutput at
> org.apache.slider.core.main.ServiceLauncher.serviceMain(ServiceLauncher.java:626)
> Stdoutput at org.apache.slider.Slider.main(Slider.java:49)
> {noformat}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
