[jira] [Commented] (HADOOP-15390) Yarn RM logs flooded by DelegationTokenRenewer trying to renew KMS tokens
[ https://issues.apache.org/jira/browse/HADOOP-15390?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16466369#comment-16466369 ] Xiao Chen commented on HADOOP-15390: Just found out this was missing from branch-2, cherry-picked there. > Yarn RM logs flooded by DelegationTokenRenewer trying to renew KMS tokens > - > > Key: HADOOP-15390 > URL: https://issues.apache.org/jira/browse/HADOOP-15390 > Project: Hadoop Common > Issue Type: Bug >Affects Versions: 2.8.0 >Reporter: Xiao Chen >Assignee: Xiao Chen >Priority: Critical > Fix For: 2.10.0, 2.8.4, 3.2.0, 3.1.1, 2.9.2, 3.0.3 > > Attachments: HADOOP-15390.01.patch, HADOOP-15390.02.patch > > > When looking at a recent issue with [~rkanter] and [~yufeigu], we found that > the RM log in a cluster was flooded by KMS token renewal errors below: > {noformat} > $ tail -9 hadoop-cmf-yarn-RESOURCEMANAGER.log > 2018-04-11 11:34:09,367 WARN > org.apache.hadoop.crypto.key.kms.KMSClientProvider$KMSTokenRenewer: > keyProvider null cannot renew dt. > 2018-04-11 11:34:09,367 INFO > org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer: > Renewed delegation-token= [Kind: kms-dt, Service: KMSIP:16000, Ident: > (kms-dt owner=user, renewer=yarn, realUser=, issueDate=1522192283334, > maxDate=1522797083334, sequenceNumber=15108613, masterKeyId=2674);exp=0; > apps=[]], for [] > 2018-04-11 11:34:09,367 INFO > org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer: > Renew Kind: kms-dt, Service: KMSIP:16000, Ident: (kms-dt owner=user, > renewer=yarn, realUser=, issueDate=1522192283334, maxDate=1522797083334, > sequenceNumber=15108613, masterKeyId=2674);exp=0; apps=[] in -1523446449367 > ms, appId = [] > ... > 2018-04-11 11:34:09,367 WARN > org.apache.hadoop.crypto.key.kms.KMSClientProvider$KMSTokenRenewer: > keyProvider null cannot renew dt. > 2018-04-11 11:34:09,367 INFO > org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer: > Renewed delegation-token= [Kind: kms-dt, Service: KMSIP:16000, Ident: > (kms-dt owner=user, renewer=yarn, realUser=, issueDate=1522192283334, > maxDate=1522797083334, sequenceNumber=15108613, masterKeyId=2674);exp=0; > apps=[]], for [] > 2018-04-11 11:34:09,367 INFO > org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer: > Renew Kind: kms-dt, Service: KMSIP:16000, Ident: (kms-dt owner=user, > renewer=yarn, realUser=, issueDate=1522192283334, maxDate=1522797083334, > sequenceNumber=15108613, masterKeyId=2674);exp=0; apps=[] in -1523446449367 > ms, appId = [] > {noformat} > Further inspection shows the KMS IP is from another cluster. The RM is before > HADOOP-14445, so needs to read from config. The config rightfully doesn't > have the other cluster's KMS configured. > Although HADOOP-14445 will make this a non-issue by creating the provider > from token service, we should fix 2 things here: > - KMS token renewer should throw instead of return 0. Returning 0 when not > able to renew shall be considered a bug in the renewer. > - Yarn RM's {{DelegationTokenRenewer}} service should validate the return and > not go into this busy loop. -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-15390) Yarn RM logs flooded by DelegationTokenRenewer trying to renew KMS tokens
[ https://issues.apache.org/jira/browse/HADOOP-15390?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16449044#comment-16449044 ] Xiao Chen commented on HADOOP-15390: Thanks a lot Robert! Cherry-picked to branch-2.8 too. There were some trivial conflict in TestDelegationTokenRenewer because some tests were not in branch-2.8. Manually resolved it and {{mvn test}}'ed that class locally before pushing. > Yarn RM logs flooded by DelegationTokenRenewer trying to renew KMS tokens > - > > Key: HADOOP-15390 > URL: https://issues.apache.org/jira/browse/HADOOP-15390 > Project: Hadoop Common > Issue Type: Bug >Affects Versions: 2.8.0 >Reporter: Xiao Chen >Assignee: Xiao Chen >Priority: Critical > Fix For: 3.2.0, 3.1.1, 2.9.2, 3.0.3 > > Attachments: HADOOP-15390.01.patch, HADOOP-15390.02.patch > > > When looking at a recent issue with [~rkanter] and [~yufeigu], we found that > the RM log in a cluster was flooded by KMS token renewal errors below: > {noformat} > $ tail -9 hadoop-cmf-yarn-RESOURCEMANAGER.log > 2018-04-11 11:34:09,367 WARN > org.apache.hadoop.crypto.key.kms.KMSClientProvider$KMSTokenRenewer: > keyProvider null cannot renew dt. > 2018-04-11 11:34:09,367 INFO > org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer: > Renewed delegation-token= [Kind: kms-dt, Service: KMSIP:16000, Ident: > (kms-dt owner=user, renewer=yarn, realUser=, issueDate=1522192283334, > maxDate=1522797083334, sequenceNumber=15108613, masterKeyId=2674);exp=0; > apps=[]], for [] > 2018-04-11 11:34:09,367 INFO > org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer: > Renew Kind: kms-dt, Service: KMSIP:16000, Ident: (kms-dt owner=user, > renewer=yarn, realUser=, issueDate=1522192283334, maxDate=1522797083334, > sequenceNumber=15108613, masterKeyId=2674);exp=0; apps=[] in -1523446449367 > ms, appId = [] > ... > 2018-04-11 11:34:09,367 WARN > org.apache.hadoop.crypto.key.kms.KMSClientProvider$KMSTokenRenewer: > keyProvider null cannot renew dt. > 2018-04-11 11:34:09,367 INFO > org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer: > Renewed delegation-token= [Kind: kms-dt, Service: KMSIP:16000, Ident: > (kms-dt owner=user, renewer=yarn, realUser=, issueDate=1522192283334, > maxDate=1522797083334, sequenceNumber=15108613, masterKeyId=2674);exp=0; > apps=[]], for [] > 2018-04-11 11:34:09,367 INFO > org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer: > Renew Kind: kms-dt, Service: KMSIP:16000, Ident: (kms-dt owner=user, > renewer=yarn, realUser=, issueDate=1522192283334, maxDate=1522797083334, > sequenceNumber=15108613, masterKeyId=2674);exp=0; apps=[] in -1523446449367 > ms, appId = [] > {noformat} > Further inspection shows the KMS IP is from another cluster. The RM is before > HADOOP-14445, so needs to read from config. The config rightfully doesn't > have the other cluster's KMS configured. > Although HADOOP-14445 will make this a non-issue by creating the provider > from token service, we should fix 2 things here: > - KMS token renewer should throw instead of return 0. Returning 0 when not > able to renew shall be considered a bug in the renewer. > - Yarn RM's {{DelegationTokenRenewer}} service should validate the return and > not go into this busy loop. -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-15390) Yarn RM logs flooded by DelegationTokenRenewer trying to renew KMS tokens
[ https://issues.apache.org/jira/browse/HADOOP-15390?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16448989#comment-16448989 ] Hudson commented on HADOOP-15390: - FAILURE: Integrated in Jenkins build Hadoop-trunk-Commit #14051 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/14051/]) HADOOP-15390. Yarn RM logs flooded by DelegationTokenRenewer trying to (rkanter: rev 7ab08a9c37a76edbe02d556fcfb2e637f45afc21) * (edit) hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/DelegationTokenRenewer.java * (edit) hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSTokenRenewer.java * (edit) hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestDelegationTokenRenewer.java > Yarn RM logs flooded by DelegationTokenRenewer trying to renew KMS tokens > - > > Key: HADOOP-15390 > URL: https://issues.apache.org/jira/browse/HADOOP-15390 > Project: Hadoop Common > Issue Type: Bug >Affects Versions: 2.8.0 >Reporter: Xiao Chen >Assignee: Xiao Chen >Priority: Critical > Attachments: HADOOP-15390.01.patch, HADOOP-15390.02.patch > > > When looking at a recent issue with [~rkanter] and [~yufeigu], we found that > the RM log in a cluster was flooded by KMS token renewal errors below: > {noformat} > $ tail -9 hadoop-cmf-yarn-RESOURCEMANAGER.log > 2018-04-11 11:34:09,367 WARN > org.apache.hadoop.crypto.key.kms.KMSClientProvider$KMSTokenRenewer: > keyProvider null cannot renew dt. > 2018-04-11 11:34:09,367 INFO > org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer: > Renewed delegation-token= [Kind: kms-dt, Service: KMSIP:16000, Ident: > (kms-dt owner=user, renewer=yarn, realUser=, issueDate=1522192283334, > maxDate=1522797083334, sequenceNumber=15108613, masterKeyId=2674);exp=0; > apps=[]], for [] > 2018-04-11 11:34:09,367 INFO > org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer: > Renew Kind: kms-dt, Service: KMSIP:16000, Ident: (kms-dt owner=user, > renewer=yarn, realUser=, issueDate=1522192283334, maxDate=1522797083334, > sequenceNumber=15108613, masterKeyId=2674);exp=0; apps=[] in -1523446449367 > ms, appId = [] > ... > 2018-04-11 11:34:09,367 WARN > org.apache.hadoop.crypto.key.kms.KMSClientProvider$KMSTokenRenewer: > keyProvider null cannot renew dt. > 2018-04-11 11:34:09,367 INFO > org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer: > Renewed delegation-token= [Kind: kms-dt, Service: KMSIP:16000, Ident: > (kms-dt owner=user, renewer=yarn, realUser=, issueDate=1522192283334, > maxDate=1522797083334, sequenceNumber=15108613, masterKeyId=2674);exp=0; > apps=[]], for [] > 2018-04-11 11:34:09,367 INFO > org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer: > Renew Kind: kms-dt, Service: KMSIP:16000, Ident: (kms-dt owner=user, > renewer=yarn, realUser=, issueDate=1522192283334, maxDate=1522797083334, > sequenceNumber=15108613, masterKeyId=2674);exp=0; apps=[] in -1523446449367 > ms, appId = [] > {noformat} > Further inspection shows the KMS IP is from another cluster. The RM is before > HADOOP-14445, so needs to read from config. The config rightfully doesn't > have the other cluster's KMS configured. > Although HADOOP-14445 will make this a non-issue by creating the provider > from token service, we should fix 2 things here: > - KMS token renewer should throw instead of return 0. Returning 0 when not > able to renew shall be considered a bug in the renewer. > - Yarn RM's {{DelegationTokenRenewer}} service should validate the return and > not go into this busy loop. -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-15390) Yarn RM logs flooded by DelegationTokenRenewer trying to renew KMS tokens
[ https://issues.apache.org/jira/browse/HADOOP-15390?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16448945#comment-16448945 ] Robert Kanter commented on HADOOP-15390: +1 LGTM > Yarn RM logs flooded by DelegationTokenRenewer trying to renew KMS tokens > - > > Key: HADOOP-15390 > URL: https://issues.apache.org/jira/browse/HADOOP-15390 > Project: Hadoop Common > Issue Type: Bug >Affects Versions: 2.8.0 >Reporter: Xiao Chen >Assignee: Xiao Chen >Priority: Critical > Attachments: HADOOP-15390.01.patch, HADOOP-15390.02.patch > > > When looking at a recent issue with [~rkanter] and [~yufeigu], we found that > the RM log in a cluster was flooded by KMS token renewal errors below: > {noformat} > $ tail -9 hadoop-cmf-yarn-RESOURCEMANAGER.log > 2018-04-11 11:34:09,367 WARN > org.apache.hadoop.crypto.key.kms.KMSClientProvider$KMSTokenRenewer: > keyProvider null cannot renew dt. > 2018-04-11 11:34:09,367 INFO > org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer: > Renewed delegation-token= [Kind: kms-dt, Service: KMSIP:16000, Ident: > (kms-dt owner=user, renewer=yarn, realUser=, issueDate=1522192283334, > maxDate=1522797083334, sequenceNumber=15108613, masterKeyId=2674);exp=0; > apps=[]], for [] > 2018-04-11 11:34:09,367 INFO > org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer: > Renew Kind: kms-dt, Service: KMSIP:16000, Ident: (kms-dt owner=user, > renewer=yarn, realUser=, issueDate=1522192283334, maxDate=1522797083334, > sequenceNumber=15108613, masterKeyId=2674);exp=0; apps=[] in -1523446449367 > ms, appId = [] > ... > 2018-04-11 11:34:09,367 WARN > org.apache.hadoop.crypto.key.kms.KMSClientProvider$KMSTokenRenewer: > keyProvider null cannot renew dt. > 2018-04-11 11:34:09,367 INFO > org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer: > Renewed delegation-token= [Kind: kms-dt, Service: KMSIP:16000, Ident: > (kms-dt owner=user, renewer=yarn, realUser=, issueDate=1522192283334, > maxDate=1522797083334, sequenceNumber=15108613, masterKeyId=2674);exp=0; > apps=[]], for [] > 2018-04-11 11:34:09,367 INFO > org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer: > Renew Kind: kms-dt, Service: KMSIP:16000, Ident: (kms-dt owner=user, > renewer=yarn, realUser=, issueDate=1522192283334, maxDate=1522797083334, > sequenceNumber=15108613, masterKeyId=2674);exp=0; apps=[] in -1523446449367 > ms, appId = [] > {noformat} > Further inspection shows the KMS IP is from another cluster. The RM is before > HADOOP-14445, so needs to read from config. The config rightfully doesn't > have the other cluster's KMS configured. > Although HADOOP-14445 will make this a non-issue by creating the provider > from token service, we should fix 2 things here: > - KMS token renewer should throw instead of return 0. Returning 0 when not > able to renew shall be considered a bug in the renewer. > - Yarn RM's {{DelegationTokenRenewer}} service should validate the return and > not go into this busy loop. -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-15390) Yarn RM logs flooded by DelegationTokenRenewer trying to renew KMS tokens
[ https://issues.apache.org/jira/browse/HADOOP-15390?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16444943#comment-16444943 ] genericqa commented on HADOOP-15390: | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 16s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 1 new or modified test files. {color} | || || || || {color:brown} trunk Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 1m 40s{color} | {color:blue} Maven dependency ordering for branch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 26m 47s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 29m 28s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 3m 18s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 2m 17s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 16m 37s{color} | {color:green} branch has no errors when building and testing our client artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 3m 0s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 1m 30s{color} | {color:green} trunk passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 18s{color} | {color:blue} Maven dependency ordering for patch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 1m 33s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 30m 37s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 30m 37s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 3m 35s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 2m 30s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 11m 6s{color} | {color:green} patch has no errors when building and testing our client artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 3m 58s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 1m 41s{color} | {color:green} the patch passed {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 9m 40s{color} | {color:green} hadoop-common in the patch passed. {color} | | {color:red}-1{color} | {color:red} unit {color} | {color:red} 66m 7s{color} | {color:red} hadoop-yarn-server-resourcemanager in the patch failed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 38s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black}213m 47s{color} | {color:black} {color} | \\ \\ || Reason || Tests || | Failed junit tests | hadoop.yarn.server.resourcemanager.scheduler.capacity.TestIncreaseAllocationExpirer | \\ \\ || Subsystem || Report/Notes || | Docker | Client=17.05.0-ce Server=17.05.0-ce Image:yetus/hadoop:8620d2b | | JIRA Issue | HADOOP-15390 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12919702/HADOOP-15390.02.patch | | Optional Tests | asflicense compile javac javadoc mvninstall mvnsite unit shadedclient findbugs checkstyle | | uname | Linux 4f6f02c0089b 3.13.0-139-generic #188-Ubuntu SMP Tue Jan 9 14:43:09 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux | | Build tool | maven | | Personality | /testptch/patchprocess/precommit/personality/provided.sh | | git revision | trunk / 7d06806 | | maven | version: Apache Maven 3.3.9 | | Default Java | 1.8.0_162 | | findbugs | v3.1.0-RC1 | | un
[jira] [Commented] (HADOOP-15390) Yarn RM logs flooded by DelegationTokenRenewer trying to renew KMS tokens
[ https://issues.apache.org/jira/browse/HADOOP-15390?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16444663#comment-16444663 ] Xiao Chen commented on HADOOP-15390: Added links. mvninstall doesn't look related. Kicked a new run at https://builds.apache.org/job/PreCommit-HADOOP-Build/14505/ > Yarn RM logs flooded by DelegationTokenRenewer trying to renew KMS tokens > - > > Key: HADOOP-15390 > URL: https://issues.apache.org/jira/browse/HADOOP-15390 > Project: Hadoop Common > Issue Type: Bug >Affects Versions: 2.8.0 >Reporter: Xiao Chen >Assignee: Xiao Chen >Priority: Critical > Attachments: HADOOP-15390.01.patch, HADOOP-15390.02.patch > > > When looking at a recent issue with [~rkanter] and [~yufeigu], we found that > the RM log in a cluster was flooded by KMS token renewal errors below: > {noformat} > $ tail -9 hadoop-cmf-yarn-RESOURCEMANAGER.log > 2018-04-11 11:34:09,367 WARN > org.apache.hadoop.crypto.key.kms.KMSClientProvider$KMSTokenRenewer: > keyProvider null cannot renew dt. > 2018-04-11 11:34:09,367 INFO > org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer: > Renewed delegation-token= [Kind: kms-dt, Service: KMSIP:16000, Ident: > (kms-dt owner=user, renewer=yarn, realUser=, issueDate=1522192283334, > maxDate=1522797083334, sequenceNumber=15108613, masterKeyId=2674);exp=0; > apps=[]], for [] > 2018-04-11 11:34:09,367 INFO > org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer: > Renew Kind: kms-dt, Service: KMSIP:16000, Ident: (kms-dt owner=user, > renewer=yarn, realUser=, issueDate=1522192283334, maxDate=1522797083334, > sequenceNumber=15108613, masterKeyId=2674);exp=0; apps=[] in -1523446449367 > ms, appId = [] > ... > 2018-04-11 11:34:09,367 WARN > org.apache.hadoop.crypto.key.kms.KMSClientProvider$KMSTokenRenewer: > keyProvider null cannot renew dt. > 2018-04-11 11:34:09,367 INFO > org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer: > Renewed delegation-token= [Kind: kms-dt, Service: KMSIP:16000, Ident: > (kms-dt owner=user, renewer=yarn, realUser=, issueDate=1522192283334, > maxDate=1522797083334, sequenceNumber=15108613, masterKeyId=2674);exp=0; > apps=[]], for [] > 2018-04-11 11:34:09,367 INFO > org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer: > Renew Kind: kms-dt, Service: KMSIP:16000, Ident: (kms-dt owner=user, > renewer=yarn, realUser=, issueDate=1522192283334, maxDate=1522797083334, > sequenceNumber=15108613, masterKeyId=2674);exp=0; apps=[] in -1523446449367 > ms, appId = [] > {noformat} > Further inspection shows the KMS IP is from another cluster. The RM is before > HADOOP-14445, so needs to read from config. The config rightfully doesn't > have the other cluster's KMS configured. > Although HADOOP-14445 will make this a non-issue by creating the provider > from token service, we should fix 2 things here: > - KMS token renewer should throw instead of return 0. Returning 0 when not > able to renew shall be considered a bug in the renewer. > - Yarn RM's {{DelegationTokenRenewer}} service should validate the return and > not go into this busy loop. -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-15390) Yarn RM logs flooded by DelegationTokenRenewer trying to renew KMS tokens
[ https://issues.apache.org/jira/browse/HADOOP-15390?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16443482#comment-16443482 ] genericqa commented on HADOOP-15390: | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 21s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 1 new or modified test files. {color} | || || || || {color:brown} trunk Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 27s{color} | {color:blue} Maven dependency ordering for branch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 25m 13s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 27m 48s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 4m 20s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 2m 19s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 17m 20s{color} | {color:green} branch has no errors when building and testing our client artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 2m 44s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 1m 28s{color} | {color:green} trunk passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 24s{color} | {color:blue} Maven dependency ordering for patch {color} | | {color:red}-1{color} | {color:red} mvninstall {color} | {color:red} 0m 41s{color} | {color:red} hadoop-yarn-server-resourcemanager in the patch failed. {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 26m 21s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 26m 21s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 3m 10s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 1m 53s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 10m 10s{color} | {color:green} patch has no errors when building and testing our client artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 3m 0s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 1m 27s{color} | {color:green} the patch passed {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 9m 8s{color} | {color:green} hadoop-common in the patch passed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 67m 21s{color} | {color:green} hadoop-yarn-server-resourcemanager in the patch passed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 40s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black}202m 55s{color} | {color:black} {color} | \\ \\ || Subsystem || Report/Notes || | Docker | Client=17.05.0-ce Server=17.05.0-ce Image:yetus/hadoop:8620d2b | | JIRA Issue | HADOOP-15390 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12919702/HADOOP-15390.02.patch | | Optional Tests | asflicense compile javac javadoc mvninstall mvnsite unit shadedclient findbugs checkstyle | | uname | Linux ac0de2cfc4bc 3.13.0-137-generic #186-Ubuntu SMP Mon Dec 4 19:09:19 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux | | Build tool | maven | | Personality | /testptch/patchprocess/precommit/personality/provided.sh | | git revision | trunk / bf7694d | | maven | version: Apache Maven 3.3.9 | | Default Java | 1.8.0_162 | | findbugs | v3.1.0-RC1 | | mvninstall | https://builds.apache.org/job/PreCommit-HADOOP-Build/14502/artifact/out/patch-mvninsta
[jira] [Commented] (HADOOP-15390) Yarn RM logs flooded by DelegationTokenRenewer trying to renew KMS tokens
[ https://issues.apache.org/jira/browse/HADOOP-15390?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16443316#comment-16443316 ] Xiao Chen commented on HADOOP-15390: Thanks for the review Robert. bq. 1 Put all details into the exception. Removed the logging part as that's not necessary anymore. bq. 2 That's "Added a dummy line in TestKMS for pre-commit coverage.", because I want hadoop-kms tests to be ran here. Above pre-commit gave a green, so removed it in this patch. :) > Yarn RM logs flooded by DelegationTokenRenewer trying to renew KMS tokens > - > > Key: HADOOP-15390 > URL: https://issues.apache.org/jira/browse/HADOOP-15390 > Project: Hadoop Common > Issue Type: Bug >Reporter: Xiao Chen >Assignee: Xiao Chen >Priority: Major > Attachments: HADOOP-15390.01.patch, HADOOP-15390.02.patch > > > When looking at a recent issue with [~rkanter] and [~yufeigu], we found that > the RM log in a cluster was flooded by KMS token renewal errors below: > {noformat} > $ tail -9 hadoop-cmf-yarn-RESOURCEMANAGER.log > 2018-04-11 11:34:09,367 WARN > org.apache.hadoop.crypto.key.kms.KMSClientProvider$KMSTokenRenewer: > keyProvider null cannot renew dt. > 2018-04-11 11:34:09,367 INFO > org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer: > Renewed delegation-token= [Kind: kms-dt, Service: KMSIP:16000, Ident: > (kms-dt owner=user, renewer=yarn, realUser=, issueDate=1522192283334, > maxDate=1522797083334, sequenceNumber=15108613, masterKeyId=2674);exp=0; > apps=[]], for [] > 2018-04-11 11:34:09,367 INFO > org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer: > Renew Kind: kms-dt, Service: KMSIP:16000, Ident: (kms-dt owner=user, > renewer=yarn, realUser=, issueDate=1522192283334, maxDate=1522797083334, > sequenceNumber=15108613, masterKeyId=2674);exp=0; apps=[] in -1523446449367 > ms, appId = [] > ... > 2018-04-11 11:34:09,367 WARN > org.apache.hadoop.crypto.key.kms.KMSClientProvider$KMSTokenRenewer: > keyProvider null cannot renew dt. > 2018-04-11 11:34:09,367 INFO > org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer: > Renewed delegation-token= [Kind: kms-dt, Service: KMSIP:16000, Ident: > (kms-dt owner=user, renewer=yarn, realUser=, issueDate=1522192283334, > maxDate=1522797083334, sequenceNumber=15108613, masterKeyId=2674);exp=0; > apps=[]], for [] > 2018-04-11 11:34:09,367 INFO > org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer: > Renew Kind: kms-dt, Service: KMSIP:16000, Ident: (kms-dt owner=user, > renewer=yarn, realUser=, issueDate=1522192283334, maxDate=1522797083334, > sequenceNumber=15108613, masterKeyId=2674);exp=0; apps=[] in -1523446449367 > ms, appId = [] > {noformat} > Further inspection shows the KMS IP is from another cluster. The RM is before > HADOOP-14445, so needs to read from config. The config rightfully doesn't > have the other cluster's KMS configured. > Although HADOOP-14445 will make this a non-issue by creating the provider > from token service, we should fix 2 things here: > - KMS token renewer should throw instead of return 0. Returning 0 when not > able to renew shall be considered a bug in the renewer. > - Yarn RM's {{DelegationTokenRenewer}} service should validate the return and > not go into this busy loop. -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-15390) Yarn RM logs flooded by DelegationTokenRenewer trying to renew KMS tokens
[ https://issues.apache.org/jira/browse/HADOOP-15390?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16443228#comment-16443228 ] Robert Kanter commented on HADOOP-15390: Thanks for the patch [~xiaochen]. Two things: # When throwing the {{IOException}}, why not also include the token details in the message? The patch is currently only logging that part. # Adding the "// test" command to {{TestKMS}} seems unnecessary? > Yarn RM logs flooded by DelegationTokenRenewer trying to renew KMS tokens > - > > Key: HADOOP-15390 > URL: https://issues.apache.org/jira/browse/HADOOP-15390 > Project: Hadoop Common > Issue Type: Bug >Reporter: Xiao Chen >Assignee: Xiao Chen >Priority: Major > Attachments: HADOOP-15390.01.patch > > > When looking at a recent issue with [~rkanter] and [~yufeigu], we found that > the RM log in a cluster was flooded by KMS token renewal errors below: > {noformat} > $ tail -9 hadoop-cmf-yarn-RESOURCEMANAGER.log > 2018-04-11 11:34:09,367 WARN > org.apache.hadoop.crypto.key.kms.KMSClientProvider$KMSTokenRenewer: > keyProvider null cannot renew dt. > 2018-04-11 11:34:09,367 INFO > org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer: > Renewed delegation-token= [Kind: kms-dt, Service: KMSIP:16000, Ident: > (kms-dt owner=user, renewer=yarn, realUser=, issueDate=1522192283334, > maxDate=1522797083334, sequenceNumber=15108613, masterKeyId=2674);exp=0; > apps=[]], for [] > 2018-04-11 11:34:09,367 INFO > org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer: > Renew Kind: kms-dt, Service: KMSIP:16000, Ident: (kms-dt owner=user, > renewer=yarn, realUser=, issueDate=1522192283334, maxDate=1522797083334, > sequenceNumber=15108613, masterKeyId=2674);exp=0; apps=[] in -1523446449367 > ms, appId = [] > ... > 2018-04-11 11:34:09,367 WARN > org.apache.hadoop.crypto.key.kms.KMSClientProvider$KMSTokenRenewer: > keyProvider null cannot renew dt. > 2018-04-11 11:34:09,367 INFO > org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer: > Renewed delegation-token= [Kind: kms-dt, Service: KMSIP:16000, Ident: > (kms-dt owner=user, renewer=yarn, realUser=, issueDate=1522192283334, > maxDate=1522797083334, sequenceNumber=15108613, masterKeyId=2674);exp=0; > apps=[]], for [] > 2018-04-11 11:34:09,367 INFO > org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer: > Renew Kind: kms-dt, Service: KMSIP:16000, Ident: (kms-dt owner=user, > renewer=yarn, realUser=, issueDate=1522192283334, maxDate=1522797083334, > sequenceNumber=15108613, masterKeyId=2674);exp=0; apps=[] in -1523446449367 > ms, appId = [] > {noformat} > Further inspection shows the KMS IP is from another cluster. The RM is before > HADOOP-14445, so needs to read from config. The config rightfully doesn't > have the other cluster's KMS configured. > Although HADOOP-14445 will make this a non-issue by creating the provider > from token service, we should fix 2 things here: > - KMS token renewer should throw instead of return 0. Returning 0 when not > able to renew shall be considered a bug in the renewer. > - Yarn RM's {{DelegationTokenRenewer}} service should validate the return and > not go into this busy loop. -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-15390) Yarn RM logs flooded by DelegationTokenRenewer trying to renew KMS tokens
[ https://issues.apache.org/jira/browse/HADOOP-15390?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16440376#comment-16440376 ] Xiao Chen commented on HADOOP-15390: Failed test doesn't look related and passed locally > Yarn RM logs flooded by DelegationTokenRenewer trying to renew KMS tokens > - > > Key: HADOOP-15390 > URL: https://issues.apache.org/jira/browse/HADOOP-15390 > Project: Hadoop Common > Issue Type: Bug >Reporter: Xiao Chen >Assignee: Xiao Chen >Priority: Major > Attachments: HADOOP-15390.01.patch > > > When looking at a recent issue with [~rkanter] and [~yufeigu], we found that > the RM log in a cluster was flooded by KMS token renewal errors below: > {noformat} > $ tail -9 hadoop-cmf-yarn-RESOURCEMANAGER.log > 2018-04-11 11:34:09,367 WARN > org.apache.hadoop.crypto.key.kms.KMSClientProvider$KMSTokenRenewer: > keyProvider null cannot renew dt. > 2018-04-11 11:34:09,367 INFO > org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer: > Renewed delegation-token= [Kind: kms-dt, Service: KMSIP:16000, Ident: > (kms-dt owner=user, renewer=yarn, realUser=, issueDate=1522192283334, > maxDate=1522797083334, sequenceNumber=15108613, masterKeyId=2674);exp=0; > apps=[]], for [] > 2018-04-11 11:34:09,367 INFO > org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer: > Renew Kind: kms-dt, Service: KMSIP:16000, Ident: (kms-dt owner=user, > renewer=yarn, realUser=, issueDate=1522192283334, maxDate=1522797083334, > sequenceNumber=15108613, masterKeyId=2674);exp=0; apps=[] in -1523446449367 > ms, appId = [] > ... > 2018-04-11 11:34:09,367 WARN > org.apache.hadoop.crypto.key.kms.KMSClientProvider$KMSTokenRenewer: > keyProvider null cannot renew dt. > 2018-04-11 11:34:09,367 INFO > org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer: > Renewed delegation-token= [Kind: kms-dt, Service: KMSIP:16000, Ident: > (kms-dt owner=user, renewer=yarn, realUser=, issueDate=1522192283334, > maxDate=1522797083334, sequenceNumber=15108613, masterKeyId=2674);exp=0; > apps=[]], for [] > 2018-04-11 11:34:09,367 INFO > org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer: > Renew Kind: kms-dt, Service: KMSIP:16000, Ident: (kms-dt owner=user, > renewer=yarn, realUser=, issueDate=1522192283334, maxDate=1522797083334, > sequenceNumber=15108613, masterKeyId=2674);exp=0; apps=[] in -1523446449367 > ms, appId = [] > {noformat} > Further inspection shows the KMS IP is from another cluster. The RM is before > HADOOP-14445, so needs to read from config. The config rightfully doesn't > have the other cluster's KMS configured. > Although HADOOP-14445 will make this a non-issue by creating the provider > from token service, we should fix 2 things here: > - KMS token renewer should throw instead of return 0. Returning 0 when not > able to renew shall be considered a bug in the renewer. > - Yarn RM's {{DelegationTokenRenewer}} service should validate the return and > not go into this busy loop. -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-15390) Yarn RM logs flooded by DelegationTokenRenewer trying to renew KMS tokens
[ https://issues.apache.org/jira/browse/HADOOP-15390?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16440223#comment-16440223 ] genericqa commented on HADOOP-15390: | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 31s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 2 new or modified test files. {color} | || || || || {color:brown} trunk Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 20s{color} | {color:blue} Maven dependency ordering for branch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 26m 42s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 29m 50s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 3m 14s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 2m 40s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 16m 52s{color} | {color:green} branch has no errors when building and testing our client artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 3m 35s{color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 2m 1s{color} | {color:green} trunk passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 18s{color} | {color:blue} Maven dependency ordering for patch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 1m 55s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 28m 21s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 28m 21s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 3m 17s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 2m 45s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 10m 21s{color} | {color:green} patch has no errors when building and testing our client artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 3m 59s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 2m 1s{color} | {color:green} the patch passed {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 8m 27s{color} | {color:green} hadoop-common in the patch passed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 3m 36s{color} | {color:green} hadoop-kms in the patch passed. {color} | | {color:red}-1{color} | {color:red} unit {color} | {color:red} 80m 42s{color} | {color:red} hadoop-yarn-server-resourcemanager in the patch failed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 39s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black}229m 1s{color} | {color:black} {color} | \\ \\ || Reason || Tests || | Failed junit tests | hadoop.yarn.server.resourcemanager.recovery.TestZKRMStateStore | \\ \\ || Subsystem || Report/Notes || | Docker | Client=17.05.0-ce Server=17.05.0-ce Image:yetus/hadoop:8620d2b | | JIRA Issue | HADOOP-15390 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12919282/HADOOP-15390.01.patch | | Optional Tests | asflicense compile javac javadoc mvninstall mvnsite unit shadedclient findbugs checkstyle | | uname | Linux 36aeb5e6b71b 3.13.0-143-generic #192-Ubuntu SMP Tue Feb 27 10:45:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux | | Build tool | maven | | Personality | /testptch/patchprocess/precommit/personality/provided.sh | | git revis
[jira] [Commented] (HADOOP-15390) Yarn RM logs flooded by DelegationTokenRenewer trying to renew KMS tokens
[ https://issues.apache.org/jira/browse/HADOOP-15390?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16439992#comment-16439992 ] Xiao Chen commented on HADOOP-15390: Patch 1 does the 2 changes described. Added a dummy line in TestKMS for pre-commit coverage. > Yarn RM logs flooded by DelegationTokenRenewer trying to renew KMS tokens > - > > Key: HADOOP-15390 > URL: https://issues.apache.org/jira/browse/HADOOP-15390 > Project: Hadoop Common > Issue Type: Bug >Reporter: Xiao Chen >Assignee: Xiao Chen >Priority: Major > Attachments: HADOOP-15390.01.patch > > > When looking at a recent issue with [~rkanter] and [~yufeigu], we found that > the RM log in a cluster was flooded by KMS token renewal errors below: > {noformat} > $ tail -9 hadoop-cmf-yarn-RESOURCEMANAGER.log > 2018-04-11 11:34:09,367 WARN > org.apache.hadoop.crypto.key.kms.KMSClientProvider$KMSTokenRenewer: > keyProvider null cannot renew dt. > 2018-04-11 11:34:09,367 INFO > org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer: > Renewed delegation-token= [Kind: kms-dt, Service: KMSIP:16000, Ident: > (kms-dt owner=user, renewer=yarn, realUser=, issueDate=1522192283334, > maxDate=1522797083334, sequenceNumber=15108613, masterKeyId=2674);exp=0; > apps=[]], for [] > 2018-04-11 11:34:09,367 INFO > org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer: > Renew Kind: kms-dt, Service: KMSIP:16000, Ident: (kms-dt owner=user, > renewer=yarn, realUser=, issueDate=1522192283334, maxDate=1522797083334, > sequenceNumber=15108613, masterKeyId=2674);exp=0; apps=[] in -1523446449367 > ms, appId = [] > ... > 2018-04-11 11:34:09,367 WARN > org.apache.hadoop.crypto.key.kms.KMSClientProvider$KMSTokenRenewer: > keyProvider null cannot renew dt. > 2018-04-11 11:34:09,367 INFO > org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer: > Renewed delegation-token= [Kind: kms-dt, Service: KMSIP:16000, Ident: > (kms-dt owner=user, renewer=yarn, realUser=, issueDate=1522192283334, > maxDate=1522797083334, sequenceNumber=15108613, masterKeyId=2674);exp=0; > apps=[]], for [] > 2018-04-11 11:34:09,367 INFO > org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer: > Renew Kind: kms-dt, Service: KMSIP:16000, Ident: (kms-dt owner=user, > renewer=yarn, realUser=, issueDate=1522192283334, maxDate=1522797083334, > sequenceNumber=15108613, masterKeyId=2674);exp=0; apps=[] in -1523446449367 > ms, appId = [] > {noformat} > Further inspection shows the KMS IP is from another cluster. The RM is before > HADOOP-14445, so needs to read from config. The config rightfully doesn't > have the other cluster's KMS configured. > Although HADOOP-14445 will make this a non-issue by creating the provider > from token service, we should fix 2 things here: > - KMS token renewer should throw instead of return 0. Returning 0 when not > able to renew shall be considered a bug in the renewer. > - Yarn RM's {{DelegationTokenRenewer}} service should validate the return and > not go into this busy loop. -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org