[ https://issues.apache.org/jira/browse/YARN-4126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15736967#comment-15736967 ]

Jian He commented on YARN-4126:
-------------------------------

bq. Assuming that Oozie wants to keep supporting 2.x releases there must be an Oozie side fix,
IIUC, since this is already reverted from branch-2, Oozie no longer requires a 
fix to support 2.x release.

To support 3.x, which has this change, Oozie needs to have a fix.

My point is that the old behavior is a bug -- (the logic is not matching its 
exception). Exception says delegationToken can only be done in kerberos env, 
but the logic returns true if it is unsecure env. -- Isn't this 
self-conflicting?
{code}
      if (!isAllowedDelegationTokenOp()) {
        throw new IOException(
            "Delegation Token can be cancelled only with kerberos authentication");
      }
{code} 
My preference is to keep this in 3.x so that future apps on YARN are not 
repeating the same mistake as Oozie, and Oozie should fix this to support 3.x 
line.
On the other hand, if other folks think it's more important to keep it 
compatible and with minimal surprise for 3.x, I'm also ok to revert it.

> RM should not issue delegation tokens in unsecure mode
> ------------------------------------------------------
>
>                 Key: YARN-4126
>                 URL: https://issues.apache.org/jira/browse/YARN-4126
>             Project: Hadoop YARN
>          Issue Type: Bug
>            Reporter: Jian He
>            Assignee: Bibin A Chundatt
>             Fix For: 3.0.0-alpha1
>
>         Attachments: 0001-YARN-4126.patch, 0002-YARN-4126.patch, 
> 0003-YARN-4126.patch, 0004-YARN-4126.patch, 0005-YARN-4126.patch, 
> 0006-YARN-4126.patch
>
>
> ClientRMService#getDelegationToken is currently returning a delegation token 
> in insecure mode. We should not return the token if it's in insecure mode. 


