[ https://issues.apache.org/jira/browse/YARN-6602?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16450760#comment-16450760 ]
Hudson commented on YARN-6602: ------------------------------ SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #14057 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/14057/]) YARN-6602. Impersonation does not work if standby RM is contacted first (xyao: rev faf36776c73997185e8a048e39366e4519639d95) * (edit) hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/client/ClientRMProxy.java * (edit) hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/client/RequestHedgingRMFailoverProxyProvider.java * (edit) hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/client/ConfiguredRMFailoverProxyProvider.java * (edit) hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/client/RMProxy.java * (edit) hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/client/TestClientRMProxy.java * (edit) hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/api/ServerRMProxy.java > Impersonation does not work if standby RM is contacted first > ------------------------------------------------------------ > > Key: YARN-6602 > URL: https://issues.apache.org/jira/browse/YARN-6602 > Project: Hadoop YARN > Issue Type: Bug > Components: client > Affects Versions: 3.0.0-alpha4 > Reporter: Robert Kanter > Assignee: Robert Kanter > Priority: Blocker > Fix For: 2.9.0, 3.0.0-alpha4 > > Attachments: YARN-6602.001.patch, YARN-6602.002.patch > > > When RM HA is enabled, impersonation does not work correctly if the Yarn > Client connects to the standby RM first. When this happens, the > impersonation is "lost" and the client does things on behalf of the > impersonator user. We saw this with the OOZIE-1770 Oozie on Yarn feature. > I need to investigate this some more, but it appears to be related to > delegation tokens. When this issue occurs, the tokens have the owner as > "oozie" instead of the actual user. On a hunch, we found a workaround that > explicitly adding a correct RM HA delegation token fixes the problem: > {code:java} > org.apache.hadoop.yarn.api.records.Token token = > yarnClient.getRMDelegationToken(ClientRMProxy.getRMDelegationTokenService(conf)); > org.apache.hadoop.security.token.Token token2 = new > org.apache.hadoop.security.token.Token(token.getIdentifier().array(), > token.getPassword().array(), new Text(token.getKind()), new > Text(token.getService())); > UserGroupInformation.getCurrentUser().addToken(token2); > {code} -- This message was sent by Atlassian JIRA (v7.6.3#76005) --------------------------------------------------------------------- To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org