[jira] [Commented] (YARN-9708) Yarn Router Support DelegationToken

Wed, 15 Feb 2023 04:40:07 -0800 


    [ 
https://issues.apache.org/jira/browse/YARN-9708?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17689098#comment-17689098
 ] 

Krishan Goyal commented on YARN-9708:
-------------------------------------

[~slfan1989] how is client delegation token supported behind multiple router 
instances for clients using RPC ? 

I believe delegation token validation happens during RPC connection. 

If router instances are behind a load balancer, there is no direct RPC 
connection from client to Router right ? 

> Yarn Router Support DelegationToken
> -----------------------------------
>
>                 Key: YARN-9708
>                 URL: https://issues.apache.org/jira/browse/YARN-9708
>             Project: Hadoop YARN
>          Issue Type: New Feature
>          Components: router
>    Affects Versions: 3.4.0
>            Reporter: Xie YiFan
>            Assignee: Shilun Fan
>            Priority: Major
>              Labels: pull-request-available
>         Attachments: Add_getDelegationToken_and_SecureLogin_in_router.patch, 
> RMDelegationTokenSecretManager_storeNewMasterKey.svg, 
> RouterDelegationTokenSecretManager_storeNewMasterKey.svg
>
>
> 1.we use router as proxy to manage multiple cluster which be independent of 
> each other in order to apply unified client. Thus, we implement our 
> customized AMRMProxyPolicy that doesn't broadcast ResourceRequest to other 
> cluster.
> 2.Our production environment need kerberos. But router doesn't support 
> SecureLogin for now.
> https://issues.apache.org/jira/browse/YARN-6539 desn't work. So we 
> improvement it.
> 3.Some framework like oozie would get Token via yarnclient#getDelegationToken 
> which router doesn't support. Our solution is that adding homeCluster to 
> ApplicationSubmissionContextProto & GetDelegationTokenRequestProto. Job would 
> be submitted with specified clusterid so that router knows which cluster to 
> submit this job. Router would get Token from one RM according to specified 
> clusterid when client call getDelegation meanwhile apply some mechanism to 
> save this token in memory.
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org

Reply via email to