[jira] [Commented] (YARN-11922) ResourceManager not update SecretManager keysize immediately if recovery is on

ASF GitHub Bot (Jira) Tue, 20 Jan 2026 13:01:52 -0800


    [ 
https://issues.apache.org/jira/browse/YARN-11922?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18053156#comment-18053156
 ]


ASF GitHub Bot commented on YARN-11922:
---------------------------------------

hadoop-yetus commented on PR #8194:
URL: https://github.com/apache/hadoop/pull/8194#issuecomment-3774930487

   :broken_heart: **-1 overall**
   
   
   
   
   
   
   | Vote | Subsystem | Runtime |  Logfile | Comment |
   |:----:|----------:|--------:|:--------:|:-------:|
   | +0 :ok: |  reexec  |   0m 44s |  |  Docker mode activated.  |
   |||| _ Prechecks _ |
   | +1 :green_heart: |  dupname  |   0m  0s |  |  No case conflicting files 
found.  |
   | +0 :ok: |  codespell  |   0m  1s |  |  codespell was not available.  |
   | +0 :ok: |  detsecrets  |   0m  1s |  |  detect-secrets was not available.  
|
   | +1 :green_heart: |  @author  |   0m  0s |  |  The patch does not contain 
any @author tags.  |
   | +1 :green_heart: |  test4tests  |   0m  0s |  |  The patch appears to 
include 3 new or modified test files.  |
   |||| _ trunk Compile Tests _ |
   | +0 :ok: |  mvndep  |   9m 28s |  |  Maven dependency ordering for branch  |
   | +1 :green_heart: |  mvninstall  |  21m 18s |  |  trunk passed  |
   | +1 :green_heart: |  compile  |   9m 13s |  |  trunk passed with JDK 
Ubuntu-21.0.7+6-Ubuntu-0ubuntu120.04  |
   | +1 :green_heart: |  compile  |   9m 36s |  |  trunk passed with JDK 
Ubuntu-17.0.15+6-Ubuntu-0ubuntu120.04  |
   | +1 :green_heart: |  checkstyle  |   1m 38s |  |  trunk passed  |
   | +1 :green_heart: |  mvnsite  |   1m 51s |  |  trunk passed  |
   | +1 :green_heart: |  javadoc  |   1m 30s |  |  trunk passed with JDK 
Ubuntu-21.0.7+6-Ubuntu-0ubuntu120.04  |
   | +1 :green_heart: |  javadoc  |   1m 28s |  |  trunk passed with JDK 
Ubuntu-17.0.15+6-Ubuntu-0ubuntu120.04  |
   | +1 :green_heart: |  spotbugs  |   3m  1s |  |  trunk passed  |
   | +1 :green_heart: |  shadedclient  |  15m 33s |  |  branch has no errors 
when building and testing our client artifacts.  |
   |||| _ Patch Compile Tests _ |
   | +0 :ok: |  mvndep  |   0m 17s |  |  Maven dependency ordering for patch  |
   | +1 :green_heart: |  mvninstall  |   1m 16s |  |  the patch passed  |
   | +1 :green_heart: |  compile  |   9m  5s |  |  the patch passed with JDK 
Ubuntu-21.0.7+6-Ubuntu-0ubuntu120.04  |
   | +1 :green_heart: |  javac  |   9m  5s |  |  the patch passed  |
   | +1 :green_heart: |  compile  |   9m 28s |  |  the patch passed with JDK 
Ubuntu-17.0.15+6-Ubuntu-0ubuntu120.04  |
   | +1 :green_heart: |  javac  |   9m 28s |  |  the patch passed  |
   | +1 :green_heart: |  blanks  |   0m  0s |  |  The patch has no blanks 
issues.  |
   | -0 :warning: |  checkstyle  |   1m 36s | 
[/results-checkstyle-root.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8194/2/artifact/out/results-checkstyle-root.txt)
 |  root: The patch generated 1 new + 74 unchanged - 0 fixed = 75 total (was 
74)  |
   | +1 :green_heart: |  mvnsite  |   1m 51s |  |  the patch passed  |
   | +1 :green_heart: |  javadoc  |   1m 31s |  |  the patch passed with JDK 
Ubuntu-21.0.7+6-Ubuntu-0ubuntu120.04  |
   | +1 :green_heart: |  javadoc  |   1m 24s |  |  the patch passed with JDK 
Ubuntu-17.0.15+6-Ubuntu-0ubuntu120.04  |
   | +1 :green_heart: |  spotbugs  |   3m 10s |  |  the patch passed  |
   | +1 :green_heart: |  shadedclient  |  15m 41s |  |  patch has no errors 
when building and testing our client artifacts.  |
   |||| _ Other Tests _ |
   | +1 :green_heart: |  unit  |  16m 11s |  |  hadoop-common in the patch 
passed.  |
   | -1 :x: |  unit  |  88m 31s | 
[/patch-unit-hadoop-yarn-project_hadoop-yarn_hadoop-yarn-server_hadoop-yarn-server-resourcemanager.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8194/2/artifact/out/patch-unit-hadoop-yarn-project_hadoop-yarn_hadoop-yarn-server_hadoop-yarn-server-resourcemanager.txt)
 |  hadoop-yarn-server-resourcemanager in the patch passed.  |
   | +1 :green_heart: |  asflicense  |   0m 40s |  |  The patch does not 
generate ASF License warnings.  |
   |  |   | 228m 49s |  |  |
   
   
   | Reason | Tests |
   |-------:|:------|
   | Failed junit tests | hadoop.yarn.server.resourcemanager.TestRMHA |
   |   | hadoop.yarn.server.resourcemanager.webapp.TestRMWebServicesReservation 
|
   
   
   | Subsystem | Report/Notes |
   |----------:|:-------------|
   | Docker | ClientAPI=1.52 ServerAPI=1.52 base: 
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8194/2/artifact/out/Dockerfile
 |
   | GITHUB PR | https://github.com/apache/hadoop/pull/8194 |
   | Optional Tests | dupname asflicense compile javac javadoc mvninstall 
mvnsite unit shadedclient spotbugs checkstyle codespell detsecrets |
   | uname | Linux a40680d8aa73 5.15.0-164-generic #174-Ubuntu SMP Fri Nov 14 
20:25:16 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux |
   | Build tool | maven |
   | Personality | dev-support/bin/hadoop.sh |
   | git revision | trunk / dbf4d494f7cffbee3d8da71f48c8a7b8483a71c9 |
   | Default Java | Ubuntu-17.0.15+6-Ubuntu-0ubuntu120.04 |
   | Multi-JDK versions | 
/usr/lib/jvm/java-21-openjdk-amd64:Ubuntu-21.0.7+6-Ubuntu-0ubuntu120.04 
/usr/lib/jvm/java-17-openjdk-amd64:Ubuntu-17.0.15+6-Ubuntu-0ubuntu120.04 |
   |  Test Results | 
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8194/2/testReport/ |
   | Max. process+thread count | 1704 (vs. ulimit of 5500) |
   | modules | C: hadoop-common-project/hadoop-common 
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager
 U: . |
   | Console output | 
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8194/2/console |
   | versions | git=2.25.1 maven=3.9.11 spotbugs=4.9.7 |
   | Powered by | Apache Yetus 0.14.0 https://yetus.apache.org |
   
   
   This message was automatically generated.
   
   




> ResourceManager not update SecretManager keysize immediately if recovery is on
> ------------------------------------------------------------------------------
>
>                 Key: YARN-11922
>                 URL: https://issues.apache.org/jira/browse/YARN-11922
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: yarn
>    Affects Versions: 3.5.0
>            Reporter: Bence Kosztolnik
>            Assignee: Bence Kosztolnik
>            Priority: Minor
>              Labels: pull-request-available
>
> *Problem Statement:*
> I have a scenario where I need to migrate a YARN cluster to a FIPS 
> 140-3–compatible environment.
> For this, the AMRMTokenSecretManager must use secrets that are at least 112 
> bits long. By default, the secret length is 64 bits. When I modify the key 
> size and restart the cluster with recovery enabled, the state store reloads 
> the old secret, which has a default lifetime of 24 hours. As a result, even 
> though the cluster is configured to operate in FIPS 140-3–compatible mode, it 
> continues to use a non-compliant secret.
>  
> *Solution:*
> When the ResourceManager recovers, it should validate the secret size stored 
> in the state store. If the stored secret size differs from the configured 
> value, the secret should be forcibly regenerated and updated.
>  
> *Tested:*
> Through manual testing, I verified that HIVE applications can run 
> successfully both before and after the configuration change.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

[jira] [Commented] (YARN-11922) ResourceManager not update SecretManager keysize immediately if recovery is on

Reply via email to