[jira] [Comment Edited] (YARN-2798) YarnClient doesn't need to translate Kerberos name of timeline DT renewer

Mon, 03 Nov 2014 12:05:39 -0800 

    [ 
https://issues.apache.org/jira/browse/YARN-2798?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14194982#comment-14194982
 ] 

Zhijie Shen edited comment on YARN-2798 at 11/3/14 8:03 PM:
------------------------------------------------------------

I don't have a quick setup for RM HA and secure cluster, but the mapping rule 
is applied every where in this cluster, I think it should work fine.

In fact, this issue is not HA related problem. However, in general, if we want 
the DT renew to work across RMs, we have to run these RMs as the same operating 
user name. Otherwise, if DT renewer is set to yarn of RM1, and RM2 is run by 
yarn'. RM2 can no longer renew the DT. This is not applied just to timeline DT, 
but all the DTs that we assign RM to renew. Correct me if I'm wrong.


was (Author: zjshen):
I don't have a quick setup for RM HA and secure cluster, but the mapping rule 
is applied every where in this cluster, I think it should work fine.

> YarnClient doesn't need to translate Kerberos name of timeline DT renewer
> -------------------------------------------------------------------------
>
>                 Key: YARN-2798
>                 URL: https://issues.apache.org/jira/browse/YARN-2798
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: timelineserver
>            Reporter: Arpit Gupta
>            Assignee: Zhijie Shen
>            Priority: Blocker
>         Attachments: YARN-2798.1.patch, YARN-2798.2.patch
>
>
> Now YarnClient will automatically get a timeline DT when submitting an app in 
> a secure mode. It will try to parse the yarn-site.xml/core-site.xml to get 
> the RM daemon operating system user. However, the RM principal and 
> auth_to_local may not be properly presented to the client, and the client 
> cannot translate the principal to the daemon user properly. On the other 
> hand, AbstractDelegationTokenIdentifier will do this translation when create 
> the token. However, since the client has already translated the full 
> principal into a short user name (which may not be correct), the server can 
> no longer apply the translation any more, where RM principal and 
> auth_to_local are always correct.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to