[
https://issues.apache.org/jira/browse/YARN-3103?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14295574#comment-14295574
]
Jian He commented on YARN-3103:
-------------------------------
bq. Then the client can fixup the token service name after it's been stored in
the credentials, just like it does during AM startup.
Good point. or we can loop the existing tokens in UGI and select out the
AMRMToken based on token kind and set the token service name.
Or another way is to fix AM startup to inject the correct AMRMToken service
name instead of empty string. Each way looks fine to me.
Currently, AMRMToken service name is reset on AM side with a concatenated
string of multiple RM addresses; If we do above, then we don't need the cluster
ID?
> AMRMClientImpl does not update AMRM token properly
> --------------------------------------------------
>
> Key: YARN-3103
> URL: https://issues.apache.org/jira/browse/YARN-3103
> Project: Hadoop YARN
> Issue Type: Bug
> Components: client
> Affects Versions: 2.6.0
> Reporter: Jason Lowe
> Assignee: Jason Lowe
> Priority: Blocker
>
> AMRMClientImpl.updateAMRMToken updates the token service _before_ storing it
> to the credentials, so the token is mapped using the newly updated service
> rather than the empty service that was used when the RM created the original
> AMRM token. This leads to two AMRM tokens in the credentials and can still
> fail if the AMRMTokenSelector picks the wrong one.
> In addition the AMRMClientImpl grabs the login user rather than the current
> user when security is enabled, so it's likely the UGI being updated is not
> the UGI that will be used when reconnecting to the RM.
> The end result is that AMs can fail with invalid token errors when trying to
> reconnect to an RM after a new AMRM secret has been activated.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
