[
https://issues.apache.org/jira/browse/HADOOP-13251?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Xiao Chen updated HADOOP-13251:
-------------------------------
Attachment: HADOOP-13251.01.patch
> DelegationTokenAuthenticationHandler should detect actual renewer when renew
> token
> ----------------------------------------------------------------------------------
>
> Key: HADOOP-13251
> URL: https://issues.apache.org/jira/browse/HADOOP-13251
> Project: Hadoop Common
> Issue Type: Bug
> Components: kms
> Affects Versions: 2.8.0
> Reporter: Xiao Chen
> Assignee: Xiao Chen
> Attachments: HADOOP-13251.01.patch, HADOOP-13251.01.patch
>
>
> Turns out KMS delegation token renewal feature (HADOOP-13155) does not work
> well with client side impersonation.
> In a MR example, an end user (UGI:user) gets all kinds of DTs (with
> renewer=yarn), and pass them to Yarn. Yarn's resource manager (UGI:yarn) then
> renews these DTs as long as the MR jobs are running. But currently, the token
> is used at the kms server side to decide the renewer, in which case is always
> the token's owner. This ends up rejecting the renew request due to renewer
> mismatch.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
