[
https://issues.apache.org/jira/browse/HADOOP-13381?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15385145#comment-15385145
]
Arun Suresh commented on HADOOP-13381:
--------------------------------------
So... I was thinking we should do the following:
# Ensure the NM creates the DFSclient on boot up, so that the acutalUgi is the
yarn user
# Add a method in {{UserGroupInformation}} to remove credentials, so that you
can remove the KMS-DT from the actualUgi.
# After the token has expired and when we get an authorization exception, we,
in addition to flushing the authToken (line 592 in KMSClientProvider), we also
call the new method I mentioned in the previous point to remove the KMS-DT.
# Then, we let the retry happen, at which point it will get a new delegation
token.
makes sense ?
> KMS clients running in the same JVM should use updated KMS Delegation Token
> ---------------------------------------------------------------------------
>
> Key: HADOOP-13381
> URL: https://issues.apache.org/jira/browse/HADOOP-13381
> Project: Hadoop Common
> Issue Type: Bug
> Components: kms
> Affects Versions: 2.6.0
> Reporter: Xiao Chen
> Assignee: Xiao Chen
> Priority: Critical
> Attachments: HADOOP-13381.01.patch
>
>
> When {{/tmp}} is setup as an EZ, one may experience YARN log aggregation
> failure after the very first KMS token is expired. The MR job itself runs
> fine though.
> When this happens, YARN NodeManager's log will show
> {{AuthenticationException}} with {{token is expired}} / {{token can't be
> found in cache}}, depending on whether the expired token is removed by the
> background or not.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
