[FLINK-31162][yarn] Use currUsr.getCredentials.getTokens instead of currUsr.getTokens #21985
…ntials to avoid including private tokens in AM container context
Please take a look. cc @gaborgsomogyi @MartijnVisser @becketqin
Re title: You mean 'Use currUsr.getCredentials().getAllTokens() instead of currUsr.getTokens() to avoid including private tokens'?
Change looks good to me. Not sure how testable this is ...
Oh. Yes. Thanks for pointing out.
Yeah not sure how we can add either unit tests or integration tests.
@venkata91 This PR should first be targeted towards
@MartijnVisser The issue here is different and is only specific to
So this issue only occurs in 1.16 and not in 1.17 and later? Then we're good yes :)
LGTM. Thanks for fixing it.
There is a somewhat bigger issue in 1.17 which I am looking at as part of https://issues.apache.org/jira/browse/FLINK-31109, and I will address this smaller issue as well as part of it.
LGTM
... to avoid including private tokens in AM container context
What is the purpose of the change
Avoid setting private tokens to AM container context when kerberos delegation token fetch is disabled and DTs are managed.
Brief change log
Currently while setting user credentials to the AM container context, ugi.getTokens() is used which also returns the private tokens along with UGI tokens. But it should not be passed to the AM container context. This causes the launch of YARN RM app to fail in some cases, for example when Consistent Reads from HDFS Observer NameNode feature is enabled. Instead, change it to ugi.getCredentials().getAllTokens() to only get user credentials tokens. Spark uses a similar way of setting the user credentials to AM container context as well.
Verifying this change
Tested this change internally in our environment as this requires a managed way of Delegation token fetch. Also tested enabling kerberos delegation token fetch feature to make sure it doesn't regress.
Does this pull request potentially affect one of the following parts:
@Public(Evolving): (yes / no)
Documentation
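The difference between the two calls named in the change log, as an added example that is not code from this pull request or from Flink. It assumes a Hadoop 3.x client on the classpath and that the "private tokens" in question are the ones Hadoop marks with Token.isPrivate(); the class name, user name, token contents and service names are constructed sample values.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Collection;
import org.apache.hadoop.io.DataOutputBuffer;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;

public class AmTokenExample {
    // Serializes tokens into the buffer form that ContainerLaunchContext#setTokens accepts.
    static ByteBuffer serialize(Collection<Token<? extends TokenIdentifier>> tokens)
            throws java.io.IOException {
        Credentials credentials = new Credentials();
        for (Token<? extends TokenIdentifier> token : tokens) {
            credentials.addToken(token.getService(), token);
        }
        DataOutputBuffer dob = new DataOutputBuffer();
        credentials.writeTokenStorageToStream(dob);
        return ByteBuffer.wrap(dob.getData(), 0, dob.getLength());
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: a dummy token for a logical HA service plus a
        // private clone of it bound to one made-up NameNode address.
        UserGroupInformation ugi = UserGroupInformation.createRemoteUser("example-user");
        Token<TokenIdentifier> logical = new Token<>(
                "sample-id".getBytes(StandardCharsets.UTF_8),
                "sample-password".getBytes(StandardCharsets.UTF_8),
                new Text("HDFS_DELEGATION_TOKEN"), new Text("ha-hdfs:example-ns"));
        ugi.addToken(logical);
        ugi.addToken(logical.privateClone(new Text("192.0.2.10:8020")));

        // Before the change: every token held by the UGI, private clones included.
        Collection<Token<? extends TokenIdentifier>> before = ugi.getTokens();
        // After the change: getCredentials() returns a copy with private tokens removed.
        Collection<Token<? extends TokenIdentifier>> after = ugi.getCredentials().getAllTokens();

        for (Token<? extends TokenIdentifier> t : before) {
            System.out.println("getTokens():      " + t.getService() + " private=" + t.isPrivate());
        }
        for (Token<? extends TokenIdentifier> t : after) {
            System.out.println("getCredentials(): " + t.getService() + " private=" + t.isPrivate());
        }
        System.out.println("AM context bytes: before=" + serialize(before).remaining()
                + " after=" + serialize(after).remaining());
    }
}
```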