YARN-10816. Avoid doing delegation token ops when yarn.timeline-service.http-authentication.type=simple. Contributed by Tarun Parimi

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/client/api/impl/TimelineClientImpl.java

@@ -29,6 +29,7 @@ import org.apache.commons.cli.GnuParser;
 import org.apache.commons.cli.HelpFormatter;
 import org.apache.commons.cli.Options;
 import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
+import org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.apache.hadoop.classification.InterfaceAudience.Private;
@@ -88,6 +89,7 @@ public class TimelineClientImpl extends TimelineClient {
   private TimelineWriter timelineWriter;
 
   private String timelineServiceAddress;
+  private String authType;
 
   @Private
   @VisibleForTesting
@@ -128,6 +130,12 @@ public class TimelineClientImpl extends TimelineClient {
           conf.get(YarnConfiguration.TIMELINE_SERVICE_WEBAPP_ADDRESS,
               YarnConfiguration.DEFAULT_TIMELINE_SERVICE_WEBAPP_ADDRESS);
     }
+
+    String defaultAuth = UserGroupInformation.isSecurityEnabled() ?
+        KerberosAuthenticationHandler.TYPE :
+        PseudoAuthenticationHandler.TYPE;
+    authType = conf.get(YarnConfiguration.TIMELINE_HTTP_AUTH_TYPE,
+        defaultAuth);
     LOG.info("Timeline service address: " + getTimelineServiceAddress());
     super.serviceInit(conf);
   }
@@ -193,6 +201,12 @@ public class TimelineClientImpl extends TimelineClient {
   @Override
   public Token<TimelineDelegationTokenIdentifier> getDelegationToken(
       final String renewer) throws IOException, YarnException {
+    if(authType.equals(PseudoAuthenticationHandler.TYPE)) {
+      LOG.info("Skipping get timeline delegation token since authType="
+          + PseudoAuthenticationHandler.TYPE);
+      // Null tokens are ignored by YarnClient so this is safe
+      return null;
+    }
     PrivilegedExceptionAction<Token<TimelineDelegationTokenIdentifier>>
         getDTAction =
         new PrivilegedExceptionAction<Token<TimelineDelegationTokenIdentifier>>() {
@@ -219,6 +233,12 @@ public class TimelineClientImpl extends TimelineClient {
   public long renewDelegationToken(
       final Token<TimelineDelegationTokenIdentifier> timelineDT)
           throws IOException, YarnException {
+    if(authType.equals(PseudoAuthenticationHandler.TYPE)) {
+      LOG.info("Skipping renew timeline delegation token since authType="
+          + PseudoAuthenticationHandler.TYPE);
+      // RM will skip renew if expirytime less than 0
+      return -1;
+    }
     final boolean isTokenServiceAddrEmpty =
         timelineDT.getService().toString().isEmpty();
     final String scheme = isTokenServiceAddrEmpty ? null
@@ -257,6 +277,11 @@ public class TimelineClientImpl extends TimelineClient {
   public void cancelDelegationToken(
       final Token<TimelineDelegationTokenIdentifier> timelineDT)
       throws IOException, YarnException {
+    if(authType.equals(PseudoAuthenticationHandler.TYPE)) {
+      LOG.info("Skipping cancel timeline delegation token since authType="
+          + PseudoAuthenticationHandler.TYPE);
+      return;
+    }
     final boolean isTokenServiceAddrEmpty =
         timelineDT.getService().toString().isEmpty();
     final String scheme = isTokenServiceAddrEmpty ? null

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/client/api/impl/TestTimelineClient.java

@@ -22,6 +22,7 @@ import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.doReturn;
 import static org.mockito.Mockito.doThrow;
 import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.never;
 import static org.mockito.Mockito.spy;
 import static org.mockito.Mockito.when;
 import static org.mockito.Mockito.verify;
@@ -316,6 +317,44 @@ public class TestTimelineClient {
     }
   }
 
+  /**
+   * Test actual delegation token operations are not carried out when
+   * simple auth is configured for timeline.
+   * @throws Exception
+   */
+  @Test
+  public void testDelegationTokenDisabledOnSimpleAuth() throws Exception {
+    YarnConfiguration conf = new YarnConfiguration();
+    conf.setBoolean(YarnConfiguration.TIMELINE_SERVICE_ENABLED, true);
+    conf.set(YarnConfiguration.TIMELINE_HTTP_AUTH_TYPE, "simple");
+    UserGroupInformation.setConfiguration(conf);
+
+    TimelineClientImpl tClient = createTimelineClient(conf);
+    TimelineConnector spyConnector = spy(tClient.connector);
+    tClient.connector = spyConnector;
+    try {
+      // try getting a delegation token
+      Token<TimelineDelegationTokenIdentifier> identifierToken =
+          tClient.getDelegationToken(
+          UserGroupInformation.getCurrentUser().getShortUserName());
+      // Get a null token when using simple auth
+      Assert.assertNull(identifierToken);
+
+      // try renew a delegation token
+      Token<TimelineDelegationTokenIdentifier> dummyToken = new Token<>();
+      long renewTime = tClient.renewDelegationToken(dummyToken);
+      // Get invalid expiration time so that RM skips renewal
+      Assert.assertEquals(renewTime, -1);
+
+      // try cancel a delegation token
+      tClient.cancelDelegationToken(dummyToken);
+      // Shouldn't try to cancel and connect to authURL
+      verify(spyConnector, never()).getDelegationTokenAuthenticatedURL();
+    } finally {
+      tClient.stop();
+    }
+  }
+
   private static void assertFail() {
     Assert.fail("Exception expected! "
         + "Timeline server should be off to run this test.");