YARN-5353. ResourceManager can leak delegation tokens when they are shared across apps. (Jason Lowe via Varun Saxena).

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/DelegationTokenRenewer.java

@@ -773,7 +773,7 @@ public class DelegationTokenRenewer extends AbstractService {
 
   private void removeApplicationFromRenewal(ApplicationId applicationId) {
     rmContext.getSystemCredentialsForApps().remove(applicationId);
-    Set<DelegationTokenToRenew> tokens = appTokens.get(applicationId);
+    Set<DelegationTokenToRenew> tokens = appTokens.remove(applicationId);
 
     if (tokens != null && !tokens.isEmpty()) {
       synchronized (tokens) {
@@ -798,15 +798,10 @@ public class DelegationTokenRenewer extends AbstractService {
           // cancel the token
           cancelToken(dttr);
 
-          it.remove();
           allTokens.remove(dttr.token);
         }
       }
     }
-
-    if(tokens != null && tokens.isEmpty()) {
-      appTokens.remove(applicationId);
-    }
   }
 
   /**

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/security/TestDelegationTokenRenewer.java

@@ -1254,6 +1254,9 @@ public class TestDelegationTokenRenewer {
     Assert.assertTrue(dttr.referringAppIds.isEmpty());
     Assert.assertTrue(dttr.isTimerCancelled());
     Assert.assertTrue(Renewer.cancelled);
+
+    // make sure the token also has been removed from appTokens
+    Assert.assertFalse(renewer.getDelegationTokens().contains(token1));
   }
 
 }