Posted to commits@samza.apache.org by "Jakob Homan (JIRA)" <ji...@apache.org> on 2013/08/17 06:46:47 UTC

[jira] [Commented] (SAMZA-19) Secure YARN AM

    [ https://issues.apache.org/jira/browse/SAMZA-19?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13742836#comment-13742836 ] 

Jakob Homan commented on SAMZA-19:
----------------------------------

bq. We should secure the AM dashboard using Hadoop's security mechanism (a SPNEGO servlet filter, I believe).
Hadoop has a pluggable interface for securing its web pages and ships with a SPNEGO filter that implements that interface.  It's pluggable to allow other orgs to use their own SSO solutions.  SPNEGO is just the web version of Kerberos (that's 99% true...) and is standard for connecting in Kerberized environments.

bq. Jakob Homan Any feedback on the best approach here? Does SPNEGO filter seem sane? What's the pattern for RPC?
SPNEGO is fine for the web servlets.  At the RPC level, Kerberos is used at the socket level via GSSAPI.  Since we're running within YARN, it'd be good to base any security on Kerberos/GSSAPI. 

bq. I'm assuming MapReduce is using the same RPC as YARN, and get security at the RPC level for free.
It's the other way around (historically), but yeah.  Need to take a deeper look into the YARN security.  
                
> Secure YARN AM
> --------------
>
>                 Key: SAMZA-19
>                 URL: https://issues.apache.org/jira/browse/SAMZA-19
>             Project: Samza
>          Issue Type: Bug
>            Reporter: Chris Riccomini
>
> Samza's YARN AM starts a Jetty servlet container that runs a Scalatra/SCAML dashboard server for the Samza job, and an HTTP-RESTish RPC server on two different ports.
> We should secure the AM dashboard using Hadoop's security mechanism (a SPNEGO servlet filter, I believe).
> Need to investigate what to do regarding the RPC server.
> [~jakobhoman] Any feedback on the best approach here? Does SPNEGO filter seem sane? What's the pattern for RPC?
> I'm assuming MapReduce is using the same RPC as YARN, and get security at the RPC level for free.
