You are viewing a plain text version of this content. The canonical link for it is here.

Posted to yarn-dev@hadoop.apache.org by "Steve Loughran (JIRA)" <ji...@apache.org> on 2016/03/25 11:52:25 UTC

[jira] [Created] (YARN-4877) Add a way to push out updated service tokens to containers

Steve Loughran created YARN-4877:
------------------------------------

             Summary: Add a way to push out updated service tokens to containers
                 Key: YARN-4877
                 URL: https://issues.apache.org/jira/browse/YARN-4877
             Project: Hadoop YARN
          Issue Type: Sub-task
    Affects Versions: 2.8.0
            Reporter: Steve Loughran


All YARN apps with a planned lifespan of more than 24h need to have a way to push out updated tokens to containers; the tokens themselves coming from an AM with a keytab, a kinited user, or oozie. 

Per-app solutions are likely to have different security flaws, testability/support problems etc. Yet we already have a mechanism for the RM to pass credentials to the NMs and into the local filesystem for container launch...this could be extended to support updated credential propagation, something like

# AM/RM protocol adds operation to replace credentials on a container; NM uses this to pull down new value; UGI refresh thread can look for updated data @ {{HADOOP_TOKEN_FILES_LOCATION}} and reload.
# YARN Client API extended to allow AM launch context credentials to be similarly updated



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)