You are viewing a plain text version of this content. The canonical link for it is here.
Posted to yarn-dev@hadoop.apache.org by "Steve Loughran (JIRA)" <ji...@apache.org> on 2016/03/25 11:52:25 UTC
[jira] [Created] (YARN-4877) Add a way to push out updated service
tokens to containers
Steve Loughran created YARN-4877:
------------------------------------
Summary: Add a way to push out updated service tokens to containers
Key: YARN-4877
URL: https://issues.apache.org/jira/browse/YARN-4877
Project: Hadoop YARN
Issue Type: Sub-task
Affects Versions: 2.8.0
Reporter: Steve Loughran
All YARN apps with a planned lifespan of more than 24h need to have a way to push out updated tokens to containers; the tokens themselves coming from an AM with a keytab, a kinited user, or oozie.
Per-app solutions are likely to have different security flaws, testability/support problems etc. Yet we already have a mechanism for the RM to pass credentials to the NMs and into the local filesystem for container launch...this could be extended to support updated credential propagation, something like
# AM/RM protocol adds operation to replace credentials on a container; NM uses this to pull down new value; UGI refresh thread can look for updated data @ {{HADOOP_TOKEN_FILES_LOCATION}} and reload.
# YARN Client API extended to allow AM launch context credentials to be similarly updated
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)