Posted to yarn-issues@hadoop.apache.org by "Jian He (JIRA)" <ji...@apache.org> on 2017/12/02 06:31:00 UTC

[jira] [Comment Edited] (YARN-6669) Support security for YARN service framework

    [ https://issues.apache.org/jira/browse/YARN-6669?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16275442#comment-16275442 ] 

Jian He edited comment on YARN-6669 at 12/2/17 6:30 AM:
--------------------------------------------------------

Thanks Eric for helping debug. You are right, it is because spark-demo@EXAMPLE.COM got translated to spark instead of spark-demo by the auth_to_local config. Therefore, the spark user got set in the znode ACL instead of spark-demo. That caused it to fail.

And you were also right, I should just take the first section of the principal (NOT the translated short user name) for setting the znode ACLs, because ZooKeeper by default only makes use of the first section of the principal rather than the translated short user name, unless the same auth_to_local is set in krb5.conf as in hadoop.security.auth-to-local.

For simplicity and less effort for users struggling with the configs, the behavior of the current patch is: for spark-demo@EXAMPLE.COM mapped to the spark user, both spark-demo (done by this patch) and spark (earlier done by YARN-6332) will be added to the znode ACLs. fyi [~billie.rinaldi]




was (Author: jianhe):
Thanks Eric for helping debug. You are right, it is because spark-demo@EXAMPLE.COM got translated to spark instead of spark-demo by the auth_to_local config. Therefore, the spark user got set in the znode ACL instead of spark-demo. That caused it to fail.

And you were also right, I should just take the first section of the principal (NOT the translated short user name) for setting the znode ACLs, because ZooKeeper by default only makes use of the first section of the principal rather than the translated short user name, unless the same auth_to_local is set in krb5.conf as in hadoop.security.auth-to-local.

For simplicity and less effort for users struggling with the configs, the behavior of the current patch is: for spark-demo@EXAMPLE.COM mapped to the spark user, both spark-demo (done by this patch) and spark (earlier done by YARN-6332) will be added to the znode ACLs.



> Support security for YARN service framework
> -------------------------------------------
>
>                 Key: YARN-6669
>                 URL: https://issues.apache.org/jira/browse/YARN-6669
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Jian He
>            Assignee: Jian He
>         Attachments: YARN-6669.01.patch, YARN-6669.02.patch, YARN-6669.03.patch, YARN-6669.04.patch, YARN-6669.05.patch, YARN-6669.06.patch, YARN-6669.07.patch, YARN-6669.08.patch, YARN-6669.09.patch, YARN-6669.10.patch, YARN-6669.11.patch, YARN-6669.yarn-native-services.01.patch, YARN-6669.yarn-native-services.03.patch, YARN-6669.yarn-native-services.04.patch, YARN-6669.yarn-native-services.05.patch
>
>
> Changes include:
> - Make the registry client programmatically generate the JAAS conf for secure access to the ZK quorum
> - Create a KerberosPrincipal resource object in the REST API for the user to supply the Kerberos keytab and principal
> - The user has two ways to configure it:
> -- If the keytab starts with "hdfs://", the keytab will be localized by YARN
> -- If the keytab starts with "file://", it is assumed that the keytab is available on the localhost.
> - The AM will use the keytab to log in
> - ServiceClient is changed to ask for an HDFS delegation token when submitting the service
> - AM code will use the tokens when launching containers
> - Support kerberized communication between the client and the AM
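As an added illustration of the mismatch discussed in the comment above (this is example code written for this page, not code from the patch, Hadoop or ZooKeeper): a small Python evaluator for Hadoop-style hadoop.security.auth_to_local rules, placed beside a model of the identity ZooKeeper compares sasl: ACL entries against. The rule set RULES, the realm EXAMPLE.COM and all function names are constructed for the example; the ZooKeeper side is simplified to exactly what the comment states (the first section of the principal by default, the mapped short name only when krb5.conf carries the same rules, which are assumed here to evaluate the same way as Hadoop's).

```python
# Constructed example (not Hadoop or ZooKeeper code): evaluates Hadoop-style
# auth_to_local rules and models the identity ZooKeeper matches sasl: ACLs
# against, to show the mismatch the comment describes and the two-name fix.
import re
from dataclasses import dataclass
from typing import List, Optional

# Hadoop rule grammar after the "RULE:" prefix: [n:string](regexp)s/pattern/replacement/g
# The filter and the substitution are optional; the substitution pattern may not contain '/'.
RULE_RE = re.compile(r"^\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?$")


@dataclass
class Principal:
    components: List[str]  # "nn/host@R" -> ["nn", "host"]; "spark-demo@R" -> ["spark-demo"]
    realm: str


@dataclass
class Rule:
    is_default: bool = False
    num_components: int = 0
    fmt: str = ""                           # $0 = realm, $1.. = components
    match: Optional[re.Pattern] = None      # acceptance filter, must match the whole string
    from_pat: Optional[re.Pattern] = None   # s/from/to/ substitution
    to_pat: str = ""
    repeat: bool = False                    # trailing 'g'


def parse_principal(text: str, default_realm: str) -> Principal:
    name, _, realm = text.partition("@")
    return Principal(name.split("/"), realm or default_realm)


def parse_rules(text: str) -> List[Rule]:
    """Parse a whitespace-separated rule list such as "RULE:[...] DEFAULT"."""
    rules = []
    for tok in text.split():
        if tok == "DEFAULT":
            rules.append(Rule(is_default=True))
            continue
        m = RULE_RE.match(tok[5:]) if tok.startswith("RULE:") else None
        if m is None:
            raise ValueError(f"invalid auth_to_local rule: {tok}")
        n, fmt, flt, frm, to, g = m.groups()
        rules.append(Rule(num_components=int(n), fmt=fmt,
                          match=re.compile(flt) if flt is not None else None,
                          from_pat=re.compile(frm) if frm is not None else None,
                          to_pat=re.sub(r"\$(\d+)", r"\\\1", to or ""),  # Java $1 -> Python \1
                          repeat=bool(g)))
    return rules


def _apply(rule: Rule, p: Principal, default_realm: str) -> Optional[str]:
    """Short name if the rule accepts the principal, else None."""
    if rule.is_default:  # DEFAULT: local-realm principals map to their first component
        return p.components[0] if p.realm == default_realm else None
    if len(p.components) != rule.num_components:
        return None
    params = [p.realm] + p.components
    translated = re.sub(r"\$(\d+)", lambda m: params[int(m.group(1))], rule.fmt)
    if rule.match is not None and rule.match.fullmatch(translated) is None:
        return None
    if rule.from_pat is not None:
        translated = rule.from_pat.sub(rule.to_pat, translated, count=0 if rule.repeat else 1)
    return translated


def hadoop_short_name(principal: str, rules: str, default_realm: str) -> str:
    """hadoop.security.auth_to_local result: the first matching rule wins."""
    p = parse_principal(principal, default_realm)
    for rule in parse_rules(rules):
        name = _apply(rule, p, default_realm)
        if name is not None:
            return name
    raise ValueError(f"no auth_to_local rule matched {principal}")


def zookeeper_auth_id(principal: str, default_realm: str, krb5_rules: Optional[str] = None) -> str:
    """Identity ZooKeeper checks sasl: ACL entries against (model from the comment):
    the first section of the principal by default, or the mapped name when krb5.conf
    carries the same auth_to_local rules (assumed here to evaluate like Hadoop's)."""
    if krb5_rules is not None:
        return hadoop_short_name(principal, krb5_rules, default_realm)
    return parse_principal(principal, default_realm).components[0]


def znode_acl_ids(principal: str, hadoop_rules: str, default_realm: str, patched: bool) -> List[str]:
    """ACL identities set on the service znodes: the Hadoop short name only (pre-patch,
    YARN-6332 behaviour) or the first principal section as well (the comment's patch)."""
    ids = [hadoop_short_name(principal, hadoop_rules, default_realm)]
    if patched:
        first = parse_principal(principal, default_realm).components[0]
        if first not in ids:
            ids.insert(0, first)
    return [f"sasl:{i}" for i in ids]


def acl_permits(acl_ids: List[str], auth_id: str) -> bool:
    return f"sasl:{auth_id}" in acl_ids


# Constructed rule set (not the reporter's): spark-demo@EXAMPLE.COM -> spark, others -> $1.
RULES = r"RULE:[1:$1@$0](spark-demo@EXAMPLE\.COM)s/.*/spark/ DEFAULT"
REALM = "EXAMPLE.COM"

if __name__ == "__main__":
    who, zk_id = "spark-demo@EXAMPLE.COM", zookeeper_auth_id("spark-demo@EXAMPLE.COM", REALM)
    for patched in (False, True):
        acl = znode_acl_ids(who, RULES, REALM, patched)
        print(f"patched={patched}: acl={acl}, ZK sees {zk_id!r} ->",
              "allowed" if acl_permits(acl, zk_id) else "NoAuth")
```

Run as a script, it shows the pre-patch ACL (sasl:spark only) rejecting the spark-demo identity that ZooKeeper derives by default, while the patched ACL carries both sasl:spark-demo and sasl:spark. The second name is what keeps access working on a cluster whose krb5.conf applies the same mapping as Hadoop, which is the case the comment gives for adding both rather than only the first section.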



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org