Posted to yarn-issues@hadoop.apache.org by "Sean Busbey (JIRA)" <ji...@apache.org> on 2016/03/25 15:13:25 UTC

[jira] [Updated] (YARN-4877) Add a way to push out updated service tokens to containers

     [ https://issues.apache.org/jira/browse/YARN-4877?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sean Busbey updated YARN-4877:
------------------------------
    Component/s: security
                 applications

> Add a way to push out updated service tokens to containers
> ----------------------------------------------------------
>
>                 Key: YARN-4877
>                 URL: https://issues.apache.org/jira/browse/YARN-4877
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: applications, security
>    Affects Versions: 2.8.0
>            Reporter: Steve Loughran
>
> All YARN apps with a planned lifespan of more than 24h need to have a way to push out updated tokens to containers; the tokens themselves coming from an AM with a keytab, a kinited user, or Oozie.
> Per-app solutions are likely to have different security flaws, testability/support problems etc. Yet we already have a mechanism for the RM to pass credentials to the NMs and into the local filesystem for container launch...this could be extended to support updated credential propagation, something like
> # AM/RM protocol adds operation to replace credentials on a container; NM uses this to pull down new value; UGI refresh thread can look for updated data @ {{HADOOP_TOKEN_FILES_LOCATION}} and reload.
> # YARN Client API extended to allow AM launch context credentials to be similarly updated


