Posted to yarn-dev@hadoop.apache.org by "Daryn Sharp (JIRA)" <ji...@apache.org> on 2014/03/17 20:41:42 UTC

[jira] [Resolved] (YARN-1841) YARN ignores/overrides explicit security settings

     [ https://issues.apache.org/jira/browse/YARN-1841?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daryn Sharp resolved YARN-1841.
-------------------------------

    Resolution: Not A Problem

Oleg, the authentication config setting specifies the _external authentication_ for client-visible services, i.e. the NN, RM, etc.  The _internal authentication_ within the YARN framework is an implementation detail independent of the config auth method.  YARN does not need to log a warning or exception for its internal design.

I think you are naively looking at this from the viewpoint of "simple" auth.  Consider Kerberos auth.  The AM, NM, tasks, etc. cannot use Kerberos to authenticate.  Even if they could, the token is used to securely sign and transport tamper-resistant values.  Always using tokens prevents the dreaded "why does this AM/etc. break with security enabled?"  After using the configured auth for job submission, the code path within YARN is common and the internal auth is of no concern to the user.

There is no design problem; the API is transparently based on the token + RPC layer meshing to securely transport (whether simple or Kerberos auth) the identity and resource requirements between processes.

Feel free to ask Vinod or me questions offline to come up to speed on Hadoop & YARN's security.

> YARN ignores/overrides explicit security settings
> -------------------------------------------------
>
>                 Key: YARN-1841
>                 URL: https://issues.apache.org/jira/browse/YARN-1841
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: resourcemanager
>    Affects Versions: 2.3.0
>            Reporter: Oleg Zhurakousky
>
> core-site.xml explicitly sets authentication as SIMPLE
> {code}
>   <property>
>     <name>hadoop.security.authentication</name>
>     <value>simple</value>
>     <description>Simple authentication</description>
>   </property>
> {code}
> However any attempt to register ApplicationMaster on the remote YARN cluster results in 
> {code}
> org.apache.hadoop.security.AccessControlException: SIMPLE authentication is not enabled.  Available:[TOKEN]
> . . .
> {code}



--
This message was sent by Atlassian JIRA
(v6.2#6252)
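
A model of the split described in the resolution above, added here as an illustration and not taken from the message or from Hadoop's code: the configured method is checked only on the client-facing submission call, while ApplicationMaster registration accepts only a signed token that carries the identity and resource values. `ToyResourceManager`, its method names, the JSON identifier layout and the HMAC-SHA256 signing are assumptions made for this example.

```python
import hashlib
import hmac
import json
import os


class AccessControlException(Exception):
    """Stand-in for org.apache.hadoop.security.AccessControlException."""


class ToyResourceManager:
    """Model only, not Hadoop code: external auth at submission, TOKEN inside."""

    def __init__(self, configured_auth="simple"):
        self.configured_auth = configured_auth  # models hadoop.security.authentication
        self._master_key = os.urandom(32)       # assumption: secret known only to the RM

    def _sign(self, identifier: bytes) -> bytes:
        # Assumption: HMAC-SHA256 stands in for the real token password derivation.
        return hmac.new(self._master_key, identifier, hashlib.sha256).digest()

    def submit_application(self, user, auth_method, memory_mb):
        # The configured (external) method is enforced only on this client-facing call.
        if auth_method != self.configured_auth:
            raise AccessControlException(f"{auth_method} authentication is not enabled.")
        identifier = json.dumps(
            {"user": user, "attempt": "attempt-0001", "memory_mb": memory_mb},
            sort_keys=True,
        ).encode()
        return {"identifier": identifier, "password": self._sign(identifier)}

    def register_application_master(self, auth_method, token=None):
        # Internal endpoint: TOKEN is the only method, whatever core-site.xml says.
        if auth_method != "TOKEN" or token is None:
            raise AccessControlException(
                f"{auth_method} authentication is not enabled.  Available:[TOKEN]"
            )
        expected = self._sign(token["identifier"])
        if not hmac.compare_digest(expected, token["password"]):
            raise AccessControlException("token identifier was modified in transit")
        return json.loads(token["identifier"])


if __name__ == "__main__":
    rm = ToyResourceManager(configured_auth="simple")
    token = rm.submit_application("alice", "simple", memory_mb=1024)  # constructed values
    print(rm.register_application_master("TOKEN", token))
```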