Posted to yarn-issues@hadoop.apache.org by "Eron Wright (JIRA)" <ji...@apache.org> on 2014/12/30 05:03:13 UTC

[jira] [Commented] (YARN-2477) DockerContainerExecutor must support secure mode

    [ https://issues.apache.org/jira/browse/YARN-2477?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14260745#comment-14260745 ] 

Eron Wright  commented on YARN-2477:
------------------------------------

A key question here is whether it is necessary for the container to be capable of Kerberos authentication. Considering how tasks primarily use delegation tokens rather than Kerberos auth, the ability might not be important. A valid scenario might be appmasters with Kerberized endpoints.

By running in a container, the application loses access to two relevant files on the host filesystem: a) the /etc/krb5.conf file, and b) the installed JCE policy files (which Abin alludes to). Those files may vary by environment and are typically managed by Ambari/Cloudera Manager. On a), one solution is for the DockerContainerExecutor to share /etc/krb5.conf into the container. On b), I think it acceptable to defer the JCE issue and assume that the image will contain the needed policy. I believe that the steps to install a JCE policy vary by Linux distribution (some use 'alternatives').



> DockerContainerExecutor must support secure mode
> ------------------------------------------------
>
>                 Key: YARN-2477
>                 URL: https://issues.apache.org/jira/browse/YARN-2477
>             Project: Hadoop YARN
>          Issue Type: New Feature
>            Reporter: Abin Shahab
>              Labels: security
>
> DockerContainerExecutor (patch in YARN-1964) does not support Kerberized Hadoop clusters yet, as a Kerberized Hadoop cluster has a strict dependency on the LinuxContainerExecutor.
> For Docker containers to be used in a production environment, they must support secure Hadoop. Issues regarding Java's AES encryption library in a containerized environment also need to be worked out.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
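
The two host dependencies named in the comment above (/etc/krb5.conf and the JCE policy) can be verified from inside an image before a Kerberized process is started there. The following preflight check is an added example, not code from this thread or from Hadoop; the class name `KerberosPreflight` and its exit-code convention are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.NoSuchAlgorithmException;
import java.util.List;
import javax.crypto.Cipher;

/** Hypothetical preflight: run inside the container image; exits 1 if Kerberos prerequisites are missing. */
public class KerberosPreflight {

    /** Returns the default_realm value found in krb5.conf lines, or null if none is set. */
    static String defaultRealm(List<String> lines) {
        for (String raw : lines) {
            String line = raw.trim();
            if (line.startsWith("#") || line.startsWith(";")) continue; // krb5.conf comment lines
            int eq = line.indexOf('=');
            if (eq > 0 && line.substring(0, eq).trim().equals("default_realm")) {
                return line.substring(eq + 1).trim();
            }
        }
        return null;
    }

    public static void main(String[] args) throws IOException, NoSuchAlgorithmException {
        boolean ok = true;

        // The JDK honours -Djava.security.krb5.conf; /etc/krb5.conf is the path named in the comment.
        Path conf = Paths.get(System.getProperty("java.security.krb5.conf", "/etc/krb5.conf"));
        if (!Files.isReadable(conf)) {
            System.err.println("FAIL: " + conf + " is not readable inside the container");
            ok = false;
        } else {
            String realm = defaultRealm(Files.readAllLines(conf));
            System.out.println("krb5.conf: " + conf + ", default_realm=" + realm);
            if (realm == null) System.err.println("WARN: no default_realm set in " + conf);
        }

        // Limited-strength JCE policy caps AES at 128 bits; unlimited policy reports Integer.MAX_VALUE.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        if (maxAes < 256) {
            System.err.println("FAIL: JCE policy caps AES at " + maxAes
                    + " bits; AES-256 Kerberos encryption types will not work");
            ok = false;
        } else {
            System.out.println("JCE policy allows AES-256");
        }
        System.exit(ok ? 0 : 1);
    }
}
```

Running it as the image's first step makes a missing krb5.conf share or a limited JCE policy fail fast at container start rather than as an opaque authentication error later.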