Posted to yarn-issues@hadoop.apache.org by "Eric Yang (JIRA)" <ji...@apache.org> on 2019/08/14 17:50:00 UTC

[jira] [Resolved] (YARN-9735) Allow User Keytab to submit YARN Native Service

     [ https://issues.apache.org/jira/browse/YARN-9735?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Eric Yang resolved YARN-9735.
-----------------------------
    Resolution: Invalid

[~Prabhu Joseph] A user principal is not used as a service principal because the TGS request authenticates the client principal with the service principal, and this information is validated on the AM side to ensure that KDC pre-authentication took place; the server can only reconfirm the end user's credential based on validation of the service principals granted to the end user. The service principal must match the hostname of the running service. Without the presence of a hostname in the service principal, there is no security validation on the service side to determine whether the end user is allowed or not. Hence, allowing a user principal to run as a service becomes a security hole. This reasoning makes the implementation invalid. Thank you for trying.

> Allow User Keytab to submit YARN Native Service 
> ------------------------------------------------
>
>                 Key: YARN-9735
>                 URL: https://issues.apache.org/jira/browse/YARN-9735
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: yarn-native-services
>    Affects Versions: 3.2.0
>            Reporter: Prabhu Joseph
>            Assignee: Prabhu Joseph
>            Priority: Major
>
> Yarn Native Service launch fails on a secure cluster with a user keytab. It allows only a service keytab. I have seen most of the users test their jobs with a user keytab.
> {code}
> [ambari-qa@pjosephdocker-3 ~]$ yarn app -launch sleeper-service /usr/hdp/3.0.1.0-187/hadoop-yarn/yarn-service-examples/sleeper/sleeper.json
> 19/08/03 17:17:04 ERROR client.ApiServiceClient: Kerberos principal (ambari-qa-pjosephdocker@DOCKER.COM) does  not contain a hostname.
> {code}
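An added example (not Hadoop's own code) of the check behind the error above: it parses a Kerberos principal into primary[/instance]@REALM and rejects a user principal as a service principal because it has no hostname component. The comparison against the local hostname and the `_HOST` placeholder substitution are assumed conventions for the example, not code from the page.

```python
# Added example, not Hadoop's code: parse a Kerberos principal and apply the
# rule that a service principal must carry the hostname of the running service.
from dataclasses import dataclass
from typing import Optional

HOST_PLACEHOLDER = "_HOST"  # assumed Hadoop-style placeholder for the local hostname

@dataclass(frozen=True)
class Principal:
    components: tuple  # primary first, then instance(s)
    realm: str

    @property
    def instance(self) -> Optional[str]:  # None for a plain user principal
        return self.components[1] if len(self.components) > 1 else None

def parse_principal(text: str) -> Principal:
    """Split 'primary[/instance...]@REALM'; a backslash escapes the next char."""
    fields, buf, in_realm, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):  # escaped '/', '@' or '\'
            buf.append(text[i + 1])
            i += 2
            continue
        if ch == "@" and not in_realm:  # first unescaped '@' starts the realm
            fields.append("".join(buf))
            buf, in_realm = [], True
        elif ch == "/" and not in_realm:  # component separator in the name part
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if not in_realm or not buf or not fields[0]:
        raise ValueError(f"expected primary[/instance]@REALM, got {text!r}")
    return Principal(tuple(fields), "".join(buf))

def check_service_principal(text: str, local_host: str) -> Optional[str]:
    """None if usable as this host's service principal, else the rejection reason."""
    try:
        p = parse_principal(text)
    except ValueError as err:
        return str(err)
    if p.instance is None:  # user principal: no hostname component at all
        return f"Kerberos principal ({text}) does not contain a hostname."
    host = local_host if p.instance == HOST_PLACEHOLDER else p.instance
    if host.lower() != local_host.lower():  # assumed check: must name this host
        return f"service principal host {host!r} is not this host {local_host!r}"
    return None
```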



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
