hadoop-mapreduce-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Daryn Sharp (JIRA)" <j...@apache.org>
Subject [jira] [Created] (MAPREDUCE-5093) Improve RM and HS token acquisition during job submission
Date Fri, 22 Mar 2013 14:51:15 GMT
Daryn Sharp created MAPREDUCE-5093:
--------------------------------------

             Summary: Improve RM and HS token acquisition during job submission
                 Key: MAPREDUCE-5093
                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-5093
             Project: Hadoop Map/Reduce
          Issue Type: Improvement
          Components: job submission
    Affects Versions: 2.0.0-alpha, 0.23.0, 3.0.0
            Reporter: Daryn Sharp


Jobs that intend to submit other jobs (ex. oozie, pig) require a RM token.  Yarn has added
the requirement of a HS token.  Currently the submitter is required to explicitly obtain a
RM token with the correct renewer and add it to the credentials.  To avoid breaking compatibility,
the HS token is implicitly acquired if the submitter acquired a RM token via getDelegationToken.

Viewfs exposed the limitations of assuming only one token per filesystem.  Similarly, the
RM + HS token has the same issue.  We should consider changing the api, ex. {{getDelegationToken(renewer)}}
to {{addDelegationTokens(renewer, creds)}} ala the filesystem change.

Further, token acquisition should ideally be considered an internal implementation detail
required by security.  Submitters, particularly oozie & pig, would benefit greatly from
conf setting to indicate jobs are allowed to submit jobs.  This conf setting would trigger
invoking the proposed {{addDelegationTokens}} plus ensure the correct renewer is used, further
freeing submitters from knowing internal implementation details of security.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message