hadoop-mapreduce-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Daryn Sharp (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (MAPREDUCE-3943) RM-NM secret-keys should be randomly generated and rolled every so often
Date Wed, 09 May 2012 20:15:48 GMT

    [ https://issues.apache.org/jira/browse/MAPREDUCE-3943?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13271756#comment-13271756

Daryn Sharp commented on MAPREDUCE-3943:

Just FYI, the patch doesn't apply.

It feels a bit contorted for the RM to have a pb message with the current and prior key (ie.
it's limited), which is the root of the 2X key roll problem.  With the patch the way it is,
having the RM transmit a single key and the NM remembering N-many keys is probably "less bad"...?

Passing the shared secret keys in "plaintext" in heartbeats is a bit troubling in general.
 More concerning is the direction of the data flow:  RM generates secret and gives it to the
NMs.  A rogue or compromised NM can intercept a key which I believe can be used to generate
tokens for other NMs.  If true, doesn't that put the entire cluster at risk?

Conceptually, the RM should simply request a token from the NM and pass the token along to
the AM so it can contact the NM.  It that's too expensive, it seems like the key exchange
should be inverted: NMs generate their own secret, and provide that secret to the RM.  A compromised
node cannot damage the entire cluster.

> RM-NM secret-keys should be randomly generated and rolled every so often
> ------------------------------------------------------------------------
>                 Key: MAPREDUCE-3943
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-3943
>             Project: Hadoop Map/Reduce
>          Issue Type: Sub-task
>          Components: mrv2, security
>    Affects Versions: 0.23.0
>            Reporter: Vinod Kumar Vavilapalli
>            Assignee: Vinod Kumar Vavilapalli
>         Attachments: MAPREDUCE-3943-20120416.txt, MR3943.txt
>  - RM should generate the master-key randomly
>  - The master-key should roll every so often
>  - NM should remember old expired keys so that already doled out container-requests can
be satisfied.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira


View raw message