hadoop-mapreduce-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Daryn Sharp (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (MAPREDUCE-5199) AppTokens file can/should be removed
Date Fri, 17 May 2013 20:59:16 GMT

    [ https://issues.apache.org/jira/browse/MAPREDUCE-5199?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13661043#comment-13661043
] 

Daryn Sharp commented on MAPREDUCE-5199:
----------------------------------------

The issue stems from {{conf.getCredentials().addAll(credentials)}}.  Conf is a JobConf, and
credentials is obtained via the login UGI.  These credentials include the app token so by
propagating them into the jobConf, the tasks acquire the app token.

When the task submits a job, the submission writes out the appTokens file which now includes
the leaked app token.  The child job's AM reads in the file, adds it to its credentials, thus
clobbering its own app token.

We've successfully tested the patch on a secure cluster.  The app token no longer leaks to
the task.
                
> AppTokens file can/should be removed
> ------------------------------------
>
>                 Key: MAPREDUCE-5199
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-5199
>             Project: Hadoop Map/Reduce
>          Issue Type: Sub-task
>          Components: security
>    Affects Versions: 3.0.0, 2.0.5-beta
>            Reporter: Vinod Kumar Vavilapalli
>            Assignee: Daryn Sharp
>            Priority: Blocker
>         Attachments: MAPREDUCE-5199.patch
>
>
> All the required tokens are propagated to AMs and containers via startContainer(), no
need for explicitly creating the app-token file that we have today..

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message