hadoop-yarn-dev mailing list archives

From "Daryn Sharp (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (YARN-1841) YARN ignores/overrides explicit security settings
Date Mon, 17 Mar 2014 19:41:42 GMT

     [ https://issues.apache.org/jira/browse/YARN-1841?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Daryn Sharp resolved YARN-1841.

    Resolution: Not A Problem

Oleg, the authentication config setting specifies the _external authentication_ for client
visible services, i.e., the NN, RM, etc.  The _internal authentication_ within the YARN framework
is an implementation detail independent of the config auth method.  YARN does not need to
log a warning or exception for its internal design.

I think you are naively looking at this from the viewpoint of "simple" auth.  Consider Kerberos
auth.  The AM, NM, tasks, etc. cannot use Kerberos to authenticate.  Even if they could, the
token is used to securely sign and transport tamper-resistant values.  Always using tokens
prevents the dreaded "why does this AM/etc. break with security enabled?"  After using the
configured auth for job submission, the code path within YARN is common and the internal auth
is of no concern to the user.

There is no design problem; the API is transparently based on the token + RPC layer meshing
to securely transport (whether simple or Kerberos auth) the identity and resource requirements
between processes.

Feel free to ask Vinod or me questions offline to come up to speed on Hadoop & YARN's security.

> YARN ignores/overrides explicit security settings
> -------------------------------------------------
>                 Key: YARN-1841
>                 URL: https://issues.apache.org/jira/browse/YARN-1841
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: resourcemanager
>    Affects Versions: 2.3.0
>            Reporter: Oleg Zhurakousky
> core-site.xml explicitly sets authentication as SIMPLE
> {code}
>  <property>
>     <name>hadoop.security.authentication</name>
>     <value>simple</value>
>     <description>Simple authentication</description>
>   </property>
> {code}
> However, any attempt to register ApplicationMaster on the remote YARN cluster results in:
> {code}
> org.apache.hadoop.security.AccessControlException: SIMPLE authentication is not enabled.
> . . .
> {code}

This message was sent by Atlassian JIRA
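
The split between configured external authentication and token-based internal authentication described in the reply above, as an added sketch that is not part of the original message and is not Hadoop code. The class, method names, the HMAC-SHA256 construction and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import os


class ResourceManagerSketch:
    """Hypothetical token issuer and verifier; not a Hadoop class."""

    def __init__(self, configured_auth):
        self.configured_auth = configured_auth  # "simple" or "kerberos"
        self._master_key = os.urandom(32)       # never leaves the issuer

    def _sign(self, identifier):
        # Assumption: HMAC-SHA256 over the serialized identifier.
        return hmac.new(self._master_key, identifier, hashlib.sha256).digest()

    def submit_application(self, user, credential=None):
        # External authentication: the only step that depends on the config.
        if self.configured_auth == "kerberos" and credential != "constructed-ticket":
            raise PermissionError("kerberos credential required")
        identifier = json.dumps(
            {"app": "app_0001", "memory_mb": 1024, "owner": user}, sort_keys=True
        ).encode()
        return identifier, self._sign(identifier)

    def register_application_master(self, identifier, password):
        # Internal authentication: token only, whatever configured_auth says.
        # Simplification: the password is compared directly in this sketch.
        if not hmac.compare_digest(self._sign(identifier), password or b""):
            raise PermissionError("token missing or tampered")
        return json.loads(identifier)


def attempt(rm, identifier, password):
    try:
        return rm.register_application_master(identifier, password)["memory_mb"]
    except PermissionError:
        return "rejected"


def run_demo():
    outcome = {}
    for auth in ("simple", "kerberos"):
        rm = ResourceManagerSketch(auth)
        ident, pw = rm.submit_application("alice", credential="constructed-ticket")
        outcome[auth] = (
            attempt(rm, ident, pw),                            # valid token
            attempt(rm, ident.replace(b"1024", b"9999"), pw),  # edited request
            attempt(rm, ident, None),                          # no token
        )
    return outcome
```

Under both settings the registration path behaves the same: the issued token is accepted, while an edited identifier or a missing token is rejected.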
