hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Vinod Kumar Vavilapalli (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-694) Start using NMTokens to authenticate all communication with NM
Date Tue, 18 Jun 2013 04:33:21 GMT

    [ https://issues.apache.org/jira/browse/YARN-694?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13686379#comment-13686379
] 

Vinod Kumar Vavilapalli commented on YARN-694:
----------------------------------------------

More comments
 - client.maximum-number-nm-proxy-connections -> client.max-nodemanagers-proxies
 - BuilderUtils newContainerToken that you changed: Please mark it as only for testing
 - TestContainerManagerSecurity: invalidContainerId and validNMToken are unused.

NMClientImpl
 - createStopContainerRequest, createGetContainerRequest, createStartContainerRequest can
be inlined and you use the factory methods in the records.
 - Can you group start/stop/get together?

ContainerManagementProtocolProxy
 - count -> activeCallers
 - maxNumOfProxies - > maxConnectedNMs
 - closeProxy should be mayBeCloseProxy
 - stopAllProxy -> stopAllProxies.
 - proxy.close -> proxy.scheduledForClose
 - Add more comments to getProxy. Specifically about LRU, access/removal of proxies.
 - Also instead of depending on the LinkedHashMap taking care of LRU, we should explicitly
do it.
                
> Start using NMTokens to authenticate all communication with NM
> --------------------------------------------------------------
>
>                 Key: YARN-694
>                 URL: https://issues.apache.org/jira/browse/YARN-694
>             Project: Hadoop YARN
>          Issue Type: Bug
>            Reporter: Omkar Vinit Joshi
>            Assignee: Omkar Vinit Joshi
>         Attachments: YARN-694-20130613.patch, YARN-694-20130617.1.patch, YARN-694-20130617.2.patch,
YARN-694-20130617.patch
>
>
> AM uses the NMToken to authenticate all the AM-NM communication.
> NM will validate NMToken in below manner
> * If NMToken is using current or previous master key then the NMToken is valid. In this
case it will update its cache with this key corresponding to appId.
> * If NMToken is using the master key which is present in NM's cache corresponding to
AM's appId then it will be validated based on this.
> * If NMToken is invalid then NM will reject AM calls.
> Modification for ContainerToken
> * At present RPC validates AM-NM communication based on ContainerToken. It will be replaced
with NMToken. Also now onwards AM will use NMToken per NM (replacing earlier behavior of ContainerToken
per container per NM).
> * startContainer in case of Secured environment is using ContainerToken from UGI YARN-617;
however after this it will use it from the payload (Container).
> * ContainerToken will exist and it will only be used to validate the AM's container start
request.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message