hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Vinod Kumar Vavilapalli (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-694) Start using NMTokens to authenticate all communication with NM
Date Tue, 18 Jun 2013 04:33:21 GMT

    [ https://issues.apache.org/jira/browse/YARN-694?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13686379#comment-13686379

Vinod Kumar Vavilapalli commented on YARN-694:

More comments
 - client.maximum-number-nm-proxy-connections -> client.max-nodemanagers-proxies
 - BuilderUtils newContainerToken that you changed: Please mark it as only for testing
 - TestContainerManagerSecurity: invalidContainerId and validNMToken are unused.

 - createStopContainerRequest, createGetContainerRequest, createStartContainerRequest can
be inlined and you use the factory methods in the records.
 - Can you group start/stop/get together?

 - count -> activeCallers
 - maxNumOfProxies - > maxConnectedNMs
 - closeProxy should be mayBeCloseProxy
 - stopAllProxy -> stopAllProxies.
 - proxy.close -> proxy.scheduledForClose
 - Add more comments to getProxy. Specifically about LRU, access/removal of proxies.
 - Also instead of depending on the LinkedHashMap taking care of LRU, we should explicitly
do it.
> Start using NMTokens to authenticate all communication with NM
> --------------------------------------------------------------
>                 Key: YARN-694
>                 URL: https://issues.apache.org/jira/browse/YARN-694
>             Project: Hadoop YARN
>          Issue Type: Bug
>            Reporter: Omkar Vinit Joshi
>            Assignee: Omkar Vinit Joshi
>         Attachments: YARN-694-20130613.patch, YARN-694-20130617.1.patch, YARN-694-20130617.2.patch,
> AM uses the NMToken to authenticate all the AM-NM communication.
> NM will validate NMToken in below manner
> * If NMToken is using current or previous master key then the NMToken is valid. In this
case it will update its cache with this key corresponding to appId.
> * If NMToken is using the master key which is present in NM's cache corresponding to
AM's appId then it will be validated based on this.
> * If NMToken is invalid then NM will reject AM calls.
> Modification for ContainerToken
> * At present RPC validates AM-NM communication based on ContainerToken. It will be replaced
with NMToken. Also now onwards AM will use NMToken per NM (replacing earlier behavior of ContainerToken
per container per NM).
> * startContainer in case of Secured environment is using ContainerToken from UGI YARN-617;
however after this it will use it from the payload (Container).
> * ContainerToken will exist and it will only be used to validate the AM's container start

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

View raw message