hadoop-yarn-issues mailing list archives

From "Steve Loughran (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-941) RM Should have a way to update the tokens it has for a running application
Date Thu, 19 Jun 2014 20:30:27 GMT

    [ https://issues.apache.org/jira/browse/YARN-941?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14037828#comment-14037828 ]

Steve Loughran commented on YARN-941:
-------------------------------------

[~vanzin], the issue here is that the AMRM token is only valid for 48h or so, after which
an AM can't talk to the RM.

This feature allows the RM to push out to the AM a new token. An attacker who gets the old
token would only be able to impersonate the AM for the remaining life of that token. 

Without this feature we can't have long-lived YARN services. 

Even with this, there's still the challenge of updating HDFS tokens. YARN is leaving that
to the application either through client-initiated updates (client gets token, pushes to AM
somehow), or preinstalled keytabs a la HBase.

> RM Should have a way to update the tokens it has for a running application
> --------------------------------------------------------------------------
>
>                 Key: YARN-941
>                 URL: https://issues.apache.org/jira/browse/YARN-941
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Robert Joseph Evans
>            Assignee: Xuan Gong
>         Attachments: YARN-941.preview.2.patch, YARN-941.preview.3.patch, YARN-941.preview.4.patch, YARN-941.preview.patch
>
>
> When an application is submitted to the RM it includes with it a set of tokens that the RM will renew on behalf of the application, that will be passed to the AM when the application is launched, and will be used when launching the application to access HDFS to download files on behalf of the application.
> For long-lived applications/services these tokens can expire, and then the tokens that the AM has will be invalid, and the tokens that the RM had will also not work to launch a new AM.
> We need to provide an API that will allow the RM to replace the current tokens for this application with a new set. To avoid any real race issues, I think this API should be something that the AM calls, so that the client can connect to the AM with a new set of tokens it got using Kerberos, then the AM can inform the RM of the new set of tokens and quickly update its tokens internally to use these new ones.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
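
A toy model of the token rollover discussed in the comment above, added here as an example; it is not code from YARN or from this thread. The HMAC token format, the 6-hour roll margin, the hourly heartbeat, and the names `TokenIssuer` and `simulate` are assumptions; only the roughly 48-hour lifetime comes from the comment.

```python
import hashlib
import hmac

TOKEN_LIFETIME_S = 48 * 3600   # "48h or so", per the comment above
ROLL_MARGIN_S = 6 * 3600       # assumed: re-issue this long before expiry


class TokenIssuer:
    """Hypothetical stand-in for the RM side: issues and verifies expiring tokens."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def _mac(self, app_id: str, expiry: int) -> str:
        msg = f"{app_id}|{expiry}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue(self, app_id: str, now: int) -> dict:
        expiry = now + TOKEN_LIFETIME_S
        return {"app": app_id, "expiry": expiry, "mac": self._mac(app_id, expiry)}

    def verify(self, token: dict, now: int) -> bool:
        expected = self._mac(token["app"], token["expiry"])
        return hmac.compare_digest(expected, token["mac"]) and now < token["expiry"]

    def maybe_roll(self, token: dict, now: int) -> dict:
        # Hand out a fresh token once the current one is inside the roll margin.
        if token["expiry"] - now <= ROLL_MARGIN_S:
            return self.issue(token["app"], now)
        return token


def simulate(hours: int, roll: bool = True, stolen_at_h: int = 10):
    """Run a long-lived AM with hourly heartbeats.

    Returns (am_always_accepted, last_hour_a_stolen_copy_was_accepted).
    """
    rm = TokenIssuer(b"constructed-demo-secret")  # constructed sample key
    am_token = rm.issue("app_0001", now=0)
    stolen, am_ok, stolen_last_ok_h = None, True, None
    for h in range(hours + 1):
        now = h * 3600
        am_ok = am_ok and rm.verify(am_token, now)
        if roll:
            am_token = rm.maybe_roll(am_token, now)  # new token rides on the reply
        if h == stolen_at_h:
            stolen = dict(am_token)                  # copy of the token then in use
        if stolen and rm.verify(stolen, now):
            stolen_last_ok_h = h
    return am_ok, stolen_last_ok_h
```

With rollover the AM stays authenticated for the whole run, while a copy of the first token stops verifying once its original 48-hour lifetime ends; with `roll=False` the AM itself is rejected from hour 48 onward.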
