Mailing-List: contact yarn-issues-help@hadoop.apache.org; run by ezmlm
Precedence: bulk
Reply-To: yarn-issues@hadoop.apache.org
Date: Tue, 24 Jun 2014 17:21:26 +0000 (UTC)
From: "Anubhav Dhoot (JIRA)" <jira@apache.org>
To: yarn-issues@hadoop.apache.org
Message-ID: <JIRA.12658813.1374260608194.38513.1403630486815@arcas>
In-Reply-To: <JIRA.12658813.1374260608194@arcas>
References: <JIRA.12658813.1374260608194@arcas>
Subject: [jira] [Commented] (YARN-941) RM Should have a way to update the
 tokens it has for a running application
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit


    [ https://issues.apache.org/jira/browse/YARN-941?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14042399#comment-14042399 ] 

Anubhav Dhoot commented on YARN-941:
------------------------------------

Let me try to summarize the different points of view.

>Per [~vanzin] if there were a method for securely exchanging tokens, there would be no need for token renewal
The way authentication is being done in the current model is you need to present the token when making the RPC call. The only mitigations for an attacker sniffing this channel is (a) don't send tokens and use a different authentication model or (b) secure the RPC channel (encryption for eg). If you do (a), say instead of sending tokens we have a shared secret that is derived from some key exchange protocol and then use it for making signed HMAC of the request that would address what you are referring to. This is for example what [AWS|http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html]/Azure use. [~vanzin] I wonder if you wan't to discuss option (a) which is fair but seems out of scope for this jira. 

Staying with the current model ie. (b), changing tokens periodically does mitigate a different attack surface. Its when the attacker can steal tokens from a different place and tries to use it while making the RPC. Now the question is we do worry about mitigating this attack surface - 
- If YES -  then (c) go ahead and replace tokens periodically.
- If NO - then (d) we don't need to replace tokens and let the token be used for much longer by making the expiration configurable per App.

> RM Should have a way to update the tokens it has for a running application
> --------------------------------------------------------------------------
>
>                 Key: YARN-941
>                 URL: https://issues.apache.org/jira/browse/YARN-941
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Robert Joseph Evans
>            Assignee: Xuan Gong
>         Attachments: YARN-941.preview.2.patch, YARN-941.preview.3.patch, YARN-941.preview.4.patch, YARN-941.preview.patch
>
>
> When an application is submitted to the RM it includes with it a set of tokens that the RM will renew on behalf of the application, that will be passed to the AM when the application is launched, and will be used when launching the application to access HDFS to download files on behalf of the application.
> For long lived applications/services these tokens can expire, and then the tokens that the AM has will be invalid, and the tokens that the RM had will also not work to launch a new AM.
> We need to provide an API that will allow the RM to replace the current tokens for this application with a new set.  To avoid any real race issues, I think this API should be something that the AM calls, so that the client can connect to the AM with a new set of tokens it got using kerberos, then the AM can inform the RM of the new set of tokens and quickly update its tokens internally to use these new ones.


--
This message was sent by Atlassian JIRA
(v6.2#6252)