hadoop-yarn-issues mailing list archives

From "Jian He (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-4653) Document YARN security model from the perspective of Application Developers
Date Sat, 06 Feb 2016 07:27:40 GMT

    [ https://issues.apache.org/jira/browse/YARN-4653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15135658#comment-15135658 ]

Jian He commented on YARN-4653:
-------------------------------

The title below has some format issues. The two lines need to be on the same line.
{code}
### AM keytab distributed via YARN; AM regenerates delegation
tokens for containers.
{code}

bq. No? I'm thinking of all tokens supplied to the container launch context,
I think not. The delegation tokens will be kept renewed by the DelegationTokenRenewer thread every 24 hrs. The AM keeps using the same token until the token expires after 7 days.
bq. What should an app do in terms of running anything in its own process to refresh/renew tokens?
IIUC, renewal will be done by the DelegationTokenRenewer thread in the RM automatically every 24 hr until the final expiration (7 days). After that, the AM has to get a new token in some way to run beyond 7 days. Or just use keytabs, instead of delegation tokens like you mentioned.

> Document YARN security model from the perspective of Application Developers
> ---------------------------------------------------------------------------
>
>                 Key: YARN-4653
>                 URL: https://issues.apache.org/jira/browse/YARN-4653
>             Project: Hadoop YARN
>          Issue Type: Task
>          Components: site
>    Affects Versions: 2.7.2
>            Reporter: Steve Loughran
>            Assignee: Steve Loughran
>         Attachments: YARN-4653-001.patch, YARN-4653-002.patch, YARN-4653-003.patch
>
>   Original Estimate: 2h
>  Remaining Estimate: 2h
>
> What YARN apps need to do for security today is generally copied direct from distributed shell, with a bit of [ill-informed superstition|https://steveloughran.gitbooks.io/kerberos_and_hadoop/content/sections/yarn.html] being the sole prose.
> We need a normative document in the YARN site covering
> # the needs for YARN security
> # token creation for AM launch
> # how the RM gets involved
> # token propagation on container launch
> # token renewal strategies
> # How to get tokens for other apps like HBase and Hive.
> # how to work under Oozie
> Perhaps the WritingYarnApplications.md doc is updated, otherwise why not just link to the relevant bit of the distributed shell client on GitHub for a guarantee of staying up to date?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
