hadoop-yarn-issues mailing list archives

From "Steve Loughran (JIRA)" <j...@apache.org>
Subject [jira] [Created] (YARN-4877) Add a way to push out updated service tokens to containers
Date Fri, 25 Mar 2016 10:52:25 GMT
Steve Loughran created YARN-4877:

             Summary: Add a way to push out updated service tokens to containers
                 Key: YARN-4877
                 URL: https://issues.apache.org/jira/browse/YARN-4877
             Project: Hadoop YARN
          Issue Type: Sub-task
    Affects Versions: 2.8.0
            Reporter: Steve Loughran

All YARN apps with a planned lifespan of more than 24h need to have a way to push out updated
tokens to containers; the tokens themselves coming from an AM with a keytab, a kinited user,
or Oozie.

Per-app solutions are likely to have different security flaws, testability/support problems
etc. Yet we already have a mechanism for the RM to pass credentials to the NMs and into the
local filesystem for container launch...this could be extended to support updated credential
propagation, something like

# AM/RM protocol adds operation to replace credentials on a container; NM uses this to pull
down new value; UGI refresh thread can look for updated data @ {{HADOOP_TOKEN_FILES_LOCATION}}
and reload.
# YARN Client API extended to allow AM launch context credentials to be similarly updated

This message was sent by Atlassian JIRA
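
One way the reader side of the proposal above could look (the refresh thread that notices an updated token file and reloads it), added here as an illustration; it is not code from the issue or from Hadoop. It assumes hadoop-common on the classpath and a POSIX filesystem, and it reads the environment variable name from Hadoop's `UserGroupInformation.HADOOP_TOKEN_FILE_LOCATION` constant; the class name `TokenFileReloader` and the 60-second poll interval are hypothetical.

```java
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermission;
import java.util.EnumSet;
import java.util.Set;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation;

/** Hypothetical reload loop for a container process; not part of Hadoop. */
public class TokenFileReloader implements Runnable {
  private static final Set<PosixFilePermission> OWNER_ONLY =
      EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE);
  private final Path tokenFile;
  private final Configuration conf = new Configuration();
  private long lastLoadedMillis = -1L;

  public TokenFileReloader(Path tokenFile) { this.tokenFile = tokenFile; }

  @Override
  public void run() {
    try {
      long mtime = Files.getLastModifiedTime(tokenFile).toMillis();
      if (mtime == lastLoadedMillis) return;  // file unchanged since last load
      // Tokens are bearer credentials: refuse a file that group/other can access.
      Set<PosixFilePermission> perms = Files.getPosixFilePermissions(tokenFile);
      if (!OWNER_ONLY.containsAll(perms)) {
        throw new IOException("token file permissions too open: " + perms);
      }
      Credentials fresh = Credentials.readTokenStorageFile(tokenFile.toFile(), conf);
      // Merge the reloaded tokens into the current user's credentials.
      UserGroupInformation.getCurrentUser().addCredentials(fresh);
      lastLoadedMillis = mtime;
    } catch (Exception e) {
      // A partially written or rejected file keeps the old tokens; retry next tick.
      System.err.println("token reload failed: " + e);
    }
  }

  public static void main(String[] args) {
    String location = System.getenv(UserGroupInformation.HADOOP_TOKEN_FILE_LOCATION);
    if (location == null) throw new IllegalStateException("no token file location set");
    Executors.newSingleThreadScheduledExecutor().scheduleWithFixedDelay(
        new TokenFileReloader(Paths.get(location)), 0, 60, TimeUnit.SECONDS);
  }
}
```

Whatever writes the updated file should create it with owner-only permissions and rename it into place, so the reader never sees a half-written or world-readable copy.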
