hadoop-yarn-issues mailing list archives

From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-6669) Support security for YARN service framework
Date Fri, 01 Dec 2017 18:38:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-6669?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16274754#comment-16274754 ]

Eric Yang commented on YARN-6669:
---------------------------------

In ServiceScheduler.java, the newly introduced code sets KEY_REGISTRY_USER_ACCOUNTS
to the full name of the Kerberos principal.  The ZooKeeper client only makes
use of the short name, therefore setting the znode ACL {{sasl: spark-demo@EXAMPLE.COM}} will not
match during ZooKeeper client assumption for reading and writing.  This is the reason that
we get NoAuth and NoNode exceptions when trying to read the znode that we stored in ZooKeeper.

> Support security for YARN service framework
> -------------------------------------------
>
>                 Key: YARN-6669
>                 URL: https://issues.apache.org/jira/browse/YARN-6669
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Jian He
>            Assignee: Jian He
>         Attachments: YARN-6669.01.patch, YARN-6669.02.patch, YARN-6669.03.patch, YARN-6669.04.patch,
> YARN-6669.05.patch, YARN-6669.06.patch, YARN-6669.07.patch, YARN-6669.08.patch, YARN-6669.09.patch,
> YARN-6669.10.patch, YARN-6669.yarn-native-services.01.patch, YARN-6669.yarn-native-services.03.patch,
> YARN-6669.yarn-native-services.04.patch, YARN-6669.yarn-native-services.05.patch
>
>
> Changes include:
> - Make the registry client programmatically generate the JAAS conf for secure access to the ZK quorum
> - Create a KerberosPrincipal resource object in the REST API for the user to supply a Kerberos keytab and principal
> - User has two ways to configure:
> -- If keytab starts with "hdfs://", the keytab will be localized by YARN
> -- If keytab starts with "file://", it is assumed that the keytab is available on the localhost.
> - AM will use the keytab to log in
> - ServiceClient is changed to ask for an hdfs delegation token when submitting the service
> - AM code will use the tokens when launching containers
> - Support kerberized communication between client and AM
> - Support kerberized communication between client and AM



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
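
The mismatch described in the comment above, as an added example that is not code from Hadoop, ZooKeeper or the YARN-6669 patches. It assumes, as the comment states, that the client is identified by the short name of its principal, and it models a `sasl` ACL id as an exact string comparison; the class and method names are hypothetical.

```java
// Added illustration: a stand-alone model, no Hadoop or ZooKeeper classes are used.
public class SaslAclCheck {

    /**
     * Short name of a Kerberos principal: drop "@REALM", then any "/host" part.
     * Simplification: real deployments may apply auth_to_local mapping rules instead.
     */
    static String shortName(String principal) {
        int at = principal.indexOf('@');
        String noRealm = at >= 0 ? principal.substring(0, at) : principal;
        int slash = noRealm.indexOf('/');
        return slash >= 0 ? noRealm.substring(0, slash) : noRealm;
    }

    /** Assumed rule: scheme must be "sasl" and the ACL id must equal the authenticated id exactly. */
    static boolean matches(String aclEntry, String authenticatedId) {
        int colon = aclEntry.indexOf(':');
        if (colon < 0) {
            return false; // not in scheme:id form
        }
        String scheme = aclEntry.substring(0, colon).trim();
        String id = aclEntry.substring(colon + 1).trim();
        return scheme.equals("sasl") && id.equals(authenticatedId);
    }

    public static void main(String[] args) {
        String principal = "spark-demo@EXAMPLE.COM"; // principal quoted in the comment
        String authId = shortName(principal);        // identity the client is assumed to present

        String[] acls = {
            "sasl:" + principal, // ACL id set from the full principal name
            "sasl:" + authId     // ACL id set from the short name
        };
        for (String acl : acls) {
            String verdict = matches(acl, authId) ? "match" : "no match";
            System.out.printf("%-30s vs authenticated id %-12s -> %s%n", acl, authId, verdict);
        }
    }
}
```

Under these assumptions only the ACL built from the short name matches, so a znode written with the full-principal ACL cannot be read back by the same client.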
