hadoop-yarn-issues mailing list archives

From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-6669) Support security for YARN service framework
Date Mon, 04 Dec 2017 20:18:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-6669?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16277422#comment-16277422 ]

Eric Yang commented on YARN-6669:

+1.  Summary of this patch:

# Initiate Kerberos login via Application Master.
# Set up JAAS configuration for secure ZooKeeper communication.
# Set up delegation tokens for distributed file system access during container bootstrap.
# Secure znode ACL for published application using sasl:_primary_.

> Support security for YARN service framework
> -------------------------------------------
>                 Key: YARN-6669
>                 URL: https://issues.apache.org/jira/browse/YARN-6669
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Jian He
>            Assignee: Jian He
>         Attachments: YARN-6669.01.patch, YARN-6669.02.patch, YARN-6669.03.patch, YARN-6669.04.patch,
YARN-6669.05.patch, YARN-6669.06.patch, YARN-6669.07.patch, YARN-6669.08.patch, YARN-6669.09.patch,
YARN-6669.10.patch, YARN-6669.11.patch, YARN-6669.12.patch, YARN-6669.yarn-native-services.01.patch,
YARN-6669.yarn-native-services.03.patch, YARN-6669.yarn-native-services.04.patch, YARN-6669.yarn-native-services.05.patch
> Changes include:
> - Make registry client to programmatically generate the jaas conf for secure access ZK quorum
> - Create a KerberosPrincipal resource object in REST API for user to supply kerberos keytab and principal
> - User has two ways to configure:
> -- If keytab starts with "hdfs://",  the keytab will be localized by YARN
> -- If keytab starts with "file://", it is assumed that the keytab are available on the
> - AM will use the keytab to log in
> - ServiceClient is changed to ask hdfs delegation token when submitting the service
> - AM code will use the tokens when launching containers 
> - Support kerberized communication between client and AM

This message was sent by Atlassian JIRA
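
The first change listed in the issue, generating the JAAS configuration in code instead of reading it from a file, together with the two keytab URI schemes, as an added Java example (not code from the YARN-6669 patch). The class and method names, the sample principal and paths, and where each scheme's keytab ends up are assumptions; `Client` is the section name ZooKeeper's SASL client reads by default.

```java
import java.net.URI;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

/** Added illustration; class and method names are hypothetical, not from the YARN patch. */
public class ZkJaasExample {

    /** In-memory JAAS configuration exposing one keytab-based Kerberos login section. */
    static Configuration keytabConfig(String section, String principal, String keytabPath) {
        Map<String, String> opts = new HashMap<>();
        opts.put("useKeyTab", "true");
        opts.put("keyTab", keytabPath);
        opts.put("principal", principal);
        opts.put("storeKey", "true");
        opts.put("useTicketCache", "false"); // never fall back to a user's ticket cache
        opts.put("doNotPrompt", "true");     // fail instead of prompting inside a daemon
        AppConfigurationEntry entry = new AppConfigurationEntry(
            "com.sun.security.auth.module.Krb5LoginModule",
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                // Unknown section names get null, so no other login context is satisfied.
                return section.equals(name) ? new AppConfigurationEntry[] {entry} : null;
            }
        };
    }

    /** Map the keytab URI to a local path; only the two schemes named in the issue are accepted. */
    static String localKeytabPath(URI keytab, String localizedName) {
        String scheme = keytab.getScheme();
        if ("hdfs".equals(scheme)) return localizedName;    // assumed: YARN localized it into the work dir
        if ("file".equals(scheme)) return keytab.getPath(); // assumed: already present on the local host
        throw new IllegalArgumentException("Unsupported keytab scheme: " + scheme);
    }

    public static void main(String[] args) {
        // Constructed sample values.
        URI keytab = URI.create("file:///etc/security/keytabs/svc.keytab");
        String path = localKeytabPath(keytab, "svc.keytab");
        Configuration.setConfiguration(
            keytabConfig("Client", "svc/host.example.com@EXAMPLE.COM", path));
        System.out.println(
            Configuration.getConfiguration().getAppConfigurationEntry("Client")[0].getOptions());
    }
}
```

Rejecting any scheme other than `hdfs` and `file` keeps a user-supplied keytab location from being resolved in a way the service did not intend.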
