Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 0.23.0
    • Fix Version/s: 0.23.0
    • Labels:
      None
    • Target Version/s:
    • Release Note:
      Hide
      A new server has been added to yarn. It is a web proxy that sits in front of the AM web UI. The server is controlled by the yarn.web-proxy.address config. If that config is set, and it points to an address that is different then the RM web interface then a separate proxy server needs to be launched.

      This can be done by running

      yarn-daemon.sh start proxyserver

      If a separate proxy server is needed other configs also may need to be set, if security is enabled.
      yarn.web-proxy.principal
      yarn.web-proxy.keytab

      The proxy server is stateless and should be able to support a VIP or other load balancing sitting in front of multiple instances of this server.
      Show
      A new server has been added to yarn. It is a web proxy that sits in front of the AM web UI. The server is controlled by the yarn.web-proxy.address config. If that config is set, and it points to an address that is different then the RM web interface then a separate proxy server needs to be launched. This can be done by running yarn-daemon.sh start proxyserver If a separate proxy server is needed other configs also may need to be set, if security is enabled. yarn.web-proxy.principal yarn.web-proxy.keytab The proxy server is stateless and should be able to support a VIP or other load balancing sitting in front of multiple instances of this server.
    • Tags:
      webapp, mrv2, security

      Description

      In MRv2, while the system servers (ResourceManager (RM), NodeManager (NM) and NameNode (NN)) run as "trusted"
      system users, the application masters (AM) run as users who submit the application. While this offers great flexibility
      to run multiple version of mapreduce frameworks (including their UI) on the same Hadoop cluster, it has significant
      implication for the security of webapps (Please do not discuss company specific vulnerabilities here).

      Requirements:

      1. Secure authentication for AM (for app/job level ACLs).
      2. Webapp security should be optional via site configuration.
      3. Support existing pluggable single sign on mechanisms.
      4. Should not require per app/user configuration for deployment.
      5. Should not require special site-wide DNS configuration for deployment.

      This the top jira for webapp security. A design doc/notes of threat-modeling and counter measures will be posted on the wiki.

        Attachments

        1. MAPREDUCE-2858.patch
          92 kB
          Arun C Murthy
        2. MAPREDUCE-2858.patch
          91 kB
          Arun C Murthy
        3. MR-2858.txt
          91 kB
          Robert Joseph Evans
        4. MR-2858-branch-0.23.txt
          92 kB
          Robert Joseph Evans
        5. MR-2858.txt
          90 kB
          Robert Joseph Evans
        6. MR-2858-branch-0.23.txt
          91 kB
          Robert Joseph Evans
        7. MR-2858.txt
          88 kB
          Robert Joseph Evans
        8. MR-2858-branch-0.23.txt
          89 kB
          Robert Joseph Evans
        9. MR-2858.txt
          89 kB
          Robert Joseph Evans
        10. MR-2858-branch-0.23.txt
          90 kB
          Robert Joseph Evans

          Issue Links

            Activity

              People

              • Assignee:
                revans2 Robert Joseph Evans
                Reporter:
                vicaya Luke Lu
              • Votes:
                0 Vote for this issue
                Watchers:
                17 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: