Uploaded image for project: 'Hadoop Map/Reduce'
  1. Hadoop Map/Reduce
  2. MAPREDUCE-3101

[Umbrella] Security issues in YARN

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 0.23.0
    • None
    • security
    • None

    Description

      Most of the chassis for security in YARN is set up and is working. There are known bugs and security holes though. This JIRA is an umbrella ticket for tracking those.

      Attachments

        Issue Links

          incorporates

          Sub-task - The sub-task of the issue YARN-503 DelegationTokens will be renewed forever if multiple jobs share tokens and the first one sets JOB_CANCEL_DELEGATION_TOKEN to false

          • Major - Major loss of function.
          • Open
          is related to

          Bug - A problem which impairs or prevents the functions of the product. YARN-47 [Umbrella] Security issues in YARN

          • Major - Major loss of function.
          • Resolved
          relates to

          Bug - A problem which impairs or prevents the functions of the product. BIGTOP-418 Package MAPREDUCE-2858 (MRv2 WebApp Security)

          • Major - Major loss of function.
          • Closed
          1.
          		 Remove YarnConfiguration.YARN_SECURITY_INFO Sub-task Closed Vinod Kumar Vavilapalli  
          2.
          		 [MR-279] [Security] Cleanup LinuxContainerExecutor binary sources Sub-task Closed Robert Joseph Evans  
          3.
          		 [MR-279] [Security] Yarn servers can't communicate with each other with hadoop.security.authorization set to true Sub-task Closed Arun Murthy  
          4.
          		 [MR-279] [Security] All tokens in YARN + MR should have an expiry interval Sub-task Resolved Vinod Kumar Vavilapalli  
          5.
          		 MR 279: Security for JobHistory service Sub-task Closed Siddharth Seth  
          6.
          		 NodeManager should fail fast with wrong configuration or permissions for LinuxContainerExecutor Sub-task Closed Hitesh Shah  
          7.
          		 ResourceManager needs to renew and cancel tokens associated with a job Sub-task Closed Arun Murthy  
          8.
          		 Reenable TestLinuxContainerExecutor reflecting the current NM code. Sub-task Closed Robert Joseph Evans

          0%
          Original Estimate - 72h
          Remaining Estimate - 72h
          9.
          		 MRv2 WebApp Security Sub-task Closed Robert Joseph Evans  
          10.
          		 JobClient cannot talk to JobHistory server in secure mode Sub-task Closed Vinod Kumar Vavilapalli  
          11.
          		 Implement Job ACLs for MRAppMaster Sub-task Closed Mahadev Konar  
          12.
          		 Implement Application ACLs, Queue ACLs and their interaction Sub-task Closed Vinod Kumar Vavilapalli  
          13.
          		 NM<->RM shared secrets should be rolled every so often. Sub-task Resolved Unassigned  
          14.
          		 [MR-279] Replace IP addresses with hostnames Sub-task Closed Vinod Kumar Vavilapalli  
          15.
          		 Fix log serving in NodeManager Sub-task Resolved Omkar Vinit Joshi  
          16.
          		 Yarn+MR secure mode is broken, uncovered after MAPREDUCE-3056 Sub-task Closed Vinod Kumar Vavilapalli  
          17.
          		 Unable to restrict users based on resourcemanager.admin.acls value set Sub-task Closed Arun Murthy  
          18.
          		 [MR-279] Set correct permissions for files in dist cache Sub-task Closed Hitesh Shah  
          19.
          		 Yarn httpservers not created with access Control lists Sub-task Closed Jonathan Turner Eagles  
          20.
          		 Authorization checks needed for AM->NM protocol Sub-task Closed Vinod Kumar Vavilapalli  
          21.
          		 Authorization checks needed for AM->RM protocol Sub-task Closed Vinod Kumar Vavilapalli  
          22.
          		 Token infrastructure for running clients which are not kerberos authenticated Sub-task Closed Mahadev Konar  
          23.
          		 Cluster.getDelegationToken() throws NPE if client.getDelegationToken() returns null. Sub-task Closed John George  
          24.
          		 Authorization of NM <=> RM with simple authentication mistakenly attempts kerberos when yarn.nodemanager.principal is defined Sub-task Resolved Omkar Vinit Joshi  
          25.
          		 Client cannot talk to the history server in secure mode Sub-task Closed Mahadev Konar  
          26.
          		 ContainerTokens should have an expiry interval Sub-task Closed Vinod Kumar Vavilapalli  
          27.
          		 Randomize master key generation for ApplicationTokenSecretManager and roll it every so often Sub-task Closed Vinod Kumar Vavilapalli  
          28.
          		 JobHistoryServer should store tokens to authenticate clients across restart Sub-task Resolved Vinod Kumar Vavilapalli  
          29.
          		 AppTokens file can/should be removed Sub-task Closed Daryn Sharp  
          30.
          		 JobHIstoryServer should let queue admins view info of corresponding apps Sub-task Open Unassigned  

          Activity

            People

              Unassigned Unassigned
              vinodkv Vinod Kumar Vavilapalli
              Votes:
              0 Vote for this issue
              Watchers:
              15 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - 72h
                  72h
                  Remaining:
                  Remaining Estimate - 72h
                  72h
                  Logged:
                  Time Spent - Not Specified
                  Not Specified