Details

    • Type: Bug Bug
    • Status: Open
    • Priority: Major Major
    • Resolution: Unresolved
    • Affects Version/s: 0.23.0
    • Fix Version/s: None
    • Component/s: security
    • Labels:
      None

      Description

      Most of the chassis for security in YARN is set up and is working. There are known bugs and security holes though. This JIRA is an umbrella ticket for tracking those.

        Issue Links

        1.
        Remove YarnConfiguration.YARN_SECURITY_INFO Sub-task Closed Vinod Kumar Vavilapalli  
         
        2.
        [MR-279] [Security] Cleanup LinuxContainerExecutor binary sources Sub-task Closed Robert Joseph Evans  
         
        3.
        [MR-279] [Security] Yarn servers can't communicate with each other with hadoop.security.authorization set to true Sub-task Closed Arun C Murthy  
         
        4.
        [MR-279] [Security] All tokens in YARN + MR should have an expiry interval Sub-task Resolved Vinod Kumar Vavilapalli  
         
        5.
        MR 279: Security for JobHistory service Sub-task Closed Siddharth Seth  
         
        6.
        NodeManager should fail fast with wrong configuration or permissions for LinuxContainerExecutor Sub-task Closed Hitesh Shah  
         
        7.
        ResourceManager needs to renew and cancel tokens associated with a job Sub-task Closed Arun C Murthy  
         
        8.
        Reenable TestLinuxContainerExecutor reflecting the current NM code. Sub-task Closed Robert Joseph Evans

        0%

        Original Estimate - 72h
        Remaining Estimate - 72h
         
        9.
        MRv2 WebApp Security Sub-task Closed Robert Joseph Evans  
         
        10.
        JobClient cannot talk to JobHistory server in secure mode Sub-task Closed Vinod Kumar Vavilapalli  
         
        11.
        Implement Job ACLs for MRAppMaster Sub-task Closed Mahadev konar  
         
        12.
        Implement Application ACLs, Queue ACLs and their interaction Sub-task Closed Vinod Kumar Vavilapalli  
         
        13.
        NM<->RM shared secrets should be rolled every so often. Sub-task Resolved Unassigned  
         
        14.
        [MR-279] Replace IP addresses with hostnames Sub-task Closed Vinod Kumar Vavilapalli  
         
        15.
        Fix log serving in NodeManager Sub-task Resolved Omkar Vinit Joshi  
         
        16.
        Yarn+MR secure mode is broken, uncovered after MAPREDUCE-3056 Sub-task Closed Vinod Kumar Vavilapalli  
         
        17.
        Unable to restrict users based on resourcemanager.admin.acls value set Sub-task Closed Arun C Murthy  
         
        18.
        [MR-279] Set correct permissions for files in dist cache Sub-task Closed Hitesh Shah  
         
        19.
        Yarn httpservers not created with access Control lists Sub-task Closed Jonathan Eagles  
         
        20.
        Authorization checks needed for AM->NM protocol Sub-task Closed Vinod Kumar Vavilapalli  
         
        21.
        Authorization checks needed for AM->RM protocol Sub-task Closed Vinod Kumar Vavilapalli  
         
        22.
        Token infrastructure for running clients which are not kerberos authenticated Sub-task Closed Mahadev konar  
         
        23.
        Cluster.getDelegationToken() throws NPE if client.getDelegationToken() returns null. Sub-task Closed John George  
         
        24.
        Authorization of NM <=> RM with simple authentication mistakenly attempts kerberos when yarn.nodemanager.principal is defined Sub-task Resolved Omkar Vinit Joshi  
         
        25.
        Client cannot talk to the history server in secure mode Sub-task Closed Mahadev konar  
         
        26.
        ContainerTokens should have an expiry interval Sub-task Closed Vinod Kumar Vavilapalli  
         
        27.
        Randomize master key generation for ApplicationTokenSecretManager and roll it every so often Sub-task Closed Vinod Kumar Vavilapalli  
         
        28. JobHistoryServer should store tokens to authenticate clients across restart Sub-task Open Vinod Kumar Vavilapalli  
         
        29.
        AppTokens file can/should be removed Sub-task Closed Daryn Sharp  
         
        30. JobHIstoryServer should let queue admins view info of corresponding apps Sub-task Open Unassigned  
         

          Activity

          Eugene Koontz made changes -
          Link This issue incorporates MAPREDUCE-3979 [ MAPREDUCE-3979 ]
          Eugene Koontz made changes -
          Link This issue relates to BIGTOP-418 [ BIGTOP-418 ]
          Daryn Sharp made changes -
          Link This issue relates to MAPREDUCE-3704 [ MAPREDUCE-3704 ]
          Daryn Sharp made changes -
          Link This issue relates to MAPREDUCE-3704 [ MAPREDUCE-3704 ]
          Vinod Kumar Vavilapalli made changes -
          Fix Version/s 0.23.1 [ 12318883 ]
          Arun C Murthy made changes -
          Fix Version/s 0.23.1 [ 12318883 ]
          Fix Version/s 0.23.0 [ 12315570 ]
          Vinod Kumar Vavilapalli made changes -
          Link This issue incorporates MAPREDUCE-3013 [ MAPREDUCE-3013 ]
          Vinod Kumar Vavilapalli made changes -
          Field Original Value New Value
          Link This issue incorporates MAPREDUCE-3013 [ MAPREDUCE-3013 ]
          Vinod Kumar Vavilapalli created issue -

            People

            • Assignee:
              Vinod Kumar Vavilapalli
              Reporter:
              Vinod Kumar Vavilapalli
            • Votes:
              0 Vote for this issue
              Watchers:
              13 Start watching this issue

              Dates

              • Created:
                Updated:

                Time Tracking

                Estimated:
                Original Estimate - 72h
                72h
                Remaining:
                Remaining Estimate - 72h
                72h
                Logged:
                Time Spent - Not Specified
                Not Specified

                  Development