Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.23.0
    • Fix Version/s: None
    • Component/s: security
    • Labels:
      None

      Description

      Most of the chassis for security in YARN is set up and is working. There are known bugs and security holes though. This JIRA is an umbrella ticket for tracking those.

        Attachments

          Issue Links

          1.
          Remove YarnConfiguration.YARN_SECURITY_INFO Sub-task Closed Vinod Kumar Vavilapalli  
          2.
          [MR-279] [Security] Cleanup LinuxContainerExecutor binary sources Sub-task Closed Robert Joseph Evans  
          3.
          [MR-279] [Security] Yarn servers can't communicate with each other with hadoop.security.authorization set to true Sub-task Closed Arun C Murthy  
          4.
          [MR-279] [Security] All tokens in YARN + MR should have an expiry interval Sub-task Resolved Vinod Kumar Vavilapalli  
          5.
          MR 279: Security for JobHistory service Sub-task Closed Siddharth Seth  
          6.
          NodeManager should fail fast with wrong configuration or permissions for LinuxContainerExecutor Sub-task Closed Hitesh Shah  
          7.
          ResourceManager needs to renew and cancel tokens associated with a job Sub-task Closed Arun C Murthy  
          8.
          Reenable TestLinuxContainerExecutor reflecting the current NM code. Sub-task Closed Robert Joseph Evans

          0%

          Original Estimate - 72h
          Remaining Estimate - 72h
          9.
          MRv2 WebApp Security Sub-task Closed Robert Joseph Evans  
          10.
          JobClient cannot talk to JobHistory server in secure mode Sub-task Closed Vinod Kumar Vavilapalli  
          11.
          Implement Job ACLs for MRAppMaster Sub-task Closed Mahadev konar  
          12.
          Implement Application ACLs, Queue ACLs and their interaction Sub-task Closed Vinod Kumar Vavilapalli  
          13.
          NM<->RM shared secrets should be rolled every so often. Sub-task Resolved Unassigned  
          14.
          [MR-279] Replace IP addresses with hostnames Sub-task Closed Vinod Kumar Vavilapalli  
          15.
          Fix log serving in NodeManager Sub-task Resolved Omkar Vinit Joshi  
          16.
          Yarn+MR secure mode is broken, uncovered after MAPREDUCE-3056 Sub-task Closed Vinod Kumar Vavilapalli  
          17.
          Unable to restrict users based on resourcemanager.admin.acls value set Sub-task Closed Arun C Murthy  
          18.
          [MR-279] Set correct permissions for files in dist cache Sub-task Closed Hitesh Shah  
          19.
          Yarn httpservers not created with access Control lists Sub-task Closed Jonathan Eagles  
          20.
          Authorization checks needed for AM->NM protocol Sub-task Closed Vinod Kumar Vavilapalli  
          21.
          Authorization checks needed for AM->RM protocol Sub-task Closed Vinod Kumar Vavilapalli  
          22.
          Token infrastructure for running clients which are not kerberos authenticated Sub-task Closed Mahadev konar  
          23.
          Cluster.getDelegationToken() throws NPE if client.getDelegationToken() returns null. Sub-task Closed John George  
          24.
          Authorization of NM <=> RM with simple authentication mistakenly attempts kerberos when yarn.nodemanager.principal is defined Sub-task Resolved Omkar Vinit Joshi  
          25.
          Client cannot talk to the history server in secure mode Sub-task Closed Mahadev konar  
          26.
          ContainerTokens should have an expiry interval Sub-task Closed Vinod Kumar Vavilapalli  
          27.
          Randomize master key generation for ApplicationTokenSecretManager and roll it every so often Sub-task Closed Vinod Kumar Vavilapalli  
          28.
          JobHistoryServer should store tokens to authenticate clients across restart Sub-task Resolved Vinod Kumar Vavilapalli  
          29.
          AppTokens file can/should be removed Sub-task Closed Daryn Sharp  
          30.
          JobHIstoryServer should let queue admins view info of corresponding apps Sub-task Open Unassigned  

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                vinodkv Vinod Kumar Vavilapalli
              • Votes:
                0 Vote for this issue
                Watchers:
                15 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - 72h
                  72h
                  Remaining:
                  Remaining Estimate - 72h
                  72h
                  Logged:
                  Time Spent - Not Specified
                  Not Specified