Details

      Description

      We already authenticate requests to NM from any AM. We also need to authorize the requests, otherwise a rogue AM, but with proper tokens and thus authenticated to talk to NM, could either launch or kill a container with different ContainerID. We have two options:

      • Remove the explicit passing of the ContainerId as part of the API and instead get it from the RPC layer. In this case, we will need a ContainerToken for each container.
      • Do explicit authorization checks without relying on getting ContainerID from the RPC.

      One ContainerToken per container is a serious restriction. We anyways want to be able to use application-ACLS to, say, stop containers owned by others. So I am going to take the later route of explicit checks.

      1. MAPREDUCE-3256-20111029.txt
        80 kB
        Vinod Kumar Vavilapalli
      2. MAPREDUCE-3256-20111029.1.txt
        80 kB
        Vinod Kumar Vavilapalli
      3. MAPREDUCE-3256-20111028.2.txt
        70 kB
        Vinod Kumar Vavilapalli
      4. MAPREDUCE-3256-20111028.2_same
        70 kB
        Arun C Murthy
      5. MAPREDUCE-3256-20111028.1.txt
        72 kB
        Vinod Kumar Vavilapalli

        Issue Links

          Activity

            People

            • Assignee:
              Vinod Kumar Vavilapalli
              Reporter:
              Vinod Kumar Vavilapalli
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development