      Description

      We already authenticate requests to NM from any AM. We also need to authorize the requests, otherwise a rogue AM, but with proper tokens and thus authenticated to talk to NM, could either launch or kill a container with a different ContainerID. We have two options:

      • Remove the explicit passing of the ContainerId as part of the API and instead get it from the RPC layer. In this case, we will need a ContainerToken for each container.
      • Do explicit authorization checks without relying on getting ContainerID from the RPC.

      One ContainerToken per container is a serious restriction. We anyway want to be able to use application-ACLs to, say, stop containers owned by others. So I am going to take the latter route of explicit checks.
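
The second option, explicit authorization on a ContainerId that arrives in the request, can be modelled as below. This is an added example, not part of the original issue and not Hadoop code. The `Caller` fields, the `container_<appId>_<sequence>` ID layout, the class and method names, and all sample values are assumptions constructed for illustration.

```python
from collections import namedtuple

# Identity the RPC layer established for the caller (authentication is done).
# Field names are assumptions for this model.
Caller = namedtuple("Caller", "user app_id")

class AuthorizationError(Exception):
    """Authenticated caller is not allowed to act on the named container."""

def owning_app(container_id):
    # Assumed, constructed ID layout: container_<appId>_<sequence>
    parts = container_id.split("_")
    if len(parts) != 3 or parts[0] != "container" or not parts[2].isdigit():
        raise AuthorizationError("malformed container id %r" % container_id)
    return parts[1]

class NodeManagerModel:
    def __init__(self, app_acls):
        self.app_acls = app_acls  # app id -> users granted modify rights
        self.running = set()

    def start_container(self, caller, container_id):
        # Launch: the explicit ContainerId must belong to the caller's app.
        if owning_app(container_id) != caller.app_id:
            raise AuthorizationError("%s may not start %s" % (caller.user, container_id))
        self.running.add(container_id)

    def stop_container(self, caller, container_id):
        # Stop: the owning app, or a user named in that application's ACL.
        app = owning_app(container_id)
        if app != caller.app_id and caller.user not in self.app_acls.get(app, ()):
            raise AuthorizationError("%s may not stop %s" % (caller.user, container_id))
        self.running.discard(container_id)

def attempt(action, caller, container_id):
    """Return 'allowed' or 'denied' for one request."""
    try:
        action(caller, container_id)
        return "allowed"
    except AuthorizationError:
        return "denied"

def demo():
    nm = NodeManagerModel(app_acls={"app1": {"admin"}})  # constructed sample ACL
    am1, am2 = Caller("alice", "app1"), Caller("mallory", "app2")
    admin = Caller("admin", None)  # no application of its own, only an ACL entry
    return [attempt(nm.start_container, am1, "container_app1_0001"),
            attempt(nm.start_container, am2, "container_app1_0002"),
            attempt(nm.stop_container, am2, "container_app1_0001"),
            attempt(nm.stop_container, admin, "container_app1_0001")]
```

Both callers in the model are authenticated; only the comparison between the caller's identity and the container named in the request separates the allowed calls from the denied ones.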

        Attachments

        1. MAPREDUCE-3256-20111028.1.txt
          72 kB
          Vinod Kumar Vavilapalli
        2. MAPREDUCE-3256-20111028.2_same
          70 kB
          Arun C Murthy
        3. MAPREDUCE-3256-20111028.2.txt
          70 kB
          Vinod Kumar Vavilapalli
        4. MAPREDUCE-3256-20111029.1.txt
          80 kB
          Vinod Kumar Vavilapalli
        5. MAPREDUCE-3256-20111029.txt
          80 kB
          Vinod Kumar Vavilapalli

              People

              • Assignee:
                vinodkv Vinod Kumar Vavilapalli
                Reporter:
                vinodkv Vinod Kumar Vavilapalli