Uploaded image for project: 'Hadoop YARN'
  1. Hadoop YARN
  2. YARN-47

[Umbrella] Security issues in YARN

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None

      Description

      JIRA tracking YARN related security issues.

      Moving over YARN only stuff from MAPREDUCE-3101.

        Attachments

          Issue Links

          1.
          RM-NM secret-keys should be randomly generated and rolled every so often Sub-task Closed Vinod Kumar Vavilapalli
          2.
          Move to per-node RM-NM secrets Sub-task Open Omkar Vinit Joshi
          3.
          Tests for verifying application-acl checks on the web-UI Sub-task Open Unassigned
          4.
          Improve distributed shell application to work on a secure cluster Sub-task Closed Vinod Kumar Vavilapalli
          5.
          Implement renewal / cancellation of Delegation Tokens Sub-task Closed Siddharth Seth
          6.
          [MR-279] [Security] AM should not be able to abuse container tokens for repetitive container launches Sub-task Closed Vinod Kumar Vavilapalli
          7.
          AM should not be able to abuse container tokens for repetitive container launches Sub-task Closed Omkar Vinit Joshi
          8.
          NMs rejects all container tokens after secret key rolls Sub-task Closed Vinod Kumar Vavilapalli
          9.
          ClientToAMSecretManager creates keys without checking for validity of the appID Sub-task Closed Vinod Kumar Vavilapalli
          10.
          ClientTokens should be per app-attempt and be unregistered on App-finish. Sub-task Closed Vinod Kumar Vavilapalli
          11.
          RM does not reject app submission with invalid tokens Sub-task Closed Daryn Sharp
          12.
          ContainerManager APIs should be user accessible Sub-task Resolved Unassigned
          13.
          NodeManager should use SecureIOUtils for serving and aggregating logs Sub-task Closed Omkar Vinit Joshi
          14.
          Make ApplicationToken part of Container's token list to help RM-restart Sub-task Closed Vinod Kumar Vavilapalli
          15.
          ClientToken (ClientToAMToken) should not be set in the environment Sub-task Closed Omkar Vinit Joshi
          16.
          In unsercure mode, AM can fake resource requirements Sub-task Closed Omkar Vinit Joshi
          17.
          RM doesn't retry token renewals Sub-task Resolved Unassigned
          18.
          RM renews tokens even when maxDate will soon be exceeded Sub-task Open Unassigned
          19.
          DelegationTokens will be renewed forever if multiple jobs share tokens and the first one sets JOB_CANCEL_DELEGATION_TOKEN to false Sub-task Open Daryn Sharp
          20.
          AMTokens, ClientTokens and LocalizerTokens should be generated and used irrespective of kerberos Sub-task Open Vinod Kumar Vavilapalli
          21.
          Create NM proxy per NM instead of per container Sub-task Closed Omkar Vinit Joshi
          22.
          ApplicationTokens should be used irrespective of kerberos Sub-task Closed Vinod Kumar Vavilapalli
          23.
          NM startContainer should validate the NodeId Sub-task Closed Omkar Vinit Joshi
          24.
          Node manager is no longer required to store ContainerToken as it is required only during startContainer call. Sub-task Resolved Omkar Vinit Joshi
          25.
          Parse html response returned by Application master when showing it via WebProxy Sub-task Open Omkar Vinit Joshi
          26.
          RM triggers web auth failure before first job Sub-task Closed Omkar Vinit Joshi
          27.
          Get queue administration ACLs working Sub-task Closed Xuan Gong
          28.
          Add tests to verify that queue-admin-acls work with hierarchical queues Sub-task Open Xuan Gong
          29.
          NodeManager should allow queue admins to view app-logs Sub-task Open Xuan Gong
          30.
          NM is polluting container's credentials Sub-task Closed Omkar Vinit Joshi
          31.
          Yarn and MRv2 should do HTTP client authentication in kerberos setup. Sub-task Closed Omkar Vinit Joshi
          32.
          Start using NMTokens to authenticate all communication with NM Sub-task Closed Omkar Vinit Joshi
          33.
          Share NMTokens using NMTokenCache (api-based) instead of memory based approach which is used currently. Sub-task Closed Omkar Vinit Joshi
          34.
          Creating NMToken master key on RM and sharing it with NM as a part of RM-NM heartbeat. Sub-task Closed Omkar Vinit Joshi
          35.
          Sending NMToken to AM on allocate call Sub-task Closed Omkar Vinit Joshi
          36.
          ContainerManagerImpl should enforce token on server. Today it is [TOKEN, SIMPLE] Sub-task Closed Omkar Vinit Joshi
          37.
          Queue admin ACLs should NOT be similar to submit-acls w.r.t hierarchy. Sub-task Open Unassigned
          38.
          ClientToAMTokenMasterKey should be provided to AM at launch time Sub-task Closed Jason Darrell Lowe

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                vinodkv Vinod Kumar Vavilapalli
              • Votes:
                0 Vote for this issue
                Watchers:
                7 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: