All YARN apps with a planned lifespan of more than 24h need a way to push updated tokens out to their containers, with the tokens themselves coming from an AM with a keytab, a kinited user, or Oozie.
Per-app solutions are likely to have their own security flaws, testability and support problems, etc. Yet we already have a mechanism for the RM to pass credentials to the NMs and into the local filesystem for container launch; this could be extended to support propagation of updated credentials, something like:
- AM/RM protocol adds operation to replace credentials on a container; NM uses this to pull down new value; UGI refresh thread can look for updated data @ HADOOP_TOKEN_FILES_LOCATION and reload.
- YARN Client API extended to allow AM launch context credentials to be similarly updated
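The container-side half of the first bullet, written as an added example rather than code from Hadoop or from this proposal: a refresh thread that watches the token file the NM localized for the container and merges any newer tokens into the current UGI. It uses only existing Hadoop APIs (`Credentials.readTokenStorageFile`, `UserGroupInformation.addCredentials`, the `HADOOP_TOKEN_FILE_LOCATION` environment variable) and does not implement the proposed AM/RM protocol operation; it assumes the NM replaces the file atomically (write to a temp file, then rename) so a poll never sees a half-written file, and the class name, polling interval and file-change check are choices made here, not part of the proposal.

```java
import java.io.File;
import java.io.IOException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;

/**
 * Polls the container's token file and merges newer tokens into the current UGI.
 * Hadoop only reads HADOOP_TOKEN_FILE_LOCATION once at login; this thread is the
 * "reload on update" step the proposal asks for. Hypothetical class, added as an example.
 */
public final class TokenFileRefresher implements Runnable {
  private final File tokenFile;
  private final Configuration conf;
  private final long intervalMs;
  private long loadedMtime = -1;   // mtime of the version last merged into the UGI
  private long loadedLength = -1;  // length too, in case mtime resolution is coarse

  public TokenFileRefresher(File tokenFile, Configuration conf, long intervalMs) {
    this.tokenFile = tokenFile;
    this.conf = conf;
    this.intervalMs = intervalMs;
  }

  /** Resolve the token file YARN localized for this container via the standard env var. */
  public static File locateTokenFile() {
    String path = System.getenv(UserGroupInformation.HADOOP_TOKEN_FILE_LOCATION);
    if (path == null) {
      throw new IllegalStateException("HADOOP_TOKEN_FILE_LOCATION is not set; not a YARN container?");
    }
    return new File(path);
  }

  /**
   * Reload the file if it changed since the last merge. Returns true when new
   * credentials were merged. Tokens are keyed by alias, so a renewed token with the
   * same service alias replaces the expired one; other aliases are left untouched.
   */
  public synchronized boolean refreshIfChanged() throws IOException {
    long mtime = tokenFile.lastModified();
    long length = tokenFile.length();
    if (mtime == loadedMtime && length == loadedLength) {
      return false;
    }
    // Assumes the writer renamed a complete file into place; a partial file would
    // fail to parse here and the previous credentials stay in effect.
    Credentials fresh = Credentials.readTokenStorageFile(tokenFile, conf);
    UserGroupInformation.getCurrentUser().addCredentials(fresh);
    loadedMtime = mtime;
    loadedLength = length;
    for (Token<? extends TokenIdentifier> t : fresh.getAllTokens()) {
      System.out.println("reloaded token kind=" + t.getKind() + " service=" + t.getService());
    }
    return true;
  }

  @Override
  public void run() {
    while (!Thread.currentThread().isInterrupted()) {
      try {
        refreshIfChanged();
      } catch (IOException e) {
        // Keep the tokens we already have; the next poll will retry.
        System.err.println("token file reload failed, keeping current credentials: " + e);
      }
      try {
        Thread.sleep(intervalMs);
      } catch (InterruptedException e) {
        Thread.currentThread().interrupt();
      }
    }
  }

  /** Start the refresher as a daemon thread from the container's main(). */
  public static Thread start(Configuration conf, long intervalMs) {
    Thread t = new Thread(new TokenFileRefresher(locateTokenFile(), conf, intervalMs),
        "token-file-refresher");
    t.setDaemon(true);
    t.start();
    return t;
  }
}
```

Two things to watch in practice: the poll interval must be well inside the token renewal window so a refreshed file is picked up before the old token expires, and the reload merges into the UGI of the thread that launched it, so it should be started from the same login context the container's work runs under.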