Hadoop YARN > YARN-896 Roll up for long-lived services in YARN > YARN-4877

Add a way to push out updated service tokens to containers

    Details

    • Type: Sub-task
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 2.8.0
    • Fix Version/s: None
    • Component/s: applications, security
    • Labels:
      None

      Description

All YARN apps with a planned lifespan of more than 24h need to have a way to push out updated tokens to containers, the tokens themselves coming from an AM with a keytab, a kinited user, or Oozie.

Per-app solutions are likely to have different security flaws, testability/support problems, etc. Yet we already have a mechanism for the RM to pass credentials to the NMs and into the local filesystem for container launch... this could be extended to support updated credential propagation, something like:

1. AM/RM protocol adds an operation to replace credentials on a container; NM uses this to pull down the new value; a UGI refresh thread can look for updated data at HADOOP_TOKEN_FILES_LOCATION and reload.
2. YARN Client API extended to allow AM launch context credentials to be similarly updated.
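The container-side half of step 1, as an added example (not YARN project code and not part of this issue's proposal): a refresh thread that watches the token file YARN already points every container at, reloads it when the NM has replaced it, and merges the new tokens into the process UGI, plus the atomic writer an NM would need so a reader never sees a half-written file. The class and method names (TokenFileRefresher, reload, replaceTokenFile, pollIntervalMs) are hypothetical; the Hadoop calls used (Credentials.readTokenStorageFile, Credentials.writeTokenStorageToStream, UserGroupInformation.addCredentials, Token.decodeIdentifier) are real 2.x APIs, and the environment variable is taken from the UserGroupInformation.HADOOP_TOKEN_FILE_LOCATION constant, which is how Hadoop spells the name given above as HADOOP_TOKEN_FILES_LOCATION. The writer assumes a POSIX filesystem (0600 temp file, rename(2) semantics).

```java
import java.io.DataOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.nio.file.attribute.PosixFilePermissions;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;
import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier;

/** Hypothetical container-side refresher: polls the token file and reloads it into the UGI. */
public final class TokenFileRefresher implements Runnable {
  private final File tokenFile;
  private final Configuration conf;
  private final long pollIntervalMs;
  private long lastSeenMtime;

  public TokenFileRefresher(File tokenFile, Configuration conf, long pollIntervalMs) {
    this.tokenFile = tokenFile;
    this.conf = conf;
    this.pollIntervalMs = pollIntervalMs;
    this.lastSeenMtime = tokenFile.lastModified(); // launch-time file is already in the UGI
  }

  /** Start watching the location YARN exports into the container environment. */
  public static Thread start(Configuration conf, long pollIntervalMs) {
    String loc = System.getenv(UserGroupInformation.HADOOP_TOKEN_FILE_LOCATION);
    if (loc == null) {
      throw new IllegalStateException(
          UserGroupInformation.HADOOP_TOKEN_FILE_LOCATION + " is not set in this container");
    }
    Thread t = new Thread(new TokenFileRefresher(new File(loc), conf, pollIntervalMs),
        "token-file-refresh");
    t.setDaemon(true);
    t.start();
    return t;
  }

  @Override
  public void run() {
    while (!Thread.currentThread().isInterrupted()) {
      try {
        Thread.sleep(pollIntervalMs);
        long mtime = tokenFile.lastModified(); // 0 if the file has gone missing
        if (mtime != lastSeenMtime) {          // an atomically renamed-in file has a new mtime
          reload();
          lastSeenMtime = mtime;               // only advance once the reload succeeded
        }
      } catch (InterruptedException e) {
        Thread.currentThread().interrupt();
      } catch (IOException e) {
        // A missing, partial or rejected file must never evict the credentials that still work.
        System.err.println("token reload failed, keeping current credentials: " + e);
      }
    }
  }

  /** Parse the replaced file, refuse already-expired delegation tokens, merge into the UGI. */
  void reload() throws IOException {
    Credentials fresh = Credentials.readTokenStorageFile(tokenFile, conf);
    long now = System.currentTimeMillis();
    for (Token<? extends TokenIdentifier> token : fresh.getAllTokens()) {
      TokenIdentifier id = token.decodeIdentifier(); // null for kinds with no registered identifier
      if (id instanceof AbstractDelegationTokenIdentifier
          && ((AbstractDelegationTokenIdentifier) id).getMaxDate() < now) {
        throw new IOException("refusing expired token of kind " + token.getKind());
      }
    }
    // addCredentials overwrites tokens that share an alias, so renewed tokens replace old ones.
    UserGroupInformation.getCurrentUser().addCredentials(fresh);
  }

  /** Writer side (what an NM would do): owner-only temp file in the same directory, then rename. */
  public static void replaceTokenFile(Credentials creds, File target) throws IOException {
    Path dir = target.getAbsoluteFile().toPath().getParent();
    Path tmp = Files.createTempFile(dir, ".tokens-", ".tmp",
        PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------")));
    try (DataOutputStream out = new DataOutputStream(new FileOutputStream(tmp.toFile()))) {
      creds.writeTokenStorageToStream(out); // plain stream keeps the 0600 mode set above
    }
    Files.move(tmp, target.toPath(),
        StandardCopyOption.ATOMIC_MOVE, StandardCopyOption.REPLACE_EXISTING);
  }
}
```

Call TokenFileRefresher.start(conf, 60_000L) once the container has initialised its UGI. The writer deliberately bypasses Hadoop's FileSystem.create so the umask cannot widen the mode of the temp file, and the reader only advances its high-water mark after a successful reload, so a corrupt or expired file is retried rather than silently accepted.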

People

• Assignee: Unassigned
• Reporter: stevel@apache.org Steve Loughran
• Votes: 0
• Watchers: 7
