Uploaded image for project: 'Hadoop YARN'
  1. Hadoop YARN
  2. YARN-47 [Umbrella] Security issues in YARN
  3. YARN-693

Sending NMToken to AM on allocate call

    XMLWordPrintableJSON

Details

    • Sub-task
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 2.1.0-beta
    • None
    • None
    • Reviewed

    Description

      This is part of YARN-613.
      As per the updated design, AM will receive per NM, NMToken in following scenarios

      • AM is receiving first container on underlying NM.
      • AM is receiving container on underlying NM after either NM or RM rebooted.
        • After RM reboot, as RM doesn't remember (persist) the information about keys issued per AM per NM, it will reissue tokens in case AM gets new container on underlying NM. However on NM side NM will still retain older token until it receives new token to support long running jobs (in work preserving environment).
        • After NM reboot, RM will delete the token information corresponding to that AM for all AMs.
      • AM is receiving container on underlying NM after NMToken master key is rolled over on RM side.
        In all the cases if AM receives new NMToken then it is suppose to store it for future NM communication until it receives a new one.

      AMRMClient should expose these NMToken to client.

      Attachments

        1. YARN-693-20130615.patch
          57 kB
          Omkar Vinit Joshi
        2. YARN-693-20130614.1.patch
          54 kB
          Omkar Vinit Joshi
        3. YARN-693-20130613.patch
          62 kB
          Omkar Vinit Joshi
        4. YARN-693-20130610.patch
          62 kB
          Omkar Vinit Joshi

        Issue Links

          blocks

          Sub-task - The sub-task of the issue YARN-610 ClientToken (ClientToAMToken) should not be set in the environment

          • Blocker - Blocks development and/or testing work, production could not run
          • Closed

          Sub-task - The sub-task of the issue YARN-613 Create NM proxy per NM instead of per container

          • Major - Major loss of function.
          • Closed

          Sub-task - The sub-task of the issue YARN-694 Start using NMTokens to authenticate all communication with NM

          • Major - Major loss of function.
          • Closed

          Sub-task - The sub-task of the issue YARN-739 NM startContainer should validate the NodeId

          • Major - Major loss of function.
          • Closed
          is blocked by

          Sub-task - The sub-task of the issue YARN-692 Creating NMToken master key on RM and sharing it with NM as a part of RM-NM heartbeat.

          • Major - Major loss of function.
          • Closed

          Sub-task - The sub-task of the issue YARN-714 AMRM protocol changes for sending NMToken list

          • Major - Major loss of function.
          • Closed
          relates to

          Bug - A problem which impairs or prevents the functions of the product. YARN-1189 NMTokenSecretManagerInNM is not being told when applications have finished

          • Blocker - Blocks development and/or testing work, production could not run
          • Closed

          Activity

            People

              ojoshi Omkar Vinit Joshi
              ojoshi Omkar Vinit Joshi
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: