  1. Hadoop YARN
  2. YARN-47 [Umbrella] Security issues in YARN
  3. YARN-694

Start using NMTokens to authenticate all communication with NM



    • Type: Sub-task
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.1.0-beta
    • Component/s: None
    • Labels:
    • Hadoop Flags:
      Incompatible change, Reviewed


      AM uses the NMToken to authenticate all AM-NM communication.
      NM will validate the NMToken in the following manner:

      • If the NMToken uses the current or previous master key, then the NMToken is valid. In this case the NM will update its cache with this key for the corresponding appId.
      • If the NMToken uses a master key that is present in the NM's cache for the AM's appId, then it will be validated against that key.
      • If the NMToken is invalid, then the NM will reject the AM's calls.

      Modification for ContainerToken

      • At present, RPC validates AM-NM communication based on ContainerToken. It will be replaced with NMToken. Also, from now on the AM will use one NMToken per NM (replacing the earlier behavior of one ContainerToken per container per NM).
      • In a secured environment, startContainer currently uses the ContainerToken from the UGI (YARN-617); after this change it will use the one from the payload (Container).
      • ContainerToken will continue to exist, but it will only be used to validate the AM's container start request.
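
The NMToken validation rules in the description above, modelled as an added example (not code from the YARN patch). The token layout, the HMAC-SHA256 construction, and all names such as `NodeManagerModel` and `issue_token` are assumptions made for illustration; the keys and appIds are constructed sample values.

```python
import hashlib
import hmac


def mac_for(app_id, key_id, key):
    # Assumed token body: appId plus master key id, authenticated with HMAC-SHA256.
    return hmac.new(key, f"{app_id}|{key_id}".encode(), hashlib.sha256).digest()


def issue_token(app_id, key_id, key):
    """Issuer side (hypothetical): the token an AM presents to one NM."""
    return {"app_id": app_id, "key_id": key_id, "mac": mac_for(app_id, key_id, key)}


class NodeManagerModel:
    def __init__(self, key_id, key):
        self.current = (key_id, key)
        self.previous = None
        self.app_keys = {}  # appId -> (key_id, key) last accepted for that app

    def roll_master_key(self, key_id, key):
        self.previous, self.current = self.current, (key_id, key)

    def _matches(self, token, entry):
        if entry is None or entry[0] != token["key_id"]:
            return False
        expected = mac_for(token["app_id"], entry[0], entry[1])
        return hmac.compare_digest(expected, token["mac"])  # constant-time compare

    def validate(self, token):
        # Rule 1: current or previous master key -> valid; cache the key per appId.
        for entry in (self.current, self.previous):
            if self._matches(token, entry):
                self.app_keys[token["app_id"]] = entry
                return True
        # Rule 2: otherwise fall back to the key cached for this appId.
        # Rule 3: anything that matches neither is rejected.
        return self._matches(token, self.app_keys.get(token["app_id"]))


def demo():
    k1, k2, k3 = b"constructed-key-1", b"constructed-key-2", b"constructed-key-3"
    nm = NodeManagerModel(1, k1)
    tok_a, tok_b = issue_token("app_A", 1, k1), issue_token("app_B", 1, k1)
    results = [nm.validate(tok_a)]             # key 1 is current: accepted, cached
    nm.roll_master_key(2, k2)
    nm.roll_master_key(3, k3)                  # key 1 is no longer current/previous
    results.append(nm.validate(tok_a))         # accepted via the per-app cache
    results.append(nm.validate(tok_b))         # app_B was never cached: rejected
    results.append(nm.validate(dict(tok_a, mac=b"\x00" * 32)))  # bad MAC: rejected
    return results
```

`demo()` shows why the per-appId cache matters: a long-running AM keeps working across two master key rollovers, while a token for an application the NM has never seen under that old key is refused.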


        1. YARN-694-20130613.patch
          139 kB
          Omkar Vinit Joshi
        2. YARN-694-20130617.1.patch
          190 kB
          Omkar Vinit Joshi
        3. YARN-694-20130617.2.patch
          190 kB
          Omkar Vinit Joshi
        4. YARN-694-20130617.patch
          161 kB
          Omkar Vinit Joshi
        5. YARN-694-20130618.1.patch
          213 kB
          Omkar Vinit Joshi
        6. YARN-694-20130618.2.patch
          217 kB
          Omkar Vinit Joshi
        7. YARN-694-20130618.3.patch
          218 kB
          Omkar Vinit Joshi
        8. YARN-694-20130618.4.patch
          218 kB
          Omkar Vinit Joshi
        9. YARN-694-20130618.5.patch
          221 kB
          Omkar Vinit Joshi
        10. YARN-694-20130618.patch.branch-2
          221 kB
          Omkar Vinit Joshi
        11. YARN-694-20130618.patch.yarn-694-branch-2.1-beta
          221 kB
          Omkar Vinit Joshi

          Issue Links



              • Assignee:
                ojoshi Omkar Vinit Joshi


                • Created: