Affects Version/s: None
Fix Version/s: 2.1.0-beta
Hadoop Flags:Incompatible change, Reviewed
AM uses the NMToken to authenticate all the AM-NM communication.
NM will validate NMToken in below manner
- If NMToken is using current or previous master key then the NMToken is valid. In this case it will update its cache with this key corresponding to appId.
- If NMToken is using the master key which is present in NM's cache corresponding to AM's appId then it will be validated based on this.
- If NMToken is invalid then NM will reject AM calls.
Modification for ContainerToken
- At present RPC validates AM-NM communication based on ContainerToken. It will be replaced with NMToken. Also now onwards AM will use NMToken per NM (replacing earlier behavior of ContainerToken per container per NM).
- startContainer in case of Secured environment is using ContainerToken from UGI
YARN-617; however after this it will use it from the payload (Container).
- ContainerToken will exist and it will only be used to validate the AM's container start request.