Hadoop YARN / YARN-8571

Validate service principal format prior to launching yarn service

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1.0, 3.1.1
    • Fix Version/s: 3.2.0, 3.1.2
    • Component/s: security, yarn
    • Labels:
      None

      Description

      Hadoop client and server interaction is designed to validate the service principal before an RPC request is permitted. In YARN service, the same security model is enforced to prevent replay attacks. However, an end user might submit JSON that looks like this to the YARN service REST API:

      {
        "name": "sleeper-service",
        "version": "1.0.0",
        "components" :
        [
          {
            "name": "sleeper",
            "number_of_containers": 2,
            "launch_command": "sleep 900000",
            "resource": {
              "cpus": 1,
              "memory": "256"
            }
          }
        ],
        "kerberos_principal" : {
          "principal_name" : "ambari-qa@EXAMPLE.COM",
          "keytab" : "file:///etc/security/keytabs/smokeuser.headless.keytab"
        }
      }
      

      The Kerberos principal is the end user's Kerberos principal instead of a service principal. This does not work properly because the YARN service application master is required to run with a service principal to communicate with the YARN CLI client via Hadoop RPC. Without breaking the Hadoop security design in this JIRA, it might be in our best interest to validate principal_name during submission, and report an error message when someone tries to run a YARN service with a user principal.
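The following is an added illustration of the submission-time check proposed above; it is not the project's code and not the attached patch. It assumes the Hadoop-style principal grammar `primary[/instance]@REALM` (no escaped separators), treats any principal without an instance component as a user principal, and models the `_HOST` placeholder expansion that Hadoop performs for server principals (lower-cased hostname). The spec validator, the function names and the sample specs are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed grammar: primary[/instance]@REALM with no '/' or '@' inside a
# component. This is a simplification of full Kerberos naming (no escapes).
_PRINCIPAL_RE = re.compile(r"^([^/@]+)(?:/([^/@]+))?@([^/@]+)$")


class PrincipalFormatError(ValueError):
    """Raised when a principal string is malformed or of the wrong kind."""


@dataclass(frozen=True)
class Principal:
    primary: str
    instance: Optional[str]
    realm: str

    @property
    def is_service_principal(self) -> bool:
        # Service principals carry an instance (host) component; user
        # principals such as ambari-qa@EXAMPLE.COM do not.
        return self.instance is not None


def parse_principal(name: str) -> Principal:
    """Split a principal string into its components or raise on bad syntax."""
    m = _PRINCIPAL_RE.match(name or "")
    if not m:
        raise PrincipalFormatError(f"malformed Kerberos principal: {name!r}")
    return Principal(primary=m.group(1), instance=m.group(2), realm=m.group(3))


def require_service_principal(name: str) -> Principal:
    """Accept only primary/instance@REALM; reject user principals."""
    p = parse_principal(name)
    if not p.is_service_principal:
        raise PrincipalFormatError(
            f"{name!r} is a user principal; a YARN service must run with a "
            "service principal of the form name/host@REALM "
            "(for example yarn-service/_HOST@EXAMPLE.COM)"
        )
    return p


def resolve_host_placeholder(p: Principal, hostname: str) -> str:
    """Expand the _HOST instance placeholder (assumed to mirror Hadoop's
    server-principal handling: hostname is lower-cased). Other instance
    values are kept as given."""
    inst = hostname.lower() if p.instance == "_HOST" else p.instance
    return f"{p.primary}/{inst}@{p.realm}"


def validate_service_spec(spec: dict) -> List[str]:
    """Hypothetical submission-time validator for a YARN service JSON spec.
    Returns a list of error messages; an empty list means the spec passes."""
    errors: List[str] = []
    kp = spec.get("kerberos_principal")
    if kp is None:
        return errors  # no Kerberos section: nothing to check here
    name = kp.get("principal_name")
    if not name:
        errors.append("kerberos_principal.principal_name is required")
    else:
        try:
            require_service_principal(name)
        except PrincipalFormatError as exc:
            errors.append(str(exc))
    if not kp.get("keytab"):
        errors.append("kerberos_principal.keytab is required")
    return errors


# Constructed sample specs: the first uses the user principal from the JIRA
# description, the second a service principal with a _HOST placeholder.
USER_PRINCIPAL_SPEC = {
    "name": "sleeper-service",
    "version": "1.0.0",
    "components": [{"name": "sleeper", "number_of_containers": 2,
                    "launch_command": "sleep 900000",
                    "resource": {"cpus": 1, "memory": "256"}}],
    "kerberos_principal": {
        "principal_name": "ambari-qa@EXAMPLE.COM",
        "keytab": "file:///etc/security/keytabs/smokeuser.headless.keytab",
    },
}
SERVICE_PRINCIPAL_SPEC = {
    **USER_PRINCIPAL_SPEC,
    "kerberos_principal": {
        "principal_name": "yarn-service/_HOST@EXAMPLE.COM",
        "keytab": "file:///etc/security/keytabs/yarn-service.keytab",
    },
}

if __name__ == "__main__":
    for spec in (USER_PRINCIPAL_SPEC, SERVICE_PRINCIPAL_SPEC):
        print(spec["kerberos_principal"]["principal_name"],
              "->", validate_service_spec(spec) or "ok")
```

Rejecting at submission time gives the user a clear message instead of an application master that starts and then fails to authenticate its RPC endpoint; the `_HOST` expansion is shown only to make the point that the instance component is what a service principal must carry.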

        Attachments

        1. YARN-8571.001.patch
          4 kB
          Eric Yang
        2. YARN-8571.002.patch
          5 kB
          Eric Yang


            People

            • Assignee: Eric Yang (eyang)
            • Reporter: Eric Yang (eyang)
            • Votes: 0
            • Watchers: 4
