Description
Hadoop client and server interaction is designed to validate the service principal before an RPC request is permitted. In YARN service, the same security model is enforced to prevent replay attacks. However, an end user might submit JSON that looks like this to the YARN service REST API:
{
  "name": "sleeper-service",
  "version": "1.0.0",
  "components" : [
    {
      "name": "sleeper",
      "number_of_containers": 2,
      "launch_command": "sleep 900000",
      "resource": {
        "cpus": 1,
        "memory": "256"
      }
    }
  ],
  "kerberos_principal" : {
    "principal_name" : "ambari-qa@EXAMPLE.COM",
    "keytab" : "file:///etc/security/keytabs/smokeuser.headless.keytab"
  }
}
The Kerberos principal is an end-user Kerberos principal instead of a service principal. This does not work properly because the YARN service application master needs to run with a service principal to communicate with the YARN CLI client via Hadoop RPC. Without breaking Hadoop security design in this JIRA, it might be in our best interest to validate principal_name during submission, and report an error message when someone tries to run a YARN service with a user principal.
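The submission-time check proposed above can be sketched as a pre-flight validator over the service spec. This is an added example, not code from the YARN project; the function name `check_principal`, the error wording, the rule that a service principal must have the form primary/instance@REALM, and the constructed principal `sleeper/_HOST@EXAMPLE.COM` are assumptions of the example.

```python
import json
import re

# Kerberos principal shape accepted here: primary[/instance][@REALM].
# Assumption of this example: a service principal is one that carries an
# instance component (normally the host), e.g. primary/host@REALM, while a
# user principal such as ambari-qa@EXAMPLE.COM has none.
_PRINCIPAL_RE = re.compile(
    r"(?P<primary>[^/@\s]+)"
    r"(?:/(?P<instance>[^/@\s]+))?"
    r"(?:@(?P<realm>[^/@\s]+))?"
)


def check_principal(spec):
    """Return a list of error strings for the spec's kerberos_principal block."""
    block = spec.get("kerberos_principal") or {}
    name = (block.get("principal_name") or "").strip()
    if not name:
        return []  # no principal configured, nothing to validate
    match = _PRINCIPAL_RE.fullmatch(name)
    if match is None:
        return [f"'{name}' is not in primary/instance@REALM form"]
    if match.group("instance") is None:
        return [
            f"'{name}' is a user principal; the YARN service application "
            "master must run with a service principal (primary/instance@REALM)"
        ]
    return []


# The spec from the description above, reduced to the fields the check reads.
SUBMITTED = """
{
  "name": "sleeper-service",
  "version": "1.0.0",
  "kerberos_principal": {
    "principal_name": "ambari-qa@EXAMPLE.COM",
    "keytab": "file:///etc/security/keytabs/smokeuser.headless.keytab"
  }
}
"""

if __name__ == "__main__":
    spec = json.loads(SUBMITTED)
    print(check_principal(spec))  # rejected: user principal
    # Constructed service principal, for comparison only.
    spec["kerberos_principal"]["principal_name"] = "sleeper/_HOST@EXAMPLE.COM"
    print(check_principal(spec))  # accepted: no errors
```
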