Uploaded image for project: 'Hadoop YARN'
  1. Hadoop YARN
  2. YARN-47 [Umbrella] Security issues in YARN
  3. YARN-694

Start using NMTokens to authenticate all communication with NM

    XMLWordPrintableJSON

Details

    • Sub-task
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 2.1.0-beta
    • None
    • None
    • Incompatible change, Reviewed

    Description

      AM uses the NMToken to authenticate all the AM-NM communication.
      NM will validate NMToken in below manner

      • If NMToken is using current or previous master key then the NMToken is valid. In this case it will update its cache with this key corresponding to appId.
      • If NMToken is using the master key which is present in NM's cache corresponding to AM's appId then it will be validated based on this.
      • If NMToken is invalid then NM will reject AM calls.

      Modification for ContainerToken

      • At present RPC validates AM-NM communication based on ContainerToken. It will be replaced with NMToken. Also now onwards AM will use NMToken per NM (replacing earlier behavior of ContainerToken per container per NM).
      • startContainer in case of Secured environment is using ContainerToken from UGI YARN-617; however after this it will use it from the payload (Container).
      • ContainerToken will exist and it will only be used to validate the AM's container start request.

      Attachments

        1. YARN-694-20130618.patch.yarn-694-branch-2.1-beta
          221 kB
          Omkar Vinit Joshi
        2. YARN-694-20130618.patch.branch-2
          221 kB
          Omkar Vinit Joshi
        3. YARN-694-20130618.5.patch
          221 kB
          Omkar Vinit Joshi
        4. YARN-694-20130618.4.patch
          218 kB
          Omkar Vinit Joshi
        5. YARN-694-20130618.3.patch
          218 kB
          Omkar Vinit Joshi
        6. YARN-694-20130618.2.patch
          217 kB
          Omkar Vinit Joshi
        7. YARN-694-20130618.1.patch
          213 kB
          Omkar Vinit Joshi
        8. YARN-694-20130617.patch
          161 kB
          Omkar Vinit Joshi
        9. YARN-694-20130617.2.patch
          190 kB
          Omkar Vinit Joshi
        10. YARN-694-20130617.1.patch
          190 kB
          Omkar Vinit Joshi
        11. YARN-694-20130613.patch
          139 kB
          Omkar Vinit Joshi

        Issue Links

          blocks

          Sub-task - The sub-task of the issue YARN-613 Create NM proxy per NM instead of per container

          • Major - Major loss of function.
          • Closed

          Sub-task - The sub-task of the issue YARN-739 NM startContainer should validate the NodeId

          • Major - Major loss of function.
          • Closed
          breaks

          Bug - A problem which impairs or prevents the functions of the product. YARN-854 App submission fails on secure deploy

          • Blocker - Blocks development and/or testing work, production could not run
          • Closed
          is blocked by

          Sub-task - The sub-task of the issue YARN-692 Creating NMToken master key on RM and sharing it with NM as a part of RM-NM heartbeat.

          • Major - Major loss of function.
          • Closed

          Sub-task - The sub-task of the issue YARN-693 Sending NMToken to AM on allocate call

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. YARN-639 Make AM of Distributed Shell Use NMClient

          • Major - Major loss of function.
          • Closed
          is related to

          Bug - A problem which impairs or prevents the functions of the product. YARN-1433 ContainerManagementProtocolProxy doesn't have the retry policy

          • Major - Major loss of function.
          • Open
          relates to

          Sub-task - The sub-task of the issue YARN-870 Node manager is no longer required to store ContainerToken as it is required only during startContainer call.

          • Major - Major loss of function.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. YARN-1189 NMTokenSecretManagerInNM is not being told when applications have finished

          • Blocker - Blocks development and/or testing work, production could not run
          • Closed

          Activity

            People

              ojoshi Omkar Vinit Joshi
              ojoshi Omkar Vinit Joshi
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: