[ 
https://issues.apache.org/jira/browse/SAMZA-19?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13742836#comment-13742836
 ] 

Jakob Homan commented on SAMZA-19:
----------------------------------

bq. We should secure the AM dashboard using Hadoop's security mechanism (a 
SPNEGO servlet filter, I believe).
Hadoop has a pluggable interface for securing its web pages and ships with a 
SPNEGO filter that implements that interface.  It's pluggable to allow other 
orgs to use their own SSO solutions.  SPNEGO is just the web version of 
Kerberos (that's 99% true...) and is standard for connecting in Kerberized 
environments.

bq. Jakob Homan Any feedback on the best approach here? Does SPNEGO filter seem 
sane? What's the pattern for RPC?
SPNEGO is fine for the web servlets.  At the RPC level, Kerberos is used at the 
socket level via GSSAPI.  Since we're running within YARN, it'd be good to base 
any security on Kerberos/GSSAPI. 

bq. I'm assuming MapReduce is using the same RPC as YARN, and get security at 
the RPC level for free.
It's the other way around (historically), but yeah.  Need to take a deeper look 
into the YARN security.  
                
> Secure YARN AM
> --------------
>
>                 Key: SAMZA-19
>                 URL: https://issues.apache.org/jira/browse/SAMZA-19
>             Project: Samza
>          Issue Type: Bug
>            Reporter: Chris Riccomini
>
> Samza's YARN AM starts a Jetty servlet container that runs a Scalatra/SCAML 
> dashboard server for the Samza job, and an HTTP-RESTish RPC server on two 
> different ports.
> We should secure the AM dashboard using Hadoop's security mechanism (a SPNEGO 
> servlet filter, I believe).
> Need to investigate what to do regarding the RPC server.
> [~jakobhoman] Any feedback on the best approach here? Does SPNEGO filter seem 
> sane? What's the pattern for RPC?
> I'm assuming MapReduce is using the same RPC as YARN, and get security at the 
> RPC level for free.
