[jira] [Commented] (MAPREDUCE-3251) Network ACLs can prevent some clients to talk to MR ApplicationMaster

Fri, 11 Nov 2011 10:34:13 -0800 

    [ 
https://issues.apache.org/jira/browse/MAPREDUCE-3251?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13148647#comment-13148647
 ] 

Mahadev konar commented on MAPREDUCE-3251:
------------------------------------------

Option 2 would be a problem for operations folks. A secure cluster deployment 
is getting more and more complicated (eg. the proxy).

I think option 1 might be fine, and we can make improvements to it by letting 
the AM send progress update to RM (via a string) and let the client get the 
update from RM and use that only the flag is turned on (flag for no 
communication to AM's). What do you guys think? 
                
> Network ACLs can prevent some clients to talk to MR ApplicationMaster
> ---------------------------------------------------------------------
>
>                 Key: MAPREDUCE-3251
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-3251
>             Project: Hadoop Map/Reduce
>          Issue Type: Task
>          Components: mrv2
>    Affects Versions: 0.23.0
>            Reporter: Anupam Seth
>            Assignee: Anupam Seth
>            Priority: Critical
>             Fix For: 0.23.1
>
>
> In 0.20.xxx, the JobClient while polling goes to JT to get the job status. 
> With YARN, AM can be launched on any port and the client will have to have 
> ACL open to that port to talk to AM and get the job status. When the client 
> is within the same grid network access to AM is not a problem. But some 
> applications may have one installation per set of clusters and may launch 
> jobs even across such sets (on job trackers in another set of clusters). For 
> that to work only the JT port needs to be open currently. In case of YARN, 
> all ports will have to be opened up for things to work. That would be a 
> security no-no.
> There are two possible solutions:
>   1) Make the job client only talk to RM (as an option) to get the job 
> status. 
>   2) Limit the range of ports AM can listen on.
> Option 2) may not be favorable as there is no direct OS API to find a free 
> port.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to