[jira] [Commented] (MAPREDUCE-3943) RM-NM secret-keys should be randomly generated and rolled every so often

Wed, 09 May 2012 13:16:33 -0700 

    [ 
https://issues.apache.org/jira/browse/MAPREDUCE-3943?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13271756#comment-13271756
 ] 

Daryn Sharp commented on MAPREDUCE-3943:
----------------------------------------

Just FYI, the patch doesn't apply.

It feels a bit contorted for the RM to have a pb message with the current and 
prior key (ie. it's limited), which is the root of the 2X key roll problem.  
With the patch the way it is, having the RM transmit a single key and the NM 
remembering N-many keys is probably "less bad"...?

Passing the shared secret keys in "plaintext" in heartbeats is a bit troubling 
in general.  More concerning is the direction of the data flow:  RM generates 
secret and gives it to the NMs.  A rogue or compromised NM can intercept a key 
which I believe can be used to generate tokens for other NMs.  If true, doesn't 
that put the entire cluster at risk?

Conceptually, the RM should simply request a token from the NM and pass the 
token along to the AM so it can contact the NM.  It that's too expensive, it 
seems like the key exchange should be inverted: NMs generate their own secret, 
and provide that secret to the RM.  A compromised node cannot damage the entire 
cluster.




                
> RM-NM secret-keys should be randomly generated and rolled every so often
> ------------------------------------------------------------------------
>
>                 Key: MAPREDUCE-3943
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-3943
>             Project: Hadoop Map/Reduce
>          Issue Type: Sub-task
>          Components: mrv2, security
>    Affects Versions: 0.23.0
>            Reporter: Vinod Kumar Vavilapalli
>            Assignee: Vinod Kumar Vavilapalli
>         Attachments: MAPREDUCE-3943-20120416.txt, MR3943.txt
>
>
>  - RM should generate the master-key randomly
>  - The master-key should roll every so often
>  - NM should remember old expired keys so that already doled out 
> container-requests can be satisfied.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to