[ https://issues.apache.org/jira/browse/MAPREDUCE-3940?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13286752#comment-13286752 ]
Daryn Sharp commented on MAPREDUCE-3940:
----------------------------------------
A few questions/concerns:
# The {{ContainerTokenSecretManager}} appears to be using a hardcoded secret of
{{mySecretKey}}?
# Secret managers usually handle the expiration internally to prevent
tampering, but the token ident includes the expiry. Combined with the prior
point, is it possible to fabricate tokens for any host with any expiration?
# The secret manager usually validates the token & expiration, but here it
appears the container manager itself is trying to do it? Does this mean
there's no SASL level token check occurring?
# The UGI is the container id instead of the job's submitter?
# The schedulers (fifo & leaf) and secret manager interaction seem inconsistent
with the other implementations. {{Token(ident, secretManager)}} seems to be
the preferred way to create tokens.
> ContainerTokens should have an expiry interval
> ----------------------------------------------
>
> Key: MAPREDUCE-3940
> URL: https://issues.apache.org/jira/browse/MAPREDUCE-3940
> Project: Hadoop Map/Reduce
> Issue Type: Sub-task
> Components: mrv2, security
> Affects Versions: 0.23.0
> Reporter: Vinod Kumar Vavilapalli
> Assignee: Vinod Kumar Vavilapalli
> Attachments: MAPREDUCE-3940-20120308.txt,
> MAPREDUCE-3940-20120416.txt, MAPREDUCE-3940-20120425.txt, MR3940.txt,
> MR3940.txt
>
>
> - RM should generate the expiry time for a container
> - A ContainerToken should have its expire time encoded
> - NMs should reject containers with expired tokens.
> - Expiry interval for a ContainerToken is same as the expiry interval for a
> container.
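
The concern raised in the comment above, that an expiry carried inside the token identifier is only tamper-evident when the signing secret is unpredictable, shown as an added Java example that is not part of the JIRA thread or Hadoop's code. The class, its methods and the `|`-delimited identifier layout are hypothetical, and the sample container id and host are constructed.

```java
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Hypothetical sketch, not Hadoop's ContainerTokenSecretManager.
public class ContainerTokenSketch {
    // Key is generated randomly at RM startup, never a string literal in source.
    // Assumption: it reaches the NMs over an authenticated channel (not shown).
    private final SecretKey key;

    ContainerTokenSketch() throws Exception {
        key = KeyGenerator.getInstance("HmacSHA256").generateKey();
    }

    // Identifier binds container, NM host and expiry; the MAC covers all three.
    // Assumption: neither containerId nor nmHost contains the '|' delimiter.
    static byte[] ident(String containerId, String nmHost, long expiryMs) {
        return (containerId + "|" + nmHost + "|" + expiryMs).getBytes(StandardCharsets.UTF_8);
    }

    // RM side: the token password is the MAC of the identifier.
    byte[] sign(byte[] ident) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        return mac.doFinal(ident);
    }

    // NM side: verify the MAC first; only then trust host and expiry in the identifier.
    boolean accept(byte[] ident, byte[] password, String thisHost, long nowMs) throws Exception {
        if (!MessageDigest.isEqual(sign(ident), password)) return false; // constant-time compare
        String[] f = new String(ident, StandardCharsets.UTF_8).split("\\|");
        return f.length == 3 && f[1].equals(thisHost) && nowMs < Long.parseLong(f[2]);
    }

    public static void main(String[] args) throws Exception {
        ContainerTokenSketch rm = new ContainerTokenSketch();
        long now = System.currentTimeMillis();
        byte[] id = ident("container_01", "nm1:45454", now + 600_000); // constructed sample
        byte[] pw = rm.sign(id);
        System.out.println("valid token:     " + rm.accept(id, pw, "nm1:45454", now));
        System.out.println("after expiry:    " + rm.accept(id, pw, "nm1:45454", now + 700_000));
        byte[] altered = ident("container_01", "nm1:45454", now + 86_400_000L);
        System.out.println("expiry altered:  " + rm.accept(altered, pw, "nm1:45454", now));
        System.out.println("different host:  " + rm.accept(id, pw, "nm2:45454", now));
    }
}
```

If the key were a constant compiled into the code, anyone with the source could recompute the password for an altered identifier, and the expiry and host checks in `accept` would no longer constrain anything.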