[ https://issues.apache.org/jira/browse/MAPREDUCE-3943?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13288959#comment-13288959 ]

Siddharth Seth commented on MAPREDUCE-3943:
-------------------------------------------

bq.     Having NMs generate keys can get expensive.
Please elaborate? I'm probably naive about a detail, but it seems like a simple 
operation to generate the key, register it with the RM which can cache it in 
its secret manager.

That was supposed to read - having NMs generate 'tokens' can get expensive. 
With the current protocol - the RM sets the allocated containerId as part of 
the token identifier. The RM would have to inform the NM about the containerId, 
have it generate the token and then provide it to the AM. That's several 
heartbeats.
Moving to per node secrets - I believe that can be achieved via the RM as well, 
instead of having NMs generate the secret, the RM can generate secrets for each 
NM. The pb message doesn't change in this case.

                
> RM-NM secret-keys should be randomly generated and rolled every so often
> ------------------------------------------------------------------------
>
>                 Key: MAPREDUCE-3943
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-3943
>             Project: Hadoop Map/Reduce
>          Issue Type: Sub-task
>          Components: mrv2, security
>    Affects Versions: 0.23.0
>            Reporter: Vinod Kumar Vavilapalli
>            Assignee: Vinod Kumar Vavilapalli
>         Attachments: MAPREDUCE-3943-20120416.txt, MR3943.txt, MR3943.txt
>
>
>  - RM should generate the master-key randomly
>  - The master-key should roll every so often
>  - NM should remember old expired keys so that already doled out 
> container-requests can be satisfied.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
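
The three requirements in the issue description (random master key, periodic roll, NM honouring tokens issued before a roll), as an added sketch that is not Hadoop's code or the attached patch. The class names, the HMAC-SHA256 choice, the integer key id and the keep-only-the-previous-key policy are all assumptions made for illustration.

```java
import javax.crypto.*;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

public class RollingKeySketch {
    // Hypothetical RM side: owns the randomly generated master key.
    static class Rm {
        int keyId = 0;
        SecretKey current;
        Rm() throws Exception { roll(); }
        void roll() throws Exception {
            // KeyGenerator draws key material from a SecureRandom source.
            current = KeyGenerator.getInstance("HmacSHA256").generateKey();
            keyId++;
        }
        // Token = MAC over the identifier, which carries the containerId.
        byte[] sign(String containerId) throws Exception { return mac(current, containerId); }
    }
    // Hypothetical NM side: keeps the current key and the one before it.
    static class Nm {
        final Map<Integer, SecretKey> keys = new HashMap<>();
        void onNewKey(int id, SecretKey k) {
            keys.put(id, k);
            keys.remove(id - 2); // anything older than the previous key is dropped
        }
        boolean verify(int id, String containerId, byte[] tag) throws Exception {
            SecretKey k = keys.get(id);
            // Recompute the MAC and compare in constant time.
            return k != null && MessageDigest.isEqual(mac(k, containerId), tag);
        }
    }
    static byte[] mac(SecretKey k, String msg) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(k);
        return m.doFinal(msg.getBytes(StandardCharsets.UTF_8));
    }
    public static void main(String[] args) throws Exception {
        Rm rm = new Rm(); Nm nm = new Nm();
        nm.onNewKey(rm.keyId, rm.current);       // stands in for key delivery to the NM
        String cid = "container_0001_01_000002"; // constructed sample id
        int id = rm.keyId; byte[] tok = rm.sign(cid);
        rm.roll(); nm.onNewKey(rm.keyId, rm.current);
        System.out.println("token after 1 roll accepted: " + nm.verify(id, cid, tok));
        rm.roll(); nm.onNewKey(rm.keyId, rm.current);
        System.out.println("token after 2 rolls accepted: " + nm.verify(id, cid, tok));
        System.out.println("other containerId accepted: " + nm.verify(rm.keyId, "container_0001_01_000099", tok));
    }
}
```

The retention window on the NM has to cover the longest gap between the RM issuing a token and the AM presenting it, otherwise valid container requests are rejected after a roll.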

        
