Daryn Sharp created MAPREDUCE-5093:
--------------------------------------
Summary: Improve RM and HS token acquisition during job submission
Key: MAPREDUCE-5093
URL: https://issues.apache.org/jira/browse/MAPREDUCE-5093
Project: Hadoop Map/Reduce
Issue Type: Improvement
Components: job submission
Affects Versions: 2.0.0-alpha, 0.23.0, 3.0.0
Reporter: Daryn Sharp
Jobs that intend to submit other jobs (ex. oozie, pig) require a RM token.
Yarn has added the requirement of a HS token. Currently the submitter is
required to explicitly obtain a RM token with the correct renewer and add it to
the credentials. To avoid breaking compatibility, the HS token is implicitly
acquired if the submitter acquired a RM token via getDelegationToken.
Viewfs exposed the limitations of assuming only one token per filesystem.
Similarly, the RM + HS token has the same issue. We should consider changing
the api, ex. {{getDelegationToken(renewer)}} to {{addDelegationTokens(renewer,
creds)}} ala the filesystem change.
Further, token acquisition should ideally be considered an internal
implementation detail required by security. Submitters, particularly oozie &
pig, would benefit greatly from conf setting to indicate jobs are allowed to
submit jobs. This conf setting would trigger invoking the proposed
{{addDelegationTokens}} plus ensure the correct renewer is used, further
freeing submitters from knowing internal implementation details of security.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
