[jira] [Commented] (ACCUMULO-3513) Ensure MapReduce functionality with Kerberos enabled

Wed, 04 Feb 2015 14:57:08 -0800 

    [ 
https://issues.apache.org/jira/browse/ACCUMULO-3513?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14306160#comment-14306160
 ] 

Josh Elser commented on ACCUMULO-3513:
--------------------------------------

bq. Ugh, I missed that. Sorry. Now you need to grant YARN setuid privileges. 
That's... unfortunate. I suppose you also have to make assumptions about which 
UID you need to use, based on the content of the delegation token, too, and I 
guess there's no guarantee that this will even be the same on every node, or 
match the submitter's UID. (Though, presumably, they will all be the same if 
using some common login service, like AD on all the nodes.)

Yes, it is a pain to get YARN set up in secure mode (notably setuid stuff), but 
it is well written out what you need to do. It's also a stated YARN assumption 
that the user must exist on every node.

> Ensure MapReduce functionality with Kerberos enabled
> ----------------------------------------------------
>
>                 Key: ACCUMULO-3513
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-3513
>             Project: Accumulo
>          Issue Type: Bug
>          Components: client
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>            Priority: Blocker
>             Fix For: 1.7.0
>
>         Attachments: ACCUMULO-3513-design.pdf
>
>
> I talked to [~devaraj] today about MapReduce support running on secure Hadoop 
> to help get a picture about what extra might be needed to make this work.
> Generally, in Hadoop and HBase, the client must have valid credentials to 
> submit a job, then the notion of delegation tokens is used by for further 
> communication since the servers do not have access to the client's sensitive 
> information. A centralized service manages creation of a delegation token 
> which is a record which contains certain information (such as the submitting 
> user name) necessary to securely identify the holder of the delegation token.
> The general idea is that we would need to build support into the master to 
> manage delegation tokens to node managers to acquire and use to run jobs. 
> Hadoop and HBase both contain code which implements this general idea, but we 
> will need to apply them Accumulo and verify that it is M/R jobs still work on 
> a kerberized environment.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to