Steve Loughran created YARN-4877:
------------------------------------

             Summary: Add a way to push out updated service tokens to containers
                 Key: YARN-4877
                 URL: https://issues.apache.org/jira/browse/YARN-4877
             Project: Hadoop YARN
          Issue Type: Sub-task
    Affects Versions: 2.8.0
            Reporter: Steve Loughran


All YARN apps with a planned lifespan of more than 24h need to have a way to 
push out updated tokens to containers; the tokens themselves coming from an AM 
with a keytab, a kinited user, or Oozie. 

Per-app solutions are likely to have different security flaws, 
testability/support problems etc. Yet we already have a mechanism for the RM to 
pass credentials to the NMs and into the local filesystem for container 
launch...this could be extended to support updated credential propagation, 
something like

# AM/RM protocol adds operation to replace credentials on a container; NM uses 
this to pull down new value; UGI refresh thread can look for updated data @ 
{{HADOOP_TOKEN_FILES_LOCATION}} and reload.
# YARN Client API extended to allow AM launch context credentials to be 
similarly updated



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
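
The container-side half of the proposal above (a refresh thread that notices a replaced token file and reloads it), sketched as an added example that is not code from the issue or from Hadoop. The class name, the `reloadHook` callback and the 60-second poll interval are assumptions; the file path is passed in and would come from the environment variable named in the issue. The writer is assumed to replace the file by atomic rename.

```java
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.*;
import java.util.EnumSet;
import java.util.Set;
import java.util.concurrent.*;
import java.util.function.Consumer;

/** Added illustration: polls a token file and hands new contents to a reload hook. */
public class TokenFileWatcher {
    // Only owner read/write is accepted; any other bit (group, other, execute) is refused.
    private static final Set<PosixFilePermission> OWNER_ONLY = EnumSet.of(
        PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE);

    private final Path tokenFile;
    private final Consumer<byte[]> reloadHook;   // hypothetical: would parse tokens and add them to the UGI
    private FileTime lastLoaded = FileTime.fromMillis(0);

    public TokenFileWatcher(Path tokenFile, Consumer<byte[]> reloadHook) {
        this.tokenFile = tokenFile;
        this.reloadHook = reloadHook;
    }

    /** Returns true if a newer, safely-permissioned token file was found and reloaded. */
    public synchronized boolean checkOnce() throws IOException {
        // NOFOLLOW_LINKS: a symlink planted at the token path is rejected, not followed.
        PosixFileAttributes a = Files.readAttributes(
            tokenFile, PosixFileAttributes.class, LinkOption.NOFOLLOW_LINKS);
        if (!a.isRegularFile()) throw new SecurityException("not a regular file: " + tokenFile);
        if (!a.owner().getName().equals(System.getProperty("user.name")))
            throw new SecurityException("token file owned by " + a.owner().getName());
        if (!OWNER_ONLY.containsAll(a.permissions()))
            throw new SecurityException("token file permissions too open: " + tokenFile);
        if (a.lastModifiedTime().compareTo(lastLoaded) <= 0) return false;  // nothing new
        reloadHook.accept(Files.readAllBytes(tokenFile));
        lastLoaded = a.lastModifiedTime();
        return true;
    }

    public static void main(String[] args) {
        TokenFileWatcher w = new TokenFileWatcher(Paths.get(args[0]),
            bytes -> System.out.println("reloaded " + bytes.length + " bytes of credentials"));
        ScheduledExecutorService ses = Executors.newSingleThreadScheduledExecutor();
        ses.scheduleWithFixedDelay(() -> {
            // Catch everything: an uncaught exception would silently cancel later polls.
            try { w.checkOnce(); }
            catch (Exception e) { System.err.println("skip reload: " + e); }
        }, 0, 60, TimeUnit.SECONDS);
    }
}
```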
