[ https://issues.apache.org/jira/browse/YARN-9735?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Eric Yang resolved YARN-9735.
-----------------------------
    Resolution: Invalid

[~Prabhu Joseph] A user principal is not used as a service principal because 
the TGS request authenticates the client principal with the service principal, 
and this information is validated on the AM side to ensure that KDC 
pre-authentication took place, and the server can only reconfirm the end user 
credential based on validation of service principals granted to the end user.  
The service principal must match the hostname of the running service.  Without 
the presence of a hostname in the service principal, there is no security 
validation on the service side to determine whether the end user is allowed or 
not.  Hence, allowing a user principal to run as a service becomes a security 
hole.  This reasoning makes the implementation invalid.  Thank you for trying.

> Allow User Keytab to submit YARN Native Service 
> ------------------------------------------------
>
>                 Key: YARN-9735
>                 URL: https://issues.apache.org/jira/browse/YARN-9735
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: yarn-native-services
>    Affects Versions: 3.2.0
>            Reporter: Prabhu Joseph
>            Assignee: Prabhu Joseph
>            Priority: Major
>
> Yarn Native Service launch fails on a secure cluster with user keytab. It 
> allows only service keytab. Have seen most of the users test their jobs with 
> user keytab.  
> {code}
> [ambari-qa@pjosephdocker-3 ~]$ yarn app -launch sleeper-service 
> /usr/hdp/3.0.1.0-187/hadoop-yarn/yarn-service-examples/sleeper/sleeper.json
> 19/08/03 17:17:04 ERROR client.ApiServiceClient: Kerberos principal 
> (ambari-qa-pjosephdoc...@docker.com) does  not contain a hostname.
> {code}



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
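
The hostname requirement discussed in the resolution above, as an added illustration that is not part of the original message and is not Hadoop's code: it splits a Kerberos principal into its components and accepts it for a service only when the host component matches the service host. The function names, reason strings, and sample principals are constructed assumptions.

```python
def split_principal(principal):
    """Split 'primary/instance@REALM' into (components, realm), honoring '\\' escapes."""
    parts, buf, in_realm, i = [], [], False, 0
    while i < len(principal):
        ch = principal[i]
        if ch == "\\" and i + 1 < len(principal):
            buf.append(principal[i + 1])      # escaped '/' or '@' is literal
            i += 2
            continue
        if ch in "/@" and not in_realm:
            parts.append("".join(buf))
            buf = []
            in_realm = (ch == "@")            # everything after '@' is the realm
        else:
            buf.append(ch)
        i += 1
    if in_realm:
        return parts, "".join(buf)
    parts.append("".join(buf))
    return parts, None


def check_service_principal(principal, service_host):
    """Return (ok, reason); ok only for primary/host@REALM with host == service_host."""
    components, realm = split_principal(principal)
    if not realm:
        return False, "no realm"
    if len(components) != 2 or not all(components):
        # A plain user principal (primary@REALM) has no host to validate against.
        return False, "no hostname component"
    host = components[1].rstrip(".").lower()  # DNS names compare case-insensitively
    if host != service_host.rstrip(".").lower():
        return False, "hostname mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample principals, not taken from the issue.
    samples = [
        ("ambari-qa@EXAMPLE.COM", "nm1.example.com"),
        ("sleeper/nm1.example.com@EXAMPLE.COM", "nm1.example.com"),
        ("sleeper/nm1.example.com@EXAMPLE.COM", "nm2.example.com"),
    ]
    for principal, host in samples:
        print(principal, host, check_service_principal(principal, host))
```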
