[
https://issues.apache.org/jira/browse/YARN-613?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13656390#comment-13656390
]
Vinod Kumar Vavilapalli commented on YARN-613:
----------------------------------------------
Till now, NMs have always been trusted. That's the reason why we don't have
those checks. We'll need to add those extra checks if we feel that this
assumption isn't true.
I'd just do the auth based on AMNMToken and do the authz based on the supplied
appid and user information. Passing in AMTokens is an unnecessary step once we
do that.
Definitely going to rename all these tokens to reflect what they are doing.
I talked to [~jnp] and [~sseth] offline even before this discussion. We reached
the AMToken solution fundamentally because we were all trying to add in a new
token. But as we are now saying that NMs necessarily cannot be trusted, it
makes sense to add in the new token like you proposed. I discussed with them
again and they both agreed.
Let's go ahead with AMNMTokens.
> Create NM proxy per NM instead of per container
> -----------------------------------------------
>
> Key: YARN-613
> URL: https://issues.apache.org/jira/browse/YARN-613
> Project: Hadoop YARN
> Issue Type: Sub-task
> Reporter: Bikas Saha
> Assignee: Omkar Vinit Joshi
>
> Currently a new NM proxy has to be created per container since the secure
> authentication is using a containertoken from the container.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
