Omkar Vinit Joshi commented on YARN-694:

Things pending..
* Fix TestContainerManagerSecurity ... uncomment tests
* Distributed shell pass tokens from AMRMClient to NMClient
* Add test in TestContainerManagerSecurity to test key roll over.

> Start using NMTokens to authenticate all communication with NM
> --------------------------------------------------------------
>                 Key: YARN-694
>                 URL: https://issues.apache.org/jira/browse/YARN-694
>             Project: Hadoop YARN
>          Issue Type: Bug
>            Reporter: Omkar Vinit Joshi
>            Assignee: Omkar Vinit Joshi
>         Attachments: YARN-694-20130613.patch, YARN-694-20130617.patch
> AM uses the NMToken to authenticate all the AM-NM communication.
> NM will validate NMToken in below manner
> * If NMToken is using current or previous master key then the NMToken is 
> valid. In this case it will update its cache with this key corresponding to 
> appId.
> * If NMToken is using the master key which is present in NM's cache 
> corresponding to AM's appId then it will be validated based on this.
> * If NMToken is invalid then NM will reject AM calls.
> Modification for ContainerToken
> * At present RPC validates AM-NM communication based on ContainerToken. It 
> will be replaced with NMToken. Also now onwards AM will use NMToken per NM 
> (replacing earlier behavior of ContainerToken per container per NM).
> * startContainer in case of Secured environment is using ContainerToken from 
> UGI YARN-617; however after this it will use it from the payload (Container).
> * ContainerToken will exist and it will only be used to validate the AM's 
> container start request.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to