[
https://issues.apache.org/jira/browse/YARN-3053?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15832994#comment-15832994
]
Varun Saxena commented on YARN-3053:
------------------------------------
Thanks [~jlowe] for going through the document.
bq. For things like Slider and other long-running services, there's going to be
a need to regenerate the ATS token (i.e.: token rolling similar to what is
already done for other YARN tokens). It would be good to have the strategy for
that explained.
We currently only have app-based collectors, which come up when an app is
submitted and go away when an app is destroyed. Tokens will be renewed by YARN,
i.e. by the collector manager at each NM, if the collector is active and the token
is about to expire. And when an app-based collector is cleaned up, the relevant
timer for renewal will be cancelled.
Will update this point and how we will recover tokens upon restart in the
document.
bq. How are unmanaged AMs handled? Do they have a collector, how do they
authenticate, etc.?
The only thing which changes for unmanaged AMs is that YARN won't launch an AM
container for them. But the rest remains the same. So an app-based collector would
be launched for them as well, and the token and service address passed in the AM
heartbeat. This token will be used for authentication.
bq. How are entities that are not AMs handled? For example, what if a service
outside of YARN wants to post ATS events? Do they have a collector, how do they
authenticate, etc.?
We currently do not have support for off application collectors i.e. we do not
support the publishing of entities for services outside of YARN. This is
planned in future.
Therefore, the design for off-app collectors is not yet decided upon. The Timeline
Client will most probably use an RM endpoint to discover the service address of
the timeline collector to which the client would talk in the case of an off-app
collector.
Even for them, we will use HTTP SPNEGO authentication by using Kerberos,
something which will be added right now. This will be achieved by existing auth
filters. We will load timeline auth filter when collector manager starts up.
We will have to decide, though, how to pass tokens if a client wants to talk
using tokens. We can probably provide explicit APIs to get, renew and cancel
delegation tokens.
We can also introduce support for getting the token transparently in timeline
client. In this case, we will have to manage renewal by ourselves.
> [Security] Review and implement security in ATS v.2
> ---------------------------------------------------
>
> Key: YARN-3053
> URL: https://issues.apache.org/jira/browse/YARN-3053
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: timelineserver
> Reporter: Sangjin Lee
> Assignee: Varun Saxena
> Labels: YARN-5355, yarn-5355-merge-blocker
> Attachments: ATSv2Authentication(draft).pdf
>
>
> Per design in YARN-2928, we want to evaluate and review the system for
> security, and ensure proper security in the system.
> This includes proper authentication, token management, access control, and
> any other relevant security aspects.
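The per-app collector token lifecycle described in the comment above (renew while the collector is active and the token is close to expiry; cancel renewal when the collector is cleaned up), as an added illustration that is not Hadoop/YARN code. The class, method names, lifetimes and the simulated clock are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class Token:
    """Delegation token held for one app-based collector (constructed)."""
    app_id: str
    expires_at: int          # seconds on a simulated monotonic clock
    renewals: int = 0


class CollectorManager:
    """Hypothetical NM-side collector manager tracking one token per app."""
    RENEW_BEFORE = 60        # assumed: renew when within 60 s of expiry
    LIFETIME = 300           # assumed: lifetime granted at issue and on renewal

    def __init__(self):
        self.collectors = {}  # app_id -> Token, only for active collectors
        self.log = []         # (event, app_id) pairs, useful for auditing

    def launch_collector(self, app_id, now):
        # App submitted: collector comes up and receives a fresh token.
        self.collectors[app_id] = Token(app_id, now + self.LIFETIME)

    def cleanup_collector(self, app_id):
        # App destroyed: dropping the entry is the "cancel the renewal
        # timer" step, so no further renewals happen for this app.
        self.collectors.pop(app_id, None)

    def tick(self, now):
        # Periodic renewal pass over active collectors only.
        for tok in self.collectors.values():
            if tok.expires_at <= now:
                self.log.append(("expired", tok.app_id))   # renewal was missed
            elif tok.expires_at - now <= self.RENEW_BEFORE:
                tok.expires_at = now + self.LIFETIME
                tok.renewals += 1
                self.log.append(("renewed", tok.app_id))

    def accept(self, app_id, now):
        # Authentication check a collector would apply to an incoming
        # request: token must belong to an active collector and be unexpired.
        tok = self.collectors.get(app_id)
        return tok is not None and tok.expires_at > now
```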