[ 
https://issues.apache.org/jira/browse/YARN-896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13727680#comment-13727680
 ] 

Larry McCay commented on YARN-896:
----------------------------------

While I am missing some of the important context of how tokens are issued for 
these long lived containers, I can introduce another pattern for token use that 
may be of some interest. 

If, when an application is submitted to the RM, it included tokens that represent 
the application's identity and have a sufficiently long expiration date, then 
they could be exchanged for shorter-lived access tokens. Upon completion or 
being flagged as rogue, the identity token can be revoked/invalidated, at which 
time the bearer could no longer acquire access tokens with it. This pattern 
eliminates the finite lifespan issue that tokens such as the delegation token 
have and at the same time reduces the amount of damage that can be done with an 
access token. This pattern is being discussed as part of the Hadoop SSO efforts 
for user authentication which you can find at HADOOP-9533 and HADOOP-9392. I 
have also filed a JIRA and have a preliminary patch posted for a JsonWebToken 
for use in such a pattern: HADOOP-9781. It utilizes PKI based cryptography for 
signing and verifying the token which is supported with a dependency on JIRA 
HADOOP-9534 for a credential management framework.
                
> Roll up for long lived YARN
> ---------------------------
>
>                 Key: YARN-896
>                 URL: https://issues.apache.org/jira/browse/YARN-896
>             Project: Hadoop YARN
>          Issue Type: New Feature
>            Reporter: Robert Joseph Evans
>
> YARN is intended to be general purpose, but it is missing some features to be 
> able to truly support long lived applications and long lived containers.
> This ticket is intended to
>  # discuss what is needed to support long lived processes
>  # track the resulting JIRA.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
