[jira] [Commented] (YARN-6669) Support security for YARN service framework

Fri, 01 Dec 2017 10:38:42 -0800 

    [ 
https://issues.apache.org/jira/browse/YARN-6669?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16274754#comment-16274754
 ] 

Eric Yang commented on YARN-6669:
---------------------------------

In ServiceScheduler.java, the newly introduced code for setting 
KEY_REGISTRY_USER_ACCOUNTS, this is currently set to full name of kerberos 
principal.  ZooKeeper client is only making use of the short name, therefore 
setting znode ACL {{sasl: [email protected]}} will not match during 
ZooKeeper client assumption for reading and writing.  This is the reason that 
we get NoAuth and NoNode exception, when trying to read the znode that we 
stored in ZoKeeper.

> Support security for YARN service framework
> -------------------------------------------
>
>                 Key: YARN-6669
>                 URL: https://issues.apache.org/jira/browse/YARN-6669
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Jian He
>            Assignee: Jian He
>         Attachments: YARN-6669.01.patch, YARN-6669.02.patch, 
> YARN-6669.03.patch, YARN-6669.04.patch, YARN-6669.05.patch, 
> YARN-6669.06.patch, YARN-6669.07.patch, YARN-6669.08.patch, 
> YARN-6669.09.patch, YARN-6669.10.patch, 
> YARN-6669.yarn-native-services.01.patch, 
> YARN-6669.yarn-native-services.03.patch, 
> YARN-6669.yarn-native-services.04.patch, 
> YARN-6669.yarn-native-services.05.patch
>
>
> Changes include:
> -  Make registry client to programmatically generate the jaas conf for secure 
> access ZK quorum
> - Create a KerberosPrincipal resource object in REST API for user to supply 
> keberos keytab and principal 
> - User has two ways to configure:
> -- If keytab starts with "hdfs://",  the keytab will be localized by YARN
> -- If keytab starts with "file://", it is assumed that the keytab are 
> available on the localhost.
> - AM will use the keytab to log in
> - ServiceClient is changed to ask hdfs delegation token when submitting the 
> service
> - AM code will use the tokens when launching containers 
> - Support kerberized communication between client and AM



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to