[ 
https://issues.apache.org/jira/browse/YARN-707?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13751407#comment-13751407
 ] 

Bikas Saha commented on YARN-707:
---------------------------------

Ah. My bad. The way we had modeled this was by asserting that clientTokens are 
generated once per app attempt (and in fact, it's a member variable of 
RMAppAttemptImpl). So all app attempt tokens (like clientToken and amRmToken) 
were being stored while storing the app attempt itself 
(RMStateStore.storeApplicationAttempt()). And there are tests for app attempt 
storage and retrieval.

Now, since app tokens will be generated per client, like you rightly say, the 
master key and not the token itself needs to be stored. It looks like there are 
different keys for different app attempts. Would it be possible to continue 
using the app attempt object to store all the app-attempt-related information, 
including the master key for the app, instead of changing the 
ClientToAMTokenSecretManager and storing all these keys separately? That would 
be more in line with the way we have been modeling the storage. It will also 
reduce the changes needed, since the plumbing to store app state already exists. 
In that case, the RMAppAttemptImpl will hold a reference to the key too. When 
we load the RMAppAttemptImpl from the store, then in the recover transition it 
would go through all existing logic and register with 
ClientToAMTokenSecretManager(), but this time supply the stored token to it 
instead of generating one afresh. Of course, ClientToAMTokenSecretManager would 
need changes in both approaches to support refreshing keys from an external 
source.

Hope this context helps! Sorry for the confusion. Thoughts?

> Add user info in the YARN ClientToken
> -------------------------------------
>
>                 Key: YARN-707
>                 URL: https://issues.apache.org/jira/browse/YARN-707
>             Project: Hadoop YARN
>          Issue Type: Improvement
>            Reporter: Bikas Saha
>            Assignee: Jason Lowe
>             Fix For: 3.0.0, 2.1.1-beta
>
>         Attachments: YARN-707-20130822.txt
>
>
> If user info is present in the client token then it can be used to do limited 
> authz in the AM.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
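The recovery design sketched in the comment above, as an added example that is not part of the JIRA thread or of YARN's own code. The classes here (AttemptState, StateStore, AttemptKeyedSecretManager, recover) are hypothetical stand-ins for RMAppAttemptImpl, RMStateStore and ClientToAMTokenSecretManager; the token password construction (HMAC over attempt id and user) and the attempt id string are constructed for illustration. It shows the master key being persisted with the attempt, the recover transition re-registering with the stored key instead of generating a fresh one, and why that matters for tokens issued before the restart.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Illustrative sketch only; names are stand-ins, not YARN's real classes. */
public class ClientTokenRecoveryExample {

    /** Persisted per attempt: the client-token master key travels with the attempt. */
    static final class AttemptState {
        final String attemptId;
        final byte[] clientTokenMasterKey;
        AttemptState(String attemptId, byte[] key) {
            this.attemptId = attemptId;
            this.clientTokenMasterKey = key.clone();
        }
    }

    /** Stand-in for RMStateStore.storeApplicationAttempt() and its load path. */
    static final class StateStore {
        private final Map<String, AttemptState> attempts = new HashMap<>();
        void storeApplicationAttempt(AttemptState s) { attempts.put(s.attemptId, s); }
        Map<String, AttemptState> loadAttempts() { return new HashMap<>(attempts); }
    }

    /** Stand-in for ClientToAMTokenSecretManager with an external-key registration path. */
    static final class AttemptKeyedSecretManager {
        private final Map<String, byte[]> masterKeys = new HashMap<>();
        private final SecureRandom rng = new SecureRandom();

        /** Normal path: a brand-new attempt gets a freshly generated master key. */
        byte[] registerApplication(String attemptId) {
            byte[] key = new byte[32];
            rng.nextBytes(key);
            masterKeys.put(attemptId, key.clone());
            return key;
        }

        /** Recovery path: reinstall the key loaded from the store; no fresh key. */
        void registerApplication(String attemptId, byte[] storedKey) {
            masterKeys.put(attemptId, storedKey.clone());
        }

        /** Token password = HMAC(masterKey, attemptId || user); user is bound into it. */
        byte[] createPassword(String attemptId, String user) {
            byte[] key = masterKeys.get(attemptId);
            if (key == null) throw new IllegalStateException("no master key for " + attemptId);
            return hmac(key, attemptId + "|" + user);
        }

        /** Verification as the AM side would do it; constant-time comparison. */
        boolean verify(String attemptId, String user, byte[] password) {
            byte[] key = masterKeys.get(attemptId);
            return key != null && MessageDigest.isEqual(hmac(key, attemptId + "|" + user), password);
        }

        private static byte[] hmac(byte[] key, String data) {
            try {
                Mac mac = Mac.getInstance("HmacSHA256");
                mac.init(new SecretKeySpec(key, "HmacSHA256"));
                return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
            } catch (GeneralSecurityException e) {
                throw new IllegalStateException(e);
            }
        }
    }

    /** The recover transition: every stored attempt re-registers with its stored key. */
    static AttemptKeyedSecretManager recover(StateStore store) {
        AttemptKeyedSecretManager mgr = new AttemptKeyedSecretManager();
        for (AttemptState s : store.loadAttempts().values()) {
            mgr.registerApplication(s.attemptId, s.clientTokenMasterKey);
        }
        return mgr;
    }

    public static void main(String[] args) {
        String attempt = "appattempt_0001_000001";   // constructed id for the example
        StateStore store = new StateStore();

        // Before restart: register the attempt, persist the key with it, issue alice a token.
        AttemptKeyedSecretManager before = new AttemptKeyedSecretManager();
        byte[] key = before.registerApplication(attempt);
        store.storeApplicationAttempt(new AttemptState(attempt, key));
        byte[] alicePassword = before.createPassword(attempt, "alice");

        // RM restart: the in-memory manager is gone; rebuild it from the store.
        AttemptKeyedSecretManager after = recover(store);
        System.out.println("alice's token after recovery: " + after.verify(attempt, "alice", alicePassword));
        System.out.println("same password as mallory:     " + after.verify(attempt, "mallory", alicePassword));

        // What happens if recovery generated a key afresh instead of reusing the stored one.
        AttemptKeyedSecretManager fresh = new AttemptKeyedSecretManager();
        fresh.registerApplication(attempt);
        System.out.println("alice's token under fresh key: " + fresh.verify(attempt, "alice", alicePassword));
    }
}
```

The two-argument registerApplication is the "refresh keys from an external source" change the comment says the secret manager needs in either approach; keeping the key on the attempt state means the existing storeApplicationAttempt() plumbing carries it without a separate key store. The first check passes only because the stored key was reinstalled; the last check shows that a freshly generated key on recovery would invalidate every client token handed out before the restart, and the middle check shows the user bound into the token (the point of YARN-707) failing for a different principal.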
