[
https://issues.apache.org/jira/browse/YARN-8571?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16560149#comment-16560149
]
Hudson commented on YARN-8571:
------------------------------
SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #14655 (See
[https://builds.apache.org/job/Hadoop-trunk-Commit/14655/])
YARN-8571. Validate service principal format prior to launching yarn (billie:
rev b429f19d32d8f60a3535e047ef10cfb3edeb54c8)
* (edit)
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-services/hadoop-yarn-services-core/src/main/java/org/apache/hadoop/yarn/service/exceptions/RestApiErrorMessages.java
* (edit)
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-services/hadoop-yarn-services-core/src/test/java/org/apache/hadoop/yarn/service/TestServiceApiUtil.java
* (edit)
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-services/hadoop-yarn-services-core/src/main/java/org/apache/hadoop/yarn/service/utils/ServiceApiUtil.java
> Validate service principal format prior to launching yarn service
> -----------------------------------------------------------------
>
> Key: YARN-8571
> URL: https://issues.apache.org/jira/browse/YARN-8571
> Project: Hadoop YARN
> Issue Type: Bug
> Components: security, yarn
> Affects Versions: 3.1.0
> Reporter: Eric Yang
> Assignee: Eric Yang
> Priority: Major
> Attachments: YARN-8571.001.patch, YARN-8571.002.patch
>
>
> Hadoop client and server interaction is designed to validate the service
> principal before RPC request is permitted. In YARN service, the same
> security model is enforced to prevent replay attack. However, end user
> might submit JSON that looks like this to YARN service REST API:
> {code}
> {
> "name": "sleeper-service",
> "version": "1.0.0",
> "components" :
> [
> {
> "name": "sleeper",
> "number_of_containers": 2,
> "launch_command": "sleep 900000",
> "resource": {
> "cpus": 1,
> "memory": "256"
> }
> }
> ],
> "kerberos_principal" : {
> "principal_name" : "[email protected]",
> "keytab" : "file:///etc/security/keytabs/smokeuser.headless.keytab"
> }
> }
> {code}
> The kerberos principal is end user kerberos principal instead of service
> principal. This does not work properly because YARN service application
> master requires to run with a service principal to communicate with YARN CLI
> client via Hadoop RPC. Without breaking Hadoop security design in this JIRA,
> it might be in our best interest to validate principal_name during
> submission, and report error message when someone tries to run YARN service
> with user principal.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
