[
https://issues.apache.org/jira/browse/YARN-694?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Vinod Kumar Vavilapalli updated YARN-694:
-----------------------------------------
Issue Type: Sub-task (was: Bug)
Parent: YARN-47
> Start using NMTokens to authenticate all communication with NM
> --------------------------------------------------------------
>
> Key: YARN-694
> URL: https://issues.apache.org/jira/browse/YARN-694
> Project: Hadoop YARN
> Issue Type: Sub-task
> Reporter: Omkar Vinit Joshi
> Assignee: Omkar Vinit Joshi
> Fix For: 2.1.0-beta
>
> Attachments: YARN-694-20130613.patch, YARN-694-20130617.1.patch,
> YARN-694-20130617.2.patch, YARN-694-20130617.patch,
> YARN-694-20130618.1.patch, YARN-694-20130618.2.patch,
> YARN-694-20130618.3.patch, YARN-694-20130618.4.patch,
> YARN-694-20130618.5.patch, YARN-694-20130618.patch.branch-2,
> YARN-694-20130618.patch.yarn-694-branch-2.1-beta
>
>
> AM uses the NMToken to authenticate all the AM-NM communication.
> NM will validate NMToken in below manner
> * If NMToken is using current or previous master key then the NMToken is
> valid. In this case it will update its cache with this key corresponding to
> appId.
> * If NMToken is using the master key which is present in NM's cache
> corresponding to AM's appId then it will be validated based on this.
> * If NMToken is invalid then NM will reject AM calls.
> Modification for ContainerToken
> * At present RPC validates AM-NM communication based on ContainerToken. It
> will be replaced with NMToken. Also now onwards AM will use NMToken per NM
> (replacing earlier behavior of ContainerToken per container per NM).
> * startContainer in case of Secured environment is using ContainerToken from
> UGI YARN-617; however after this it will use it from the payload (Container).
> * ContainerToken will exist and it will only be used to validate the AM's
> container start request.
--
This message was sent by Atlassian JIRA
(v6.1.4#6159)
