[
https://issues.apache.org/jira/browse/YARN-11922?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Bence Kosztolnik updated YARN-11922:
------------------------------------
Description:
*Problem Statement:*
I have a scenario where I need to migrate a YARN cluster to a FIPS
140-3–compatible environment.
For this, the AMRMTokenSecretManager must use secrets that are at least 112
bits long. By default, the secret length is 64 bits. When I modify the key size
and restart the cluster with recovery enabled, the state store reloads the old
secret, which has a default lifetime of 24 hours. As a result, even though the
cluster is configured to operate in FIPS 140-3–compatible mode, it continues to
use a non-compliant secret.
*Solution:*
When the ResourceManager recovers, it should validate the secret size stored in
the state store. If the stored secret size differs from the configured value,
the secret should be forcibly regenerated and updated.
*Tested:*
Through manual testing, I verified that HIVE applications can run successfully
both before and after the configuration change.
was:
*Problem Statement:*
I have a scenario where I need to migrate a YARN cluster to a FIPS
140-3–compatible environment.
For this, the AMRMTokenSecretManager must use secrets that are at least 112
bits long. By default, the secret length is 64 bits. When I modify the key size
and restart the cluster with recovery enabled, the state store reloads the old
secret, which has a default lifetime of 24 hours. As a result, even though the
cluster is configured to operate in FIPS 140-3–compatible mode, it continues to
use a non-compliant secret.
*Solution:*
When the ResourceManager recovers, it should validate the secret size stored in
the state store. If the stored secret size differs from the configured value,
the secret should be forcibly regenerated and updated.
{*}Tested:{*}{*}{*}
Through manual testing, I verified that HIVE applications can run successfully
both before and after the configuration change.
> ResourceManager not update SecretManager keysize immediately if recovery is on
> ------------------------------------------------------------------------------
>
> Key: YARN-11922
> URL: https://issues.apache.org/jira/browse/YARN-11922
> Project: Hadoop YARN
> Issue Type: Improvement
> Components: yarn
> Affects Versions: 3.5.0
> Reporter: Bence Kosztolnik
> Assignee: Bence Kosztolnik
> Priority: Minor
>
> *Problem Statement:*
> I have a scenario where I need to migrate a YARN cluster to a FIPS
> 140-3–compatible environment.
> For this, the AMRMTokenSecretManager must use secrets that are at least 112
> bits long. By default, the secret length is 64 bits. When I modify the key
> size and restart the cluster with recovery enabled, the state store reloads
> the old secret, which has a default lifetime of 24 hours. As a result, even
> though the cluster is configured to operate in FIPS 140-3–compatible mode, it
> continues to use a non-compliant secret.
>
> *Solution:*
> When the ResourceManager recovers, it should validate the secret size stored
> in the state store. If the stored secret size differs from the configured
> value, the secret should be forcibly regenerated and updated.
>
> *Tested:*
> Through manual testing, I verified that HIVE applications can run
> successfully both before and after the configuration change.
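An added sketch of the recovery-time check proposed in the issue above. It is not code from the Hadoop patch or from the reporter. The class and method names, the HmacSHA1 algorithm and the 128-bit target size are assumptions for illustration, and records need Java 16 or later.

```java
import java.security.NoSuchAlgorithmException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical sketch; not Hadoop's AMRMTokenSecretManager or its state store API. */
public class RecoveredSecretCheck {
    static final String HMAC_ALG = "HmacSHA1"; // assumed algorithm for this demo

    /** Recovery result: the key to use and whether the state store must be rewritten. */
    record Recovered(SecretKey key, boolean regenerated) {}

    static SecretKey generate(int bits) throws NoSuchAlgorithmException {
        KeyGenerator kg = KeyGenerator.getInstance(HMAC_ALG);
        kg.init(bits);
        return kg.generateKey();
    }

    /**
     * Keep the stored secret only if its length equals the configured length;
     * otherwise, or if nothing was stored, generate a fresh secret.
     */
    static Recovered recover(byte[] storedKey, int configuredBits)
            throws NoSuchAlgorithmException {
        if (configuredBits <= 0 || configuredBits % 8 != 0) {
            throw new IllegalArgumentException("key size must be a positive multiple of 8");
        }
        if (storedKey != null && storedKey.length * 8 == configuredBits) {
            return new Recovered(new SecretKeySpec(storedKey, HMAC_ALG), false);
        }
        return new Recovered(generate(configuredBits), true);
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a secret saved while the 64-bit default was in effect.
        byte[] old = generate(64).getEncoded();
        // Restart with recovery enabled after raising the configured size.
        Recovered first = recover(old, 128);
        System.out.printf("stored=%d bits, in use=%d bits, regenerated=%b%n",
                old.length * 8, first.key().getEncoded().length * 8, first.regenerated());
        // The caller has to persist a regenerated key; once it has, the next
        // restart finds a matching size and keeps the stored secret.
        Recovered second = recover(first.key().getEncoded(), 128);
        System.out.println("second restart regenerated=" + second.regenerated());
    }
}
```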