[jira] [Commented] (YARN-11922) ResourceManager not update SecretManager keysize immediately if recovery is on

Tue, 20 Jan 2026 09:09:19 -0800 


    [ 
https://issues.apache.org/jira/browse/YARN-11922?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18053095#comment-18053095
 ] 

ASF GitHub Bot commented on YARN-11922:
---------------------------------------

K0K0V0K commented on PR #8194:
URL: https://github.com/apache/hadoop/pull/8194#issuecomment-3774006084

   The 2 failing test:
   
   ```
   [ERROR] Tests run: 12, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 
114.0 s <<< FAILURE! 

> ResourceManager not update SecretManager keysize immediately if recovery is on
> ------------------------------------------------------------------------------
>
>                 Key: YARN-11922
>                 URL: https://issues.apache.org/jira/browse/YARN-11922
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: yarn
>    Affects Versions: 3.5.0
>            Reporter: Bence Kosztolnik
>            Assignee: Bence Kosztolnik
>            Priority: Minor
>              Labels: pull-request-available
>
> *Problem Statement:*
> I have a scenario where I need to migrate a YARN cluster to a FIPS 
> 140-3–compatible environment.
> For this, the AMRMTokenSecretManager must use secrets that are at least 112 
> bits long. By default, the secret length is 64 bits. When I modify the key 
> size and restart the cluster with recovery enabled, the state store reloads 
> the old secret, which has a default lifetime of 24 hours. As a result, even 
> though the cluster is configured to operate in FIPS 140-3–compatible mode, it 
> continues to use a non-compliant secret.
>  
> *Solution:*
> When the ResourceManager recovers, it should validate the secret size stored 
> in the state store. If the stored secret size differs from the configured 
> value, the secret should be forcibly regenerated and updated.
>  
> *Tested:*
> Through manual testing, I verified that HIVE applications can run 
> successfully both before and after the configuration change.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to