[ 
https://issues.apache.org/jira/browse/YARN-11922?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18054418#comment-18054418
 ] 

ASF GitHub Bot commented on YARN-11922:
---------------------------------------

brumi1024 commented on PR #8194:
URL: https://github.com/apache/hadoop/pull/8194#issuecomment-3801058851

   Thanks @K0K0V0K for the patch, @p-szucs @Hean-Chhinling for the review. 
@K0K0V0K please fix the last checkstyle issue, other than that LGTM from my 
side.




> ResourceManager not update SecretManager keysize immediately if recovery is on
> ------------------------------------------------------------------------------
>
>                 Key: YARN-11922
>                 URL: https://issues.apache.org/jira/browse/YARN-11922
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: yarn
>    Affects Versions: 3.5.0
>            Reporter: Bence Kosztolnik
>            Assignee: Bence Kosztolnik
>            Priority: Minor
>              Labels: pull-request-available
>
> *Problem Statement:*
> I have a scenario where I need to migrate a YARN cluster to a FIPS 
> 140-3–compatible environment.
> For this, the AMRMTokenSecretManager must use secrets that are at least 112 
> bits long. By default, the secret length is 64 bits. When I modify the key 
> size and restart the cluster with recovery enabled, the state store reloads 
> the old secret, which has a default lifetime of 24 hours. As a result, even 
> though the cluster is configured to operate in FIPS 140-3–compatible mode, it 
> continues to use a non-compliant secret.
>  
> *Solution:*
> When the ResourceManager recovers, it should validate the secret size stored 
> in the state store. If the stored secret size differs from the configured 
> value, the secret should be forcibly regenerated and updated.
>  
> *Tested:*
> Through manual testing, I verified that HIVE applications can run 
> successfully both before and after the configuration change.
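
The recovery-time check proposed in the issue, as an added Java sketch that is not code from the Hadoop patch or PR #8194. The class name, the map standing in for the state store, the key ids and the 128-bit target are assumptions, and random bytes stand in for the real key generation.

```java
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

public class RecoveryKeySizeCheck {
    // Hypothetical stand-in for the RM state store: key id -> raw secret bytes.
    static final Map<Integer, byte[]> STATE_STORE = new HashMap<>();
    static final SecureRandom RANDOM = new SecureRandom();

    // Stand-in for the secret manager's key generation (assumption, not Hadoop's API).
    static byte[] newSecret(int bits) {
        byte[] secret = new byte[bits / 8];
        RANDOM.nextBytes(secret);
        return secret;
    }

    /** Returns the key id in use after recovery, regenerating on a size mismatch. */
    static int recover(int storedKeyId, int configuredBits) {
        if (configuredBits <= 0 || configuredBits % 8 != 0) {
            throw new IllegalArgumentException("key size must be a positive multiple of 8");
        }
        byte[] stored = STATE_STORE.get(storedKeyId);
        int storedBits = (stored == null) ? 0 : stored.length * 8;
        if (storedBits == configuredBits) {
            return storedKeyId; // stored secret already matches the configuration
        }
        // Mismatch (or nothing stored): regenerate now instead of waiting for the
        // old secret's lifetime to run out, and persist the replacement.
        // How tokens signed with the old secret are handled is outside this sketch.
        int newKeyId = storedKeyId + 1;
        STATE_STORE.put(newKeyId, newSecret(configuredBits));
        STATE_STORE.remove(storedKeyId);
        return newKeyId;
    }

    public static void main(String[] args) {
        STATE_STORE.put(1, newSecret(64)); // constructed: secret saved under the 64-bit default
        int id = recover(1, 128);          // restart with a 128-bit configuration
        System.out.println("key id " + id + ", "
                + STATE_STORE.get(id).length * 8 + " bits");
        int same = recover(id, 128);       // second restart: sizes match, key is kept
        System.out.println("key id " + same + " kept");
    }
}
```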


