[ https://issues.apache.org/jira/browse/YARN-1841?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daryn Sharp resolved YARN-1841.
-------------------------------

    Resolution: Not A Problem

Oleg, the authentication config setting specifies the _external authentication_ 
for client-visible services, i.e. the NN, RM, etc.  The _internal 
authentication_ within the YARN framework is an implementation detail 
independent of the config auth method.  YARN does not need to log a warning or 
exception for its internal design.

I think you are naively looking at this from the viewpoint of "simple" auth.  
Consider Kerberos auth.  The AM, NM, tasks, etc. cannot use Kerberos to 
authenticate.  Even if they could, the token is used to securely sign and 
transport tamper-resistant values.  Always using tokens prevents the dreaded 
"why does this AM/etc. break with security enabled?"  After using the configured 
auth for job submission, the code path within YARN is common and the internal 
auth is of no concern to the user.

There is no design problem; the API is transparently based on the token + RPC 
layer meshing to securely transport (whether simple or Kerberos auth) the 
identity and resource requirements between processes.

Feel free to ask Vinod or me questions offline to come up to speed on Hadoop & 
YARN's security.

> YARN ignores/overrides explicit security settings
> -------------------------------------------------
>
>                 Key: YARN-1841
>                 URL: https://issues.apache.org/jira/browse/YARN-1841
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: resourcemanager
>    Affects Versions: 2.3.0
>            Reporter: Oleg Zhurakousky
>
> core-site.xml explicitly sets authentication as SIMPLE
> {code}
>   <property>
>     <name>hadoop.security.authentication</name>
>     <value>simple</value>
>     <description>Simple authentication</description>
>   </property>
> {code}
> However any attempt to register ApplicationMaster on the remote YARN cluster 
> results in 
> {code}
> org.apache.hadoop.security.AccessControlException: SIMPLE authentication is 
> not enabled.  Available:[TOKEN]
> . . .
> {code}



--
This message was sent by Atlassian JIRA
(v6.2#6252)
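
The split described in the resolution above, as an added example that is not part of the original message and is not Hadoop code: a simplified Python model in which the configured method gates only the client-facing submission, while the internal ApplicationMaster registration accepts nothing but a signed token. The class and method names, the sample attempt id, and the use of HMAC-SHA256 are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Simplified model of the behaviour discussed in this thread; NOT Hadoop code.
# ResourceManagerModel, submit and register_am are hypothetical names.


class AccessControlError(Exception):
    pass


class ResourceManagerModel:
    def __init__(self, external_auth):
        # Models hadoop.security.authentication: "simple" or "kerberos".
        self.external_auth = external_auth
        self._master_key = os.urandom(32)  # secret known only to the RM

    def _sign(self, identifier):
        # Stand-in signature over the token identifier (assumed HMAC-SHA256).
        return hmac.new(self._master_key, identifier, hashlib.sha256).digest()

    def submit(self, user, client_auth):
        """Client-visible call: checked against the configured auth method."""
        if client_auth != self.external_auth:
            raise AccessControlError(
                f"{client_auth.upper()} authentication is not enabled")
        # Constructed sample identifier binding the user to one app attempt.
        identifier = f"user={user};attempt=appattempt_0001_000001".encode()
        return identifier, self._sign(identifier)  # token handed to the AM

    def register_am(self, auth, token=None):
        """Internal call: token only, whatever external_auth is set to."""
        if auth != "token" or token is None:
            raise AccessControlError(
                f"{auth.upper()} authentication is not enabled.  Available:[TOKEN]")
        identifier, password = token
        # Constant-time check; any edit to the identifier breaks the signature.
        if not hmac.compare_digest(password, self._sign(identifier)):
            raise AccessControlError("token signature mismatch")
        return identifier.decode()
```

With `external_auth="simple"`, a registration attempt that presents no token fails with the same message the reporter quoted, while the token returned by `submit` is accepted under either external setting.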
