[ https://issues.apache.org/jira/browse/YARN-941?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14002420#comment-14002420 ]

Xuan Gong commented on YARN-941:
--------------------------------

That is fine. 
This proposal is only focused on updating AMRMToken for Long Running Service.

Proposal:
1. From the RM side, specifically AMRMTokenSecretManager:
We need to roll-up AMRMToken periodically. We have two parameters which can 
temporarily save the currentMasterKey and nextMasterKey, and have a thread which 
will periodically activate the nextMasterKey (basically replace 
currentMasterKey with nextMasterKey). When we need to retrieve the password to 
do the authentication, we can compare the key_id to get the correct password. 

2. ApplicationMasterService:
Every time the AMRMToken has been rolled-up, we can inform the AM with the 
regular heartbeat process. Also, we need to save the AMRMToken into the 
RMStateStore if it has been updated.

3. AMRMClient:
When the AM gets the latest AMRMToken, it will update the token.


> RM Should have a way to update the tokens it has for a running application
> --------------------------------------------------------------------------
>
>                 Key: YARN-941
>                 URL: https://issues.apache.org/jira/browse/YARN-941
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Robert Joseph Evans
>            Assignee: Xuan Gong
>
> When an application is submitted to the RM it includes with it a set of 
> tokens that the RM will renew on behalf of the application, that will be 
> passed to the AM when the application is launched, and will be used when 
> launching the application to access HDFS to download files on behalf of the 
> application.
> For long lived applications/services these tokens can expire, and then the 
> tokens that the AM has will be invalid, and the tokens that the RM had will 
> also not work to launch a new AM.
> We need to provide an API that will allow the RM to replace the current 
> tokens for this application with a new set.  To avoid any real race issues, I 
> think this API should be something that the AM calls, so that the client can 
> connect to the AM with a new set of tokens it got using kerberos, then the AM 
> can inform the RM of the new set of tokens and quickly update its tokens 
> internally to use these new ones.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
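
The current/next master key rollover described in the proposal, as an added sketch that is not part of the original comment and is not Hadoop code. The class and method names are hypothetical, and HMAC-SHA256, 32-byte secrets, and minting new tokens under the next key while a roll is pending are assumptions of this model.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Token:
    attempt_id: str   # application attempt the token was issued to
    key_id: int       # tells the verifier which master key to use
    password: bytes   # HMAC of the identifier under that master key

# Hypothetical model of the current/next master key scheme; not Hadoop code.
class RollingSecretManager:
    def __init__(self):
        self._serial = 0
        self.current = self._new_key()   # (key_id, secret)
        self.next = None                 # set only while a roll is pending

    def _new_key(self):
        self._serial += 1
        return (self._serial, secrets.token_bytes(32))

    def _password(self, key, attempt_id):
        msg = f"{attempt_id}:{key[0]}".encode()
        return hmac.new(key[1], msg, hashlib.sha256).digest()

    def roll_master_key(self):
        # Start a roll: new tokens use next, tokens under current still verify.
        self.next = self._new_key()

    def activate_next_master_key(self):
        # What the periodic thread does: replace current with next.
        if self.next is not None:
            self.current, self.next = self.next, None

    def create_token(self, attempt_id):
        key = self.next or self.current
        return Token(attempt_id, key[0], self._password(key, attempt_id))

    def retrieve_password(self, token):
        # Compare key_id against both keys; an unknown id yields no password.
        for key in (self.current, self.next):
            if key is not None and key[0] == token.key_id:
                return self._password(key, token.attempt_id)
        return None

    def verify(self, token):
        expected = self.retrieve_password(token)
        return expected is not None and hmac.compare_digest(expected, token.password)
```

In this model a token minted under the old key stops verifying as soon as the next key is activated, so the interval between rolling and activating has to cover at least one AM heartbeat in which the new token is delivered.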
