[ 
https://issues.apache.org/jira/browse/YARN-941?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14003796#comment-14003796
 ] 

Marcelo Vanzin commented on YARN-941:
-------------------------------------

Apologies for jumping in the middle of the conversation. I don't have a lot of 
background into the Yarn code here, but from this bug and some internal 
discussions I have a question for people who are more familiar with this code:

What is the purpose of this renewal mechanism?

So far it seems to me that it's an attack mitigation feature. An attacker who 
is able to get the token would only be able to use it while the original 
application (i) is running and (ii) keeps renewing the token.

if that's true, it sounds to me like the problem is actually that it's possible 
to sniff the token in the first place. Wouldn't it be better, at that point, to 
have a protocol that doesn't allow that? Either using full-blown encryption for 
the RPC channels, or if that's deemed too expensive, some mechanism where 
tokens are negotiated instead of sent in plain text over the wire.

> RM Should have a way to update the tokens it has for a running application
> --------------------------------------------------------------------------
>
>                 Key: YARN-941
>                 URL: https://issues.apache.org/jira/browse/YARN-941
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Robert Joseph Evans
>            Assignee: Xuan Gong
>         Attachments: YARN-941.preview.2.patch, YARN-941.preview.3.patch, 
> YARN-941.preview.patch
>
>
> When an application is submitted to the RM it includes with it a set of 
> tokens that the RM will renew on behalf of the application, that will be 
> passed to the AM when the application is launched, and will be used when 
> launching the application to access HDFS to download files on behalf of the 
> application.
> For long lived applications/services these tokens can expire, and then the 
> tokens that the AM has will be invalid, and the tokens that the RM had will 
> also not work to launch a new AM.
> We need to provide an API that will allow the RM to replace the current 
> tokens for this application with a new set.  To avoid any real race issues, I 
> think this API should be something that the AM calls, so that the client can 
> connect to the AM with a new set of tokens it got using kerberos, then the AM 
> can inform the RM of the new set of tokens and quickly update its tokens 
> internally to use these new ones.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Reply via email to