[ https://issues.apache.org/jira/browse/YARN-941?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14037850#comment-14037850 ]
Marcelo Vanzin commented on YARN-941:
-------------------------------------

[~ste...@apache.org], thanks for the comments, but I understand the part about renewing the token. My question was more along the lines of: what prevents the attacker from getting the new token and using it? That's why I called it an "attack mitigation" feature. If an attacker gets a token, that particular token is only usable for a period of time. But it doesn't seem like there's anything that prevents the attack in the first place - so if an attacker is able to get the first token, he is able to get any future new tokens using exactly the same approach.

I understand that renewing tokens is needed for long-running processes. I'm just trying to understand whether this is the right approach from a security perspective, and if it's not, if it wouldn't be good to spend some time thinking about a more secure way of exchanging these tokens.

> RM Should have a way to update the tokens it has for a running application
> --------------------------------------------------------------------------
>
> Key: YARN-941
> URL: https://issues.apache.org/jira/browse/YARN-941
> Project: Hadoop YARN
> Issue Type: Sub-task
> Reporter: Robert Joseph Evans
> Assignee: Xuan Gong
> Attachments: YARN-941.preview.2.patch, YARN-941.preview.3.patch, YARN-941.preview.4.patch, YARN-941.preview.patch
>
>
> When an application is submitted to the RM it includes with it a set of tokens that the RM will renew on behalf of the application, that will be passed to the AM when the application is launched, and will be used when launching the application to access HDFS to download files on behalf of the application.
> For long-lived applications/services these tokens can expire, and then the tokens that the AM has will be invalid, and the tokens that the RM had will also not work to launch a new AM.
> We need to provide an API that will allow the RM to replace the current tokens for this application with a new set. To avoid any real race issues, I think this API should be something that the AM calls, so that the client can connect to the AM with a new set of tokens it got using Kerberos, then the AM can inform the RM of the new set of tokens and quickly update its tokens internally to use these new ones.

--
This message was sent by Atlassian JIRA
(v6.2#6252)
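To make the lifecycle the issue describes concrete, here is an added Python model (not Hadoop or YARN code): tokens the RM renews up to a max lifetime, the day on which renewal stops working, and an AM-called API that replaces the application's token set. The interval, lifetime, app and AM identifiers are constructed values, and the check that only the AM registered for an app may replace its tokens is an assumption added here, not something the issue specifies.

```python
DAY = 24 * 3600
RENEW_INTERVAL = 2 * DAY  # constructed value: one renewal pushes expiry out two days
MAX_LIFETIME = 7 * DAY    # constructed value: nothing extends a token past a week

class Token:
    """Constructed model of a renewable delegation token, not Hadoop's class."""
    def __init__(self, issued_at: int):
        self.expires_at = issued_at + RENEW_INTERVAL
        self.max_date = issued_at + MAX_LIFETIME

    def valid(self, now: int) -> bool:
        return now < self.expires_at

    def renew(self, now: int) -> bool:
        # Renewal only moves expiry forward, and never past max_date.
        if now >= self.max_date or not self.valid(now):
            return False
        self.expires_at = min(now + RENEW_INTERVAL, self.max_date)
        return True

class ResourceManager:
    """Keeps each application's token set and renews it on the app's behalf."""
    def __init__(self):
        self.tokens = {}  # app_id -> list of Token
        self.am_of = {}   # app_id -> identity of the AM registered for it

    def renew_all(self, app_id, now) -> int:
        # Count of tokens that could not be renewed and now need replacing.
        return sum(not t.renew(now) for t in self.tokens[app_id])

    def can_launch_am(self, app_id, now) -> bool:
        return all(t.valid(now) for t in self.tokens[app_id])

    def update_tokens(self, app_id, caller, new_tokens) -> bool:
        # The replacement API the issue proposes; the registered-AM check is an assumption added here.
        if self.am_of.get(app_id) != caller:
            return False
        self.tokens[app_id] = list(new_tokens)
        return True

def simulate() -> dict:
    rm = ResourceManager()
    rm.tokens["app_1"], rm.am_of["app_1"] = [Token(0)], "am_1"  # app submission
    out = {day: rm.renew_all("app_1", day * DAY) for day in range(1, 9)}
    out["launch_before_update"] = rm.can_launch_am("app_1", 9 * DAY)
    # Renewal has failed: the AM obtains fresh tokens (via Kerberos, not
    # modelled here) and hands them to the RM through the new API.
    out["update_accepted"] = rm.update_tokens("app_1", "am_1", [Token(9 * DAY)])
    out["launch_after_update"] = rm.can_launch_am("app_1", 9 * DAY)
    return out
```

Renewal succeeds for six days, fails once the token's max lifetime is reached on day 7, and only the AM-driven replacement makes a new AM launch possible again.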