Marcelo Vanzin commented on YARN-941:

[~ste...@apache.org], thanks for the comments, but I understand the part about 
renewing the token. My question was more along the lines of: what prevents the 
attacker from getting the new token and using it?

That's why I called it an "attack mitigation" feature. If an attacker gets a 
token, that particular token is only usable for a period of time. But it 
doesn't seem like there's anything that prevents the attack in the first place 
- so if an attacker is able to get the first token, he is able to get any 
future new tokens using exactly the same approach.

I understand that renewing tokens is needed for long-running processes. I'm 
just trying to understand whether this is the right approach from a security 
perspective, and if it's not, if it wouldn't be good to spend some time 
thinking about a more secure way of exchanging these tokens.

> RM Should have a way to update the tokens it has for a running application
> --------------------------------------------------------------------------
>                 Key: YARN-941
>                 URL: https://issues.apache.org/jira/browse/YARN-941
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Robert Joseph Evans
>            Assignee: Xuan Gong
>         Attachments: YARN-941.preview.2.patch, YARN-941.preview.3.patch, 
> YARN-941.preview.4.patch, YARN-941.preview.patch
> When an application is submitted to the RM it includes with it a set of 
> tokens that the RM will renew on behalf of the application, that will be 
> passed to the AM when the application is launched, and will be used when 
> launching the application to access HDFS to download files on behalf of the 
> application.
> For long lived applications/services these tokens can expire, and then the 
> tokens that the AM has will be invalid, and the tokens that the RM had will 
> also not work to launch a new AM.
> We need to provide an API that will allow the RM to replace the current 
> tokens for this application with a new set.  To avoid any real race issues, I 
> think this API should be something that the AM calls, so that the client can 
> connect to the AM with a new set of tokens it got using kerberos, then the AM 
> can inform the RM of the new set of tokens and quickly update its tokens 
> internally to use these new ones.

This message was sent by Atlassian JIRA

Reply via email to