Eron Wright  commented on YARN-2477:

A key question here is whether it is necessary for the container to be capable 
of Kerberos authentication.   Considering how tasks primarily use delegation 
tokens rather than Kerberos auth, the ability might not be important.    A 
valid scenario might be appmasters with Kerberized endpoints.

By running in a container, the application loses access to two relevant files 
on the host filesystem: a) the /etc/krb5.conf file, and b) the installed JCE 
policy files (which Abin alludes to).  Those files may vary by environment and 
are typically managed by Ambari/Cloudera Manager.  On a), one solution is for 
the DockerContainerExecutor to share /etc/krb5.conf into the container.    On 
b), I think it acceptable to defer the JCE issue and assume that the image will 
contain the needed policy.  I believe that the steps to install a JCE policy 
vary by Linux distribution (some use 'alternatives').

> DockerContainerExecutor must support secure mode
> ------------------------------------------------
>                 Key: YARN-2477
>                 URL: https://issues.apache.org/jira/browse/YARN-2477
>             Project: Hadoop YARN
>          Issue Type: New Feature
>            Reporter: Abin Shahab
>              Labels: security
> DockerContainerExecutor(patch in YARN-1964) does not support Kerberized 
> hadoop clusters yet, as Kerberized hadoop cluster has a strict dependency on 
> the LinuxContainerExecutor. 
> For Docker containers to be used in production environment, they must support 
> secure hadoop. Issues regarding Java's AES encryption library in a 
> containerized environment also need to be worked out.

This message was sent by Atlassian JIRA

Reply via email to