[
https://issues.apache.org/jira/browse/YARN-2477?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14260745#comment-14260745
]
Eron Wright commented on YARN-2477:
------------------------------------
A key question here is whether it is necessary for the container to be capable
of Kerberos authentication. Considering how tasks primarily use delegation
tokens rather than Kerberos auth, the ability might not be important. A
valid scenario might be appmasters with Kerberized endpoints.
By running in a container, the application loses access to two relevant files
on the host filesystem: a) the /etc/krb5.conf file, and b) the installed JCE
policy files (which Abin alludes to). Those files may vary by environment and
are typically managed by Ambari/Cloudera Manager. On a), one solution is for
the DockerContainerExecutor to share /etc/krb5.conf into the container. On
b), I think it acceptable to defer the JCE issue and assume that the image will
contain the needed policy. I believe that the steps to install a JCE policy
vary by Linux distribution (some use 'alternatives').
> DockerContainerExecutor must support secure mode
> ------------------------------------------------
>
> Key: YARN-2477
> URL: https://issues.apache.org/jira/browse/YARN-2477
> Project: Hadoop YARN
> Issue Type: New Feature
> Reporter: Abin Shahab
> Labels: security
>
> DockerContainerExecutor(patch in YARN-1964) does not support Kerberized
> hadoop clusters yet, as Kerberized hadoop cluster has a strict dependency on
> the LinuxContainerExecutor.
> For Docker containers to be used in production environment, they must support
> secure hadoop. Issues regarding Java's AES encryption library in a
> containerized environment also need to be worked out.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
