[ https://issues.apache.org/jira/browse/YARN-4653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15134415#comment-15134415 ]

Steve Loughran commented on YARN-4653:
--------------------------------------


bq. Wonder how this works. Since container does not have keytab, so no kerberos 
channel. What kind of authentication is this to get the delegation tokens

Spark uses HTTPS here; AM has a keytab. I'll clarify that.

bq.  RM will not refresh any delegation tokens on AM restart. It'll refresh 
AMRM token for sure.

No? I'm thinking of all tokens supplied to the container launch context, the 
ones needed for localization by the NN, and for other services the app needs 
(e.g. ATS, Hive, ...). Doesn't the RM do those?



> Document YARN security model from the perspective of Application Developers
> ---------------------------------------------------------------------------
>
>                 Key: YARN-4653
>                 URL: https://issues.apache.org/jira/browse/YARN-4653
>             Project: Hadoop YARN
>          Issue Type: Task
>          Components: site
>    Affects Versions: 2.7.2
>            Reporter: Steve Loughran
>            Assignee: Steve Loughran
>         Attachments: YARN-4653-001.patch, YARN-4653-002.patch
>
>   Original Estimate: 2h
>  Remaining Estimate: 2h
>
> What YARN apps need to do for security today is generally copied direct from 
> distributed shell, with a bit of [ill-informed 
> superstition|https://steveloughran.gitbooks.io/kerberos_and_hadoop/content/sections/yarn.html]
>  being the sole prose.
> We need a normative document in the YARN site covering
> # the needs for YARN security
> # token creation for AM launch
> # how the RM gets involved
> # token propagation on container launch
> # token renewal strategies
> # How to get tokens for other apps like HBase and Hive.
> # how to work under Oozie
> Perhaps the WritingYarnApplications.md doc is updated, otherwise why not just 
> link to the relevant bit of the distributed shell client on github for a 
> guarantee of staying up to date?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
