[ https://issues.apache.org/jira/browse/YARN-4653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15136094#comment-15136094 ]

Jian He commented on YARN-4653:
-------------------------------

bq. what about the tokens supplied to the container launch context for the 
container to start at all?
Sorry, not sure I understand what you mean. In case of MR, any tokens in the 
containerLaunchContext (supplied by user) will remain the same. Those tokens are 
not refreshed and will expire eventually. The HDFS token used for localization 
is indeed refreshed - RM requests a new token on user's behalf and distributes 
that to NM's localization service. Tokens for any other services (ATS, Hive) 
supplied by user are not refreshed.

The patch looks good. Only my earlier comment:
I tried to compile the HTML file and found that the below has some format problem. 
Only the first line is recognized as the title. 
{code}
### AM keytab distributed via YARN; AM regenerates delegation
336     tokens for containers.
{code}

> Document YARN security model from the perspective of Application Developers
> ---------------------------------------------------------------------------
>
>                 Key: YARN-4653
>                 URL: https://issues.apache.org/jira/browse/YARN-4653
>             Project: Hadoop YARN
>          Issue Type: Task
>          Components: site
>    Affects Versions: 2.7.2
>            Reporter: Steve Loughran
>            Assignee: Steve Loughran
>         Attachments: YARN-4653-001.patch, YARN-4653-002.patch, 
> YARN-4653-003.patch
>
>   Original Estimate: 2h
>  Remaining Estimate: 2h
>
> What YARN apps need to do for security today is generally copied direct from 
> distributed shell, with a bit of [ill-informed 
> superstition|https://steveloughran.gitbooks.io/kerberos_and_hadoop/content/sections/yarn.html]
>  being the sole prose.
> We need a normative document in the YARN site covering
> # the needs for YARN security
> # token creation for AM launch
> # how the RM gets involved
> # token propagation on container launch
> # token renewal strategies
> # How to get tokens for other apps like HBase and Hive.
> # how to work under Oozie
> Perhaps the WritingYarnApplications.md doc is updated, otherwise why not just 
> link to the relevant bit of the distributed shell client on github for a 
> guarantee of staying up to date?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
