Hexiaoqiao commented on PR #8377:
URL: https://github.com/apache/hadoop/pull/8377#issuecomment-4251035674

   Sorry -1 from my side. 
   Security issues will be introduced if we expose `SystemCredentials` to 
container. IIUC, the original purpose of `SystemCredentials` is only for 
inner-NM to localize or log aggregate, it may include many tokens for different 
users, This PR try to expose these credentials to end users (or we say new 
container), it will enlarge permissions which is unauthorized.
   
   For long running application, I think one feasible solution is to increase 
lifetime of time at HDFS side or allow special user(such as YARN) to renew 
token which over lifetime. welcome more discussion.
   
   Thanks.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to