JHSUYU commented on PR #8377: URL: https://github.com/apache/hadoop/pull/8377#issuecomment-4252335446
> @Hexiaoqiao, is this true? I suppose it only exposes the app owner's system credentials to the container

It seems to me @pan3793's understanding is correct for this specific code path (correct me if I am wrong). `systemCredentialsForApps` is a map keyed by ApplicationId. The proposed code uses the current container's applicationId to fetch only that application's credentials.

That said, I agree that exposing systemCredentials to the container is not the right direction. The actual NM-side bug is that container re-initialization updates the ContainerLaunchContext but does not update ContainerImpl.credentials. As a result, even if the AM sends refreshed tokens, the relaunched container still writes the stale credentials from the original launch context.

I suggest updating the container credentials from the reinit ContainerLaunchContext during reinitialization, and preserving/restoring credentials correctly for rollback. This keeps systemCredentials scoped to NM-internal localization/log-aggregation.
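The stale-credentials behaviour described in the comment above, as an added example that is not part of the original comment and is not Hadoop code: a simplified stand-in model in which every class, method and token value is hypothetical. It shows a cached credentials field diverging from the launch context on re-initialization, and the snapshot that rollback needs once the field is refreshed.

```java
// Simplified model, NOT Hadoop code: all names and token values are hypothetical.
public class ReinitCredentialsModel {
    // Stand-in for a launch context carrying the tokens the AM supplied.
    record LaunchContext(String tokens) {}

    static class Container {
        private LaunchContext launchContext;
        private String credentials;          // cached copy, written out at (re)launch
        private LaunchContext oldLaunchContext;
        private String oldCredentials;       // snapshot kept for rollback
        private final boolean refreshOnReinit;

        Container(LaunchContext ctx, boolean refreshOnReinit) {
            this.launchContext = ctx;
            this.credentials = ctx.tokens();
            this.refreshOnReinit = refreshOnReinit;
        }

        void reInitialize(LaunchContext newCtx) {
            // Snapshot both fields so rollback restores a consistent pair.
            oldLaunchContext = launchContext;
            oldCredentials = credentials;
            launchContext = newCtx;
            // Without this step the cached field keeps the original tokens.
            if (refreshOnReinit) {
                credentials = newCtx.tokens();
            }
        }

        void rollback() {
            launchContext = oldLaunchContext;
            credentials = oldCredentials;
        }

        String tokensWrittenAtRelaunch() { return credentials; }
    }

    public static void main(String[] args) {
        LaunchContext original = new LaunchContext("token-v1 (constructed)");
        LaunchContext refreshed = new LaunchContext("token-v2 (constructed)");

        Container stale = new Container(original, false);
        stale.reInitialize(refreshed);
        System.out.println("reinit, no refresh: " + stale.tokensWrittenAtRelaunch());

        Container fixed = new Container(original, true);
        fixed.reInitialize(refreshed);
        System.out.println("reinit, refreshed:  " + fixed.tokensWrittenAtRelaunch());
        fixed.rollback();
        System.out.println("after rollback:     " + fixed.tokensWrittenAtRelaunch());
    }
}
```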
