[jira] [Updated] (MAPREDUCE-3256) Authorization checks needed for AM->NM protocol

[Arun C Murthy (Updated) (JIRA)]

     [ 
https://issues.apache.org/jira/browse/MAPREDUCE-3256?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Arun C Murthy updated MAPREDUCE-3256:
-------------------------------------

    Status: Open  (was: Patch Available)

Vinod, with this patch I'm seeing issues on a secure cluster:

{noformat}

Container launch failed for container_1319838127023_0002_01_000032 : 
RemoteTrace: 
 at LocalTrace: 
        org.apache.hadoop.yarn.exceptions.impl.pb.YarnRemoteExceptionPBImpl: 
Unauthorized request to start container. 
Expected containerId: container_1319838127023_0002_01_000017 Found: 
container_1319838127023_0002_01_000032
        at 
org.apache.hadoop.yarn.ipc.ProtoOverHadoopRpcEngine$Invoker.invoke(ProtoOverHadoopRpcEngine.java:151)
        at $Proxy20.startContainer(Unknown Source)
        at 
org.apache.hadoop.yarn.api.impl.pb.client.ContainerManagerPBClientImpl.startContainer(ContainerManagerPBClientImpl.java:81)
        at 
org.apache.hadoop.mapreduce.v2.app.launcher.ContainerLauncherImpl$EventProcessor.run(ContainerLauncherImpl.java:278)
        at 
java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
        at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
        at java.lang.Thread.run(Thread.java:662)
{noformat}
                
> Authorization checks needed for AM->NM protocol
> -----------------------------------------------
>
>                 Key: MAPREDUCE-3256
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-3256
>             Project: Hadoop Map/Reduce
>          Issue Type: Sub-task
>          Components: applicationmaster, mrv2, nodemanager, security
>    Affects Versions: 0.23.0
>            Reporter: Vinod Kumar Vavilapalli
>            Assignee: Vinod Kumar Vavilapalli
>            Priority: Blocker
>             Fix For: 0.23.0
>
>         Attachments: MAPREDUCE-3256-20111028.1.txt, 
> MAPREDUCE-3256-20111028.2.txt, MAPREDUCE-3256-20111028.2_same
>
>
> We already authenticate requests to NM from any AM. We also need to authorize 
> the requests, otherwise a rogue AM, *but with proper tokens and thus 
> authenticated to talk to NM*, could either launch or kill a container with 
> different ContainerID. We have two options:
>  - Remove the explicit passing of the ContainerId as part of the API and 
> instead get it from the RPC layer. In this case, we will need a 
> ContainerToken for each container.
>  - Do explicit authorization checks without relying on getting ContainerID 
> from the RPC.
> One ContainerToken per container is a serious restriction. We anyways want to 
> be able to use application-ACLS to, say, stop containers owned by others. So 
> I am going to take the later route of explicit checks.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira