[ https://issues.apache.org/jira/browse/MAPREDUCE-3251?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13170289#comment-13170289 ]

Hudson commented on MAPREDUCE-3251:
-----------------------------------

Integrated in Hadoop-Mapreduce-trunk #928 (See [https://builds.apache.org/job/Hadoop-Mapreduce-trunk/928/])
MAPREDUCE-3251. Network ACLs can prevent some clients to talk to MR ApplicationMaster (Anupam Seth via mahadev)

mahadev : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1214662
Files :
* /hadoop/common/trunk/hadoop-mapreduce-project/CHANGES.txt
* /hadoop/common/trunk/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/main/java/org/apache/hadoop/mapred/ClientServiceDelegate.java
* /hadoop/common/trunk/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/test/java/org/apache/hadoop/mapred/TestClientServiceDelegate.java
* /hadoop/common/trunk/hadoop-mapreduce-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
* /hadoop/common/trunk/hadoop-mapreduce-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/resources/yarn-default.xml

> Network ACLs can prevent some clients to talk to MR ApplicationMaster
> ---------------------------------------------------------------------
>
> Key: MAPREDUCE-3251
> URL: https://issues.apache.org/jira/browse/MAPREDUCE-3251
> Project: Hadoop Map/Reduce
> Issue Type: Task
> Components: mrv2
> Affects Versions: 0.23.0
> Reporter: Anupam Seth
> Assignee: Anupam Seth
> Priority: Critical
> Fix For: 0.23.1
>
> Attachments: MAPREDUCE-3251-branch_0_23.patch,
> MAPREDUCE-3251-branch_0_23.patch, MAPREDUCE-3251-branch_0_23.patch,
> MAPREDUCE-3251-branch_0_23.patch, MAPREDUCE-3251_branch-0_23_preliminary.txt
>
>
> In 0.20.xxx, the JobClient while polling goes to JT to get the job status.
> With YARN, AM can be launched on any port and the client will have to have
> ACL open to that port to talk to AM and get the job status. When the client
> is within the same grid network access to AM is not a problem. But some
> applications may have one installation per set of clusters and may launch
> jobs even across such sets (on job trackers in another set of clusters). For
> that to work only the JT port needs to be open currently. In case of YARN,
> all ports will have to be opened up for things to work. That would be a
> security no-no.
> There are two possible solutions:
> 1) Make the job client only talk to RM (as an option) to get the job
> status.
> 2) Limit the range of ports AM can listen on.
> Option 2) may not be favorable as there is no direct OS API to find a free
> port.
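
Option 2 in the description above, limiting the ports a service listens on, as an added Java example (not code from the MAPREDUCE-3251 patch or the Hadoop code base): because no OS call returns a free port inside a given range, the listener tries each port in turn, so a network ACL only has to admit that range. The class name, method name and the 50100-50102 range are constructed for illustration.

```java
import java.io.IOException;
import java.net.BindException;
import java.net.InetSocketAddress;
import java.net.ServerSocket;

public class PortRangeBind {

    /**
     * Binds a listening socket to the first free port in [low, high].
     * Binding to port 0 would let the OS pick any ephemeral port, which is
     * exactly what forces a firewall to open every port; here the search is
     * done by hand so the result always stays inside the permitted range.
     */
    static ServerSocket bindInRange(int low, int high) throws IOException {
        if (low < 1 || high > 65535 || low > high) {
            throw new IllegalArgumentException("bad port range " + low + "-" + high);
        }
        for (int port = low; port <= high; port++) {
            ServerSocket socket = new ServerSocket();
            try {
                socket.bind(new InetSocketAddress(port));
                return socket; // caller owns and closes the socket
            } catch (IOException e) {
                socket.close();
                if (!(e instanceof BindException)) {
                    throw e; // not an "address in use" style failure
                }
                // Port is taken (or not permitted); try the next one.
            }
        }
        // Exhaustion is the failure mode of a range that is too narrow
        // for the number of listeners sharing the host.
        throw new BindException("no free port in " + low + "-" + high);
    }

    public static void main(String[] args) throws IOException {
        // Constructed range: the only ports an ACL would need to allow.
        int low = 50100, high = 50102;
        try (ServerSocket first = bindInRange(low, high);
             ServerSocket second = bindInRange(low, high)) {
            // The second listener lands on a different port in the same range.
            System.out.println("listening on " + first.getLocalPort()
                    + " and " + second.getLocalPort());
        }
    }
}
```

The range has to be sized for the largest number of listeners that can share one host, since every listener beyond that count fails at startup instead of falling back to a port outside the ACL.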