[ 
https://issues.apache.org/jira/browse/MAPREDUCE-3940?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13288952#comment-13288952
 ] 

Siddharth Seth commented on MAPREDUCE-3940:
-------------------------------------------

bq. The ContainerTokenSecretManager appears to be using a hardcoded secret of 
mySecretKey?
That's fixed in MAPREDUCE-3943.

bq. Secret managers usually handle the expiration internally to prevent 
tampering, but the token ident includes the expiry. Combined with the prior 
point, is it possible to fabricate tokens for any host with any expiration?
Given the hardcoded secret, that's possible. Again, 3943 fixes this.

bq. The secret manager usually validates the token & expiration, but here it 
appears the container manager itself is trying to do it? Does this mean there's 
no SASL level token check occurring?
The secret manager continues to validate parts of the token. Expiry is done outside 
since that's only required for the startContainer call.

bq. The UGI is the container id instead of the job's submitter?
That's used to ensure that the RM did allocate the specific container.

bq. The schedulers (fifo & leaf) and secret manager interaction seem 
inconsistent with the other implementations. Token(ident, secretManager) seems 
to be the preferred way to create tokens.
The token identifier and signature are generated by the RM - serialized using 
PB and then used by the AM to communicate with the node manager. The AM 
generates the Token from the PB message. The RM doesn't really need to create 
it.

                
> ContainerTokens should have an expiry interval
> ----------------------------------------------
>
>                 Key: MAPREDUCE-3940
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-3940
>             Project: Hadoop Map/Reduce
>          Issue Type: Sub-task
>          Components: mrv2, security
>    Affects Versions: 0.23.0
>            Reporter: Vinod Kumar Vavilapalli
>            Assignee: Vinod Kumar Vavilapalli
>         Attachments: MAPREDUCE-3940-20120308.txt, 
> MAPREDUCE-3940-20120416.txt, MAPREDUCE-3940-20120425.txt, MR3940.txt, 
> MR3940.txt
>
>
>  - RM should generate the expiry time for a container
>  - A ContainerToken should have its expire time encoded
>  - NMs should reject containers with expired tokens.
>  - Expiry interval for a ContainerToken is same as the expiry interval for a 
> container.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
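
The scheme discussed in the comment above, as an added example that is not part of the original message and is not Hadoop's code: the RM signs an identifier that carries the expiry, and the NM verifies the signature before trusting that expiry on startContainer. The class and method names, the "|" field layout, the host field, the sample values and the choice of HMAC-SHA256 are assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

// Simplified model of an expiring container token; hypothetical names, not Hadoop's classes.
public class ContainerTokenSketch {
    // RM side: the identifier carries container id, NM host and expiry (ms since epoch).
    static byte[] identifier(String containerId, String nmHost, long expiryMs) {
        return (containerId + "|" + nmHost + "|" + expiryMs).getBytes(StandardCharsets.UTF_8);
    }

    // The token password is an HMAC over the identifier, so the expiry is covered by it.
    static byte[] sign(byte[] key, byte[] ident) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(ident);
    }

    // NM side: check the signature first, then read host and expiry from the signed bytes.
    static String check(byte[] key, byte[] ident, byte[] password, String thisHost, long nowMs)
            throws Exception {
        if (!MessageDigest.isEqual(sign(key, ident), password)) return "REJECT: bad signature";
        String[] f = new String(ident, StandardCharsets.UTF_8).split("\\|");
        if (f.length != 3) return "REJECT: malformed identifier";
        if (!f[1].equals(thisHost)) return "REJECT: issued for another host";
        if (nowMs > Long.parseLong(f[2])) return "REJECT: expired";
        return "ACCEPT " + f[0];
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);   // random key shared by RM and NM, never a literal
        long now = System.currentTimeMillis();
        // Constructed sample values.
        byte[] ident = identifier("container_01", "nm1.example:45454", now + 600_000);
        byte[] pw = sign(key, ident);

        System.out.println(check(key, ident, pw, "nm1.example:45454", now));
        // Expiry edited after issue: the signature no longer matches.
        byte[] edited = identifier("container_01", "nm1.example:45454", now + 86_400_000);
        System.out.println(check(key, edited, pw, "nm1.example:45454", now));
        // Same token presented after its expiry.
        System.out.println(check(key, ident, pw, "nm1.example:45454", now + 600_001));
        // Same token presented to a different NM.
        System.out.println(check(key, ident, pw, "nm2.example:45454", now));
    }
}
```

The expiry check is only meaningful because it runs after the signature check and the key is secret; with a key that is known to clients, any identifier passes the first test.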

        
