[
https://issues.apache.org/jira/browse/MAPREDUCE-5199?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13659840#comment-13659840
]
Vinod Kumar Vavilapalli commented on MAPREDUCE-5199:
----------------------------------------------------
bq. The referenced jiras add the app token to the launch context, which causes
the app token to leak to the task. When the task launches a child job, it dumps
out its credentials (including the leaked app token) to the appTokens file.
That's not true either. Even after the referred patches, the only tokens that
are passed to tasks are MR specific JobToken and FSTokens (See TaskImpl
constructor and where the credentials field coming from - from job.fsTokens
which is from MRAppMaster.fsTokens which only has tokens from the AppTokensFile
which *does not* have the AMRMToken).
The patches only add the AMRMToken to MRAppMaster's UGI. Which isn't what Tasks
are given via the launch-context.
I am clearly missing something. Let me run it through Sid too who equally
understands this code well.
> AppTokens file can/should be removed
> ------------------------------------
>
> Key: MAPREDUCE-5199
> URL: https://issues.apache.org/jira/browse/MAPREDUCE-5199
> Project: Hadoop Map/Reduce
> Issue Type: Sub-task
> Components: security
> Affects Versions: 3.0.0, 2.0.5-beta
> Reporter: Vinod Kumar Vavilapalli
> Assignee: Daryn Sharp
> Priority: Blocker
> Attachments: MAPREDUCE-5199.patch
>
>
> All the required tokens are propagated to AMs and containers via
> startContainer(), no need for explicitly creating the app-token file that we
> have today..
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
