[ https://issues.apache.org/jira/browse/MAPREDUCE-5199?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13659840#comment-13659840 ]
Vinod Kumar Vavilapalli commented on MAPREDUCE-5199: ---------------------------------------------------- bq. The referenced jiras add the app token to the launch context, which causes the app token to leak to the task. When the task launches a child job, it dumps out its credentials (including the leaked app token) to the appTokens file. That's not true either. Even after the referred patches, the only tokens that are passed to tasks are MR specific JobToken and FSTokens (See TaskImpl constructor and where the credentials field coming from - from job.fsTokens which is from MRAppMaster.fsTokens which only has tokens from the AppTokensFile which *does not* have the AMRMToken). The patches only add the AMRMToken to MRAppMaster's UGI. Which isn't what Tasks are given via the launch-context. I am clearly missing something. Let me run it through Sid too who equally understands this code well. > AppTokens file can/should be removed > ------------------------------------ > > Key: MAPREDUCE-5199 > URL: https://issues.apache.org/jira/browse/MAPREDUCE-5199 > Project: Hadoop Map/Reduce > Issue Type: Sub-task > Components: security > Affects Versions: 3.0.0, 2.0.5-beta > Reporter: Vinod Kumar Vavilapalli > Assignee: Daryn Sharp > Priority: Blocker > Attachments: MAPREDUCE-5199.patch > > > All the required tokens are propagated to AMs and containers via > startContainer(), no need for explicitly creating the app-token file that we > have today.. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira