[
https://issues.apache.org/jira/browse/MAPREDUCE-5199?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13661043#comment-13661043
]
Daryn Sharp commented on MAPREDUCE-5199:
----------------------------------------
The issue stems from {{conf.getCredentials().addAll(credentials)}}. Conf is a
JobConf, and credentials is obtained via the login UGI. These credentials
include the app token so by propagating them into the jobConf, the tasks
acquire the app token.
When the task submits a job, the submission writes out the appTokens file which
now includes the leaked app token. The child job's AM reads in the file, adds
it to its credentials, thus clobbering its own app token.
We've successfully tested the patch on a secure cluster. The app token no
longer leaks to the task.
> AppTokens file can/should be removed
> ------------------------------------
>
> Key: MAPREDUCE-5199
> URL: https://issues.apache.org/jira/browse/MAPREDUCE-5199
> Project: Hadoop Map/Reduce
> Issue Type: Sub-task
> Components: security
> Affects Versions: 3.0.0, 2.0.5-beta
> Reporter: Vinod Kumar Vavilapalli
> Assignee: Daryn Sharp
> Priority: Blocker
> Attachments: MAPREDUCE-5199.patch
>
>
> All the required tokens are propagated to AMs and containers via
> startContainer(), no need for explicitly creating the app-token file that we
> have today..
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
