[ https://issues.apache.org/jira/browse/MAPREDUCE-5199?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13662977#comment-13662977 ]

Daryn Sharp commented on MAPREDUCE-5199:
----------------------------------------

bq. There are a couple of other solutions to avoid tasks using the wrong token 
for the AM-RM connection - like fixing the TokenSelector, but we can pursue 
that separately to unblock you.

Yes, but while a good change, it would mask if an app token did happen to leak.

bq. Should downloadTokensAndSetupUGI be called as part of initAndStartAppMaster 
itself, so that jobConf credentials population can be before the init.

Perhaps.  In this patch I made the minimal change to ensure the app token is 
stripped from the jobConf credentials.

bq. Rename downloadTokensAndSetupUGI to something like setupJobTokensAndUGI ?

I considered renaming it, but again was making the minimal changes to fix the 
issue w/o disturbing apis to minimize risk.  Can this be done as part of the 
api cleanup?  Note that it's more appropriate to call it something like 
{{setupJobCredentialsAndUGI}} since it's really tokens + secrets.

Overall, despite all the confusion regarding the app token leaking, I made the 
minimal change to satisfy this jira by removing the appTokens file.  It 
incidentally prevents the app token from getting smashed in a child AM _if_ it 
does somehow manage to leak into a task.  I think we really need to integrate 
this patch while followup investigation determines if/how there's a larger 
issue since it's technically out of scope of removing the appTokens.
                
> AppTokens file can/should be removed
> ------------------------------------
>
>                 Key: MAPREDUCE-5199
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-5199
>             Project: Hadoop Map/Reduce
>          Issue Type: Sub-task
>          Components: security
>    Affects Versions: 3.0.0, 2.0.5-beta
>            Reporter: Vinod Kumar Vavilapalli
>            Assignee: Daryn Sharp
>            Priority: Blocker
>         Attachments: MAPREDUCE-5199.patch
>
>
> All the required tokens are propagated to AMs and containers via 
> startContainer(), no need for explicitly creating the app-token file that we 
> have today.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
