[ https://issues.apache.org/jira/browse/MAPREDUCE-5199?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13662977#comment-13662977 ]
Daryn Sharp commented on MAPREDUCE-5199:
----------------------------------------

bq. There are couple of other solutions to avoid tasks using the wrong token for the AM-RM connection - like fixing the TokenSelector, but we can pursue that separately to unblock you.

Yes, but while a good change, it would mask if an app token did happen to leak.

bq. Should downloadTokensAndSetupUGI be called as part of intAndStartAppMaster itself, so that jobConf credentials population can be before the init.

Perhaps. In this patch I made the minimal change to ensure the app token is stripped from the jobConf credentials.

bq. Rename downloadTokensAndSetupUGI to something like setupJobTokensAndUGI ?

I considered renaming it, but again was making the minimal changes to fix the issue w/o disturbing apis to minimize risk. Can this be done as part of the api cleanup? Note that it's more appropriate to call it something like {{setupJobCredentialsAndUGI}} since it's really tokens + secrets.

Overall, despite all the confusion regarding the app token leaking, I made the minimal change to satisfy this jira by removing the appTokens file. It incidentally prevents the app token from getting smashed in a child AM _if_ it does somehow manage to leak into a task. I think we really need to integrate this patch while followup investigation determines if/how there's a larger issue since it's technically out of scope of removing the appTokens.

> AppTokens file can/should be removed
> ------------------------------------
>
> Key: MAPREDUCE-5199
> URL: https://issues.apache.org/jira/browse/MAPREDUCE-5199
> Project: Hadoop Map/Reduce
> Issue Type: Sub-task
> Components: security
> Affects Versions: 3.0.0, 2.0.5-beta
> Reporter: Vinod Kumar Vavilapalli
> Assignee: Daryn Sharp
> Priority: Blocker
> Attachments: MAPREDUCE-5199.patch
>
>
> All the required tokens are propagated to AMs and containers via
> startContainer(), no need for explicitly creating the app-token file that we
> have today..