[jira] [Commented] (YARN-4653) Document YARN security model from the perspective of Application Developers
[ https://issues.apache.org/jira/browse/YARN-4653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15146460#comment-15146460 ]

Hudson commented on YARN-4653:
------------------------------

FAILURE: Integrated in Hadoop-trunk-Commit #9302 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/9302/])
YARN-4653. Document YARN security model from the perspective of (jianhe: rev dea90c9a86d0b17f36d0bdf24ca0c789dd1de2b6)
* hadoop-project/src/site/site.xml
* hadoop-yarn-project/CHANGES.txt
* hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/YarnApplicationSecurity.md

> Document YARN security model from the perspective of Application Developers
> ---------------------------------------------------------------------------
>
>                 Key: YARN-4653
>                 URL: https://issues.apache.org/jira/browse/YARN-4653
>             Project: Hadoop YARN
>          Issue Type: Task
>          Components: site
>    Affects Versions: 2.7.2
>            Reporter: Steve Loughran
>            Assignee: Steve Loughran
>         Attachments: YARN-4653-001.patch, YARN-4653-002.patch,
>                      YARN-4653-003.patch, YARN-4653-004.patch
>
>   Original Estimate: 2h
>  Remaining Estimate: 2h
>
> What YARN apps need to do for security today is generally copied direct from
> distributed shell, with a bit of [ill-informed
> superstition|https://steveloughran.gitbooks.io/kerberos_and_hadoop/content/sections/yarn.html]
> being the sole prose.
> We need a normative document in the YARN site covering
> # the needs for YARN security
> # token creation for AM launch
> # how the RM gets involved
> # token propagation on container launch
> # token renewal strategies
> # How to get tokens for other apps like HBase and Hive.
> # how to work under Oozie
> Perhaps the WritingYarnApplications.md doc is updated, otherwise why not just
> link to the relevant bit of the distributed shell client on github for a
> guarantee of staying up to date?

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (YARN-4653) Document YARN security model from the perspective of Application Developers
[ https://issues.apache.org/jira/browse/YARN-4653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15140828#comment-15140828 ]

Hadoop QA commented on YARN-4653:
---------------------------------

| (x) *-1 overall* |

|| Vote || Subsystem || Runtime || Comment ||
| 0 | reexec | 0m 17s | Docker mode activated. |
| +1 | @author | 0m 0s | The patch does not contain any @author tags. |
| 0 | mvndep | 1m 8s | Maven dependency ordering for branch |
| +1 | mvnsite | 0m 27s | trunk passed |
| 0 | mvndep | 0m 17s | Maven dependency ordering for patch |
| +1 | mvnsite | 0m 24s | the patch passed |
| -1 | whitespace | 0m 0s | The patch has 15 line(s) that end in whitespace. Use git apply --whitespace=fix. |
| +1 | xml | 0m 1s | The patch has no ill-formed XML file. |
| +1 | asflicense | 0m 24s | Patch does not generate ASF License warnings. |
| | | 3m 11s | |

|| Subsystem || Report/Notes ||
| Docker | Image:yetus/hadoop:0ca8df7 |
| JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12787262/YARN-4653-004.patch |
| JIRA Issue | YARN-4653 |
| Optional Tests | asflicense mvnsite xml |
| uname | Linux d24823a12d87 3.13.0-36-lowlatency #63-Ubuntu SMP PREEMPT Wed Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | /testptch/hadoop/patchprocess/precommit/personality/provided.sh |
| git revision | trunk / e9a6226 |
| whitespace | https://builds.apache.org/job/PreCommit-YARN-Build/10545/artifact/patchprocess/whitespace-eol.txt |
| modules | C: hadoop-project hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site U: . |
| Max memory used | 52MB |
| Console output | https://builds.apache.org/job/PreCommit-YARN-Build/10545/console |
| Powered by | Apache Yetus 0.2.0-SNAPSHOT http://yetus.apache.org |

This message was automatically generated.
[jira] [Commented] (YARN-4653) Document YARN security model from the perspective of Application Developers
[ https://issues.apache.org/jira/browse/YARN-4653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15140742#comment-15140742 ]

Steve Loughran commented on YARN-4653:
--------------------------------------

ok, to confirm then
# the token handed off by the RM to the NM to localize is refreshed/updated as needed.
# no tokens in the app launch context are refreshed. That is, if it has an out of date hdfs token — that token is not renewed
# therefore, to survive AM restart after token failure, your AM has to get the NMs to localize the keytab or make no HDFS accesses until (somehow) a new token has been passed to them from a client.

This is what I will say
[jira] [Commented] (YARN-4653) Document YARN security model from the perspective of Application Developers
[ https://issues.apache.org/jira/browse/YARN-4653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15136094#comment-15136094 ]

Jian He commented on YARN-4653:
-------------------------------

bq. what about the tokens supplied to the container launch context for the container to start at all?

Sorry, not sure I understand what you mean. In case of MR, any tokens in the containerLaunchContext (supplied by user) will remain the same. Those tokens are not refreshed and will expire eventually. The hdfs token used for localization is indeed refreshed - RM requests a new token on user's behalf and distributes that to NM's localization service. Tokens for any other services (ATS, Hive) supplied by user are not refreshed.

The patch looks good. Only my earlier comment: I tried to compile the html file and find that below has some format problem. Only the first line is recognized as the title.
{code}
### AM keytab distributed via YARN; AM regenerates delegation
tokens for containers.
{code}
[jira] [Commented] (YARN-4653) Document YARN security model from the perspective of Application Developers
[ https://issues.apache.org/jira/browse/YARN-4653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15135923#comment-15135923 ]

Steve Loughran commented on YARN-4653:
--------------------------------------

I know the apps need to sort out their own tokens; I've tried to explain that in the long lived services bit. I'm wondering about: what about the tokens supplied to the container launch context for the container to start at all?
[jira] [Commented] (YARN-4653) Document YARN security model from the perspective of Application Developers
[ https://issues.apache.org/jira/browse/YARN-4653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15135658#comment-15135658 ]

Jian He commented on YARN-4653:
-------------------------------

Below title has some format issue. They need to be on the same line.
{code}
### AM keytab distributed via YARN; AM regenerates delegation
tokens for containers.
{code}

bq. No? I'm thinking of all tokens supplied to the container launch context,

I think not. The delegation tokens will be kept renewed by the DelegationTokenRenewer thread every 24 hrs. AM keeps using the same token until the token expires after 7 days.

bq. What should an app do in terms of running anything in its own process to refresh/renew tokens?

IIUC, renew will be done by the DelegationTokenRenewer thread in RM automatically every 24 hr until the final expiration (7 days). After that AM has to get a new token in some way to run beyond 7 days. Or just using keytabs, instead of delegation token like you mentioned.
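
The keytab-based strategy discussed in this thread (renewal only works until a token's final expiration, after which the AM must fetch a replacement), shown as an added example that is not code from the YARN-4653 patch or from Hadoop itself. The class name, constructor parameters and safety margin are assumptions; the calls used are the public `UserGroupInformation`, `Credentials`, `Token` and `FileSystem` APIs.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;
import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier;

/** Hypothetical AM-side helper (added example; not Hadoop or YARN-4653 code). */
public class AmTokenRefresher {
  private final Configuration conf;
  private final String principal;   // assumption: the AM's Kerberos principal
  private final String keytabPath;  // assumption: keytab localized beside the AM
  private final String renewer;     // assumption: principal allowed to renew the token
  private final long marginMs;      // re-fetch this long before the hard expiry
  private UserGroupInformation keytabUgi;

  public AmTokenRefresher(Configuration conf, String principal, String keytabPath,
      String renewer, long marginMs) {
    this.conf = conf;
    this.principal = principal;
    this.keytabPath = keytabPath;
    this.renewer = renewer;
    this.marginMs = marginMs;
  }

  /** Earliest max date (hard expiry, epoch ms) over all delegation tokens held. */
  static long earliestMaxDate(Credentials creds) throws IOException {
    long earliest = Long.MAX_VALUE;
    for (Token<? extends TokenIdentifier> token : creds.getAllTokens()) {
      // Tokens that are not delegation tokens (the AMRM token, for one) and
      // identifiers that cannot be decoded (null) fail the instanceof test.
      TokenIdentifier id = token.decodeIdentifier();
      if (id instanceof AbstractDelegationTokenIdentifier) {
        earliest = Math.min(earliest,
            ((AbstractDelegationTokenIdentifier) id).getMaxDate());
      }
    }
    return earliest;
  }

  /** Renewal extends a token only up to its max date; past that it must be replaced. */
  boolean needsRefetch(Credentials creds, long nowMs) throws IOException {
    return earliestMaxDate(creds) - nowMs <= marginMs;
  }

  /** Logs in from the keytab (once, then re-logins) and asks HDFS for new tokens. */
  Credentials fetchFreshHdfsTokens() throws IOException, InterruptedException {
    if (keytabUgi == null) {
      keytabUgi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytabPath);
    } else {
      keytabUgi.checkTGTAndReloginFromKeytab();
    }
    return keytabUgi.doAs(new PrivilegedExceptionAction<Credentials>() {
      @Override
      public Credentials run() throws IOException {
        Credentials fresh = new Credentials();
        // The credentials object is empty, so a new token is always requested.
        FileSystem.get(conf).addDelegationTokens(renewer, fresh);
        return fresh;
      }
    });
  }

  /** Call periodically from an AM thread; returns new tokens, or null if not yet due. */
  public Credentials refreshIfNeeded() throws IOException, InterruptedException {
    UserGroupInformation current = UserGroupInformation.getCurrentUser();
    if (!needsRefetch(current.getCredentials(), System.currentTimeMillis())) {
      return null;
    }
    Credentials fresh = fetchFreshHdfsTokens();
    current.addCredentials(fresh);  // tokens with the same alias are overwritten
    return fresh;                   // what the AM would pass on to its containers
  }
}
```

Tokens for other services (ATS, Hive) are not covered here and would each need their own fetch call inside the same `doAs` block.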
[jira] [Commented] (YARN-4653) Document YARN security model from the perspective of Application Developers
[ https://issues.apache.org/jira/browse/YARN-4653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15134415#comment-15134415 ]

Steve Loughran commented on YARN-4653:
--------------------------------------

bq. Wonder how this works. Since container does not have keytab, so no kerberos channel. What kind of authentication is this to get the delegation tokens

Spark uses HTTPS here; AM has a keytab. I'll clarify that.

bq. RM will not refresh any delegation tokens on AM restart. It'll refresh AMRM token for sure.

No? I'm thinking of all tokens supplied to the container launch context, the ones needed for localization by the NN, and for other services the app needs (e.g. ATS, Hive, ...). Doesn't the RM do those?
[jira] [Commented] (YARN-4653) Document YARN security model from the perspective of Application Developers
[ https://issues.apache.org/jira/browse/YARN-4653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15133509#comment-15133509 ]

Jian He commented on YARN-4653:
-------------------------------

Thanks Steve! Great material! Some questions/comments I have:

bq. It is the responsibility of the application to renew all tokens other than the AMRM and timeline tokens.

I personally feel here the 'renew' word is a bit confusing. Two kinds of 'renew' we have.
1) Before tokens' final expiration, tokens submitted via applicationSubmissionContext are automatically renewed by DelegationTokenRenewer in RM.
2) After the token final expiration, application has to re-renew (or 're-fetch') the token by themselves.
Should we clarify these two?

bq. The AM must implement an IPC interface which permits containers to request a new set of delegation tokens; this interface must itself use authentication and ideally wire encryption.

Wonder how this works. Since container does not have keytab, so no kerberos channel. What kind of authentication is this to get the delegation tokens?

bq. Before a delegation token is due to expire, the processes running in the containers must request new tokens from the Application Master, over the IPC channel.

Not clear to me how this works. Say, if container wants to get a new hdfs delegation token, how does it get the new hdfs delegation token from AM? Is it because AM gets a new hdfs delegation token in the first place which then passed to container when container asks for it?

bq. Because the RM refreshes tokens on AM restart,

Correct me if I'm wrong, RM will not refresh any delegation tokens on AM restart. It'll refresh AMRM token for sure.

bq. A thread or executor is started to renew threads on a regular basis.

Should it be "is started to renew 'tokens'"?
[jira] [Commented] (YARN-4653) Document YARN security model from the perspective of Application Developers
[ https://issues.apache.org/jira/browse/YARN-4653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15126453#comment-15126453 ]

Steve Loughran commented on YARN-4653:
--------------------------------------

Rendered doc is at: https://github.com/steveloughran/hadoop/blob/HADOOP-12649-security/YARN-4653-yarn/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/YarnApplicationSecurity.md
[jira] [Commented] (YARN-4653) Document YARN security model from the perspective of Application Developers
[ https://issues.apache.org/jira/browse/YARN-4653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15126391#comment-15126391 ]

Hadoop QA commented on YARN-4653:
---------------------------------

| (x) *-1 overall* |

|| Vote || Subsystem || Runtime || Comment ||
| 0 | reexec | 0m 0s | Docker mode activated. |
| +1 | @author | 0m 0s | The patch does not contain any @author tags. |
| 0 | mvndep | 0m 14s | Maven dependency ordering for branch |
| +1 | mvnsite | 0m 24s | trunk passed |
| 0 | mvndep | 0m 13s | Maven dependency ordering for patch |
| +1 | mvnsite | 0m 24s | the patch passed |
| -1 | whitespace | 0m 0s | The patch has 17 line(s) that end in whitespace. Use git apply --whitespace=fix. |
| +1 | xml | 0m 0s | The patch has no ill-formed XML file. |
| +1 | asflicense | 0m 18s | Patch does not generate ASF License warnings. |
| | | 1m 52s | |

|| Subsystem || Report/Notes ||
| Docker | Image:yetus/hadoop:0ca8df7 |
| JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12785533/YARN-4653-001.patch |
| JIRA Issue | YARN-4653 |
| Optional Tests | asflicense mvnsite xml |
| uname | Linux ac13bc823499 3.13.0-36-lowlatency #63-Ubuntu SMP PREEMPT Wed Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | /testptch/hadoop/patchprocess/precommit/personality/provided.sh |
| git revision | trunk / 8f2622b |
| whitespace | https://builds.apache.org/job/PreCommit-YARN-Build/10458/artifact/patchprocess/whitespace-eol.txt |
| modules | C: hadoop-project hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site U: . |
| Max memory used | 29MB |
| Powered by | Apache Yetus 0.2.0-SNAPSHOT http://yetus.apache.org |
| Console output | https://builds.apache.org/job/PreCommit-YARN-Build/10458/console |

This message was automatically generated.
[jira] [Commented] (YARN-4653) Document YARN security model from the perspective of Application Developers
[ https://issues.apache.org/jira/browse/YARN-4653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15123315#comment-15123315 ]

Steve Loughran commented on YARN-4653:
--------------------------------------

Thanks for the link ... hadn't seen that. Nice. That's a document which should be linked to, ideally even pulled into the hadoop site.

I'm doing something less ambitious but equally important: explain to application developers what they need. I'll change the title accordingly.