[ https://issues.apache.org/jira/browse/YARN-613?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Vinod Kumar Vavilapalli reopened YARN-613:
------------------------------------------

    Assignee: Vinod Kumar Vavilapalli

I wanted to do it all together at YARN-571, but in retrospect, I think we should keep it separate.

Here's my proposal
 - Use the AMToken (today called ApplicationToken, but it is per AM/ApplicationAttemptId) for authentication to the NM. Due to this, we only need to create one connection per NM. So, we will no longer need to latch onto ContainerTokens for the sake of {{stopContainer()/getContainerStatus()}}
 - Add authorization checks also for {{stopContainer()/getContainerStatus()}} - today there are none.
 - Use ContainerToken for authorization of {{startContainer()}} irrespective of security like I proposed on YARN-617.
 - Today we have authentication based on ContainerTokens for {{stopContainer()/getContainerStatus()}}, but not authorization. Once we authenticate based on AMTokens, they become automatically accessible to users (YARN-575 will be a duplicate) without latching onto ContainerTokens for long times. We just need to add more authorization checks for these two RPCs.
 - One catch is AM restart - thanks to [~bikassaha] for bringing this up offline. If AM restarts, it will get a new AMToken, will be successfully able to authenticate to NMs with the new AMToken but authorization can be an issue for {{stopContainer()/getContainerStatus()}}. For this to work, authorization should only be based on ApplicationId and not ApplicationAttemptID - that way a second appAttempt can kill containers spawned by previous appAttempt.

> Create NM proxy per NM instead of per container
> -----------------------------------------------
>
>                 Key: YARN-613
>                 URL: https://issues.apache.org/jira/browse/YARN-613
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Bikas Saha
>            Assignee: Vinod Kumar Vavilapalli
>
> Currently a new NM proxy has to be created per container since the secure
> authentication is using a containertoken from the container.
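The AM-restart catch from the proposal above, as an added Java sketch that is not part of the original message and is not Hadoop's code. Every class and method name here is a hypothetical stand-in for the NM-side check, and the caller is assumed to be the ApplicationAttemptId carried by the already-authenticated AMToken.

```java
import java.util.HashSet;
import java.util.Set;

// Hypothetical, simplified model; these are not Hadoop's own classes.
public class NmStopAuthzSketch {
    record ApplicationId(long clusterTimestamp, int id) {}
    record ApplicationAttemptId(ApplicationId appId, int attempt) {}
    record ContainerId(ApplicationAttemptId attemptId, int id) {}

    // Which identity the authorization check compares.
    enum Scope { ATTEMPT, APPLICATION }

    private final Set<ContainerId> running = new HashSet<>();
    private final Scope scope;

    NmStopAuthzSketch(Scope scope) { this.scope = scope; }

    void launch(ContainerId c) { running.add(c); }

    // 'caller' is assumed to be the attempt id taken from the authenticated AMToken.
    boolean stopContainer(ApplicationAttemptId caller, ContainerId target) {
        ApplicationAttemptId owner = target.attemptId();
        boolean allowed = (scope == Scope.ATTEMPT)
                ? caller.equals(owner)                   // breaks after an AM restart
                : caller.appId().equals(owner.appId());  // the proposal: ApplicationId only
        if (!allowed) {
            return false; // authenticated, but not authorized for this container
        }
        return running.remove(target);
    }

    public static void main(String[] args) {
        // Constructed sample ids.
        ApplicationId app1 = new ApplicationId(1365000000000L, 1);
        ApplicationId app2 = new ApplicationId(1365000000000L, 2);
        ApplicationAttemptId attempt1 = new ApplicationAttemptId(app1, 1);
        ApplicationAttemptId attempt2 = new ApplicationAttemptId(app1, 2); // AM restarted
        ApplicationAttemptId otherApp = new ApplicationAttemptId(app2, 1);
        ContainerId c = new ContainerId(attempt1, 3); // spawned by the first attempt

        for (Scope s : Scope.values()) {
            NmStopAuthzSketch nm = new NmStopAuthzSketch(s);
            nm.launch(c);
            System.out.println(s + ": other app -> " + nm.stopContainer(otherApp, c)
                    + ", restarted AM -> " + nm.stopContainer(attempt2, c)
                    + ", container still running -> " + nm.running.contains(c));
        }
    }
}
```

Run with `java NmStopAuthzSketch.java` on Java 16 or later; the ATTEMPT scope leaves the first attempt's container running after the restart, while the APPLICATION scope lets the second attempt stop it and still rejects the other application.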