Bence Kosztolnik created YARN-11922:
---------------------------------------

             Summary: ResourceManager not update SecretManager keysize 
immediately if recovery is on
                 Key: YARN-11922
                 URL: https://issues.apache.org/jira/browse/YARN-11922
             Project: Hadoop YARN
          Issue Type: Improvement
          Components: yarn
    Affects Versions: 3.5.0
            Reporter: Bence Kosztolnik
            Assignee: Bence Kosztolnik


Problem Statement:

I have a scenario where I need to migrate a YARN cluster to a FIPS 
140-3–compatible environment.

For this, the AMRMTokenSecretManager must use secrets that are at least 112 
bits long. By default, the secret length is 64 bits. When I modify the key size 
and restart the cluster with recovery enabled, the state store reloads the old 
secret, which has a default lifetime of 24 hours. As a result, even though the 
cluster is configured to operate in FIPS 140-3–compatible mode, it continues to 
use a non-compliant secret.

 

Solution:

When the ResourceManager recovers, it should validate the secret size stored in 
the state store. If the stored secret size differs from the configured value, 
the secret should be forcibly regenerated and updated.

 

Tested:

Through manual testing, I verified that Hive applications can run successfully 
both before and after the configuration change.
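
The recovery check proposed under Solution, sketched as an added example (not code from the YARN patch or from the reporter). The class name, method names and the HmacSHA1 algorithm are assumptions made for illustration; the 64-bit and 112-bit sizes come from the report.

```java
import java.security.NoSuchAlgorithmException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

// Added illustration. Class and method names are hypothetical, not YARN APIs.
public class RecoveredSecretCheck {
    // Assumption for this sketch: an HMAC key produced by the JCE KeyGenerator.
    static final String ALGORITHM = "HmacSHA1";

    static SecretKey generate(int bits) throws NoSuchAlgorithmException {
        KeyGenerator gen = KeyGenerator.getInstance(ALGORITHM);
        gen.init(bits);
        return gen.generateKey();
    }

    // The stored key is raw bytes and the setting is in bits. Round the
    // configured size up to whole bytes so a size that is not a multiple
    // of 8 does not force a regeneration on every restart.
    static boolean sizeMatches(byte[] storedKey, int configuredBits) {
        return storedKey != null && storedKey.length == (configuredBits + 7) / 8;
    }

    // Reuse the recovered key only if it has the configured size; otherwise
    // replace it at once instead of waiting for the old key's lifetime to end.
    static SecretKey recoverOrRegenerate(byte[] storedKey, int configuredBits)
            throws NoSuchAlgorithmException {
        if (sizeMatches(storedKey, configuredBits)) {
            return new SecretKeySpec(storedKey, ALGORITHM);
        }
        // A real implementation would also write the new key back to the state store.
        return generate(configuredBits);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a key saved to the store before the configuration change.
        byte[] stored = generate(64).getEncoded();
        SecretKey afterChange = recoverOrRegenerate(stored, 112);
        SecretKey unchanged = recoverOrRegenerate(stored, 64);
        SecretKey emptyStore = recoverOrRegenerate(null, 112);
        System.out.println("stored 64, configured 112: " + afterChange.getEncoded().length * 8 + " bits");
        System.out.println("stored 64, configured 64: " + unchanged.getEncoded().length * 8 + " bits");
        System.out.println("nothing stored, configured 112: " + emptyStore.getEncoded().length * 8 + " bits");
    }
}
```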


