[ 
https://issues.apache.org/jira/browse/YARN-613?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Vinod Kumar Vavilapalli reopened YARN-613:
------------------------------------------

      Assignee: Vinod Kumar Vavilapalli

I wanted to do it all together at YARN-571, but in retrospect, I think we 
should keep it separate.

Here's my proposal:
 - Use the AMToken (today called ApplicationToken, but it is per 
AM/ApplicationAttemptId) for authentication to the NM. Due to this, we only 
need to create one connection per NM. So, we will no longer need to latch onto 
ContainerTokens for the sake of {{stopContainer()/getContainerStatus()}}.
 - Add authorization checks also for {{stopContainer()/getContainerStatus()}} - 
today there are none.
 - Use ContainerToken for authorization of {{startContainer()}} irrespective of 
security like I proposed on YARN-617.
 - Today we have authentication based on ContainerTokens for 
{{stopContainer()/getContainerStatus()}}, but not authorization. Once we 
authenticate based on AMTokens, they become automatically accessible to users 
(YARN-575 will be a duplicate) without latching onto ContainerTokens for a long 
time. We just need to add more authorization checks for these two RPCs.
 - One catch is AM restart - thanks to [~bikassaha] for bringing this up 
offline. If the AM restarts, it will get a new AMToken and will be successfully able 
to authenticate to NMs with the new AMToken, but authorization can be an issue 
for {{stopContainer()/getContainerStatus()}}. For this to work, authorization 
should only be based on ApplicationId and not ApplicationAttemptId - that way a 
second appAttempt can kill containers spawned by the previous appAttempt.

> Create NM proxy per NM instead of per container
> -----------------------------------------------
>
>                 Key: YARN-613
>                 URL: https://issues.apache.org/jira/browse/YARN-613
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Bikas Saha
>            Assignee: Vinod Kumar Vavilapalli
>
> Currently a new NM proxy has to be created per container since the secure 
> authentication is using a containertoken from the container.
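
The authorization rule proposed in the comment above, as an added sketch that is not part of the original message or of Hadoop's code. The types `AppId`, `AttemptId`, `ContainerId` and the class `NmAuthzSketch` are hypothetical stand-ins, the caller's attempt id is assumed to come from an already-verified AMToken, and all sample values are constructed.

```java
import java.util.HashMap;
import java.util.Map;

// Illustrative model only: not Hadoop's ApplicationId/ContainerId classes.
public class NmAuthzSketch {
    record AppId(long clusterTimestamp, int id) {}
    record AttemptId(AppId app, int attempt) {}
    record ContainerId(AttemptId launchedBy, long seq) {}

    private final Map<ContainerId, String> containers = new HashMap<>();

    void launch(ContainerId id) { containers.put(id, "RUNNING"); }

    // 'caller' is the attempt id the connection authenticated as (assumed: from the AMToken).
    String getContainerStatus(AttemptId caller, ContainerId target) {
        authorize(caller, target); // check first, so a foreign AM learns nothing
        return containers.getOrDefault(target, "UNKNOWN");
    }

    void stopContainer(AttemptId caller, ContainerId target) {
        authorize(caller, target);
        containers.computeIfPresent(target, (k, v) -> "STOPPED");
    }

    // Compare ApplicationId only, so a restarted AM (new attempt, new token)
    // can still manage containers launched by the previous attempt.
    private static void authorize(AttemptId caller, ContainerId target) {
        if (!caller.app().equals(target.launchedBy().app())) {
            throw new SecurityException(caller + " may not manage " + target);
        }
    }

    public static void main(String[] args) {
        AppId app = new AppId(1365000000000L, 7);        // constructed sample ids
        AppId otherApp = new AppId(1365000000000L, 8);
        ContainerId c = new ContainerId(new AttemptId(app, 1), 2);

        NmAuthzSketch nm = new NmAuthzSketch();
        nm.launch(c);
        nm.stopContainer(new AttemptId(app, 2), c);      // second attempt of the same app
        System.out.println("after restart: " + nm.getContainerStatus(new AttemptId(app, 2), c));
        try {
            nm.getContainerStatus(new AttemptId(otherApp, 1), c); // different application
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

Comparing full `AttemptId` values in `authorize` instead would reject the restarted AM's `stopContainer` call, which is the AM-restart catch the comment describes.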
