[
https://issues.apache.org/jira/browse/YARN-6130?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16102844#comment-16102844
]
Varun Saxena commented on YARN-6130:
------------------------------------
bq. token renewer is set to application owner. Is it intended? Since
AppCollector runs as part of NM axillary service, renewer should be NM user
right?
Actually I was initially thinking of providing an ability to renew token from
Timeline client too. For tokens for offline collectors for instance. And if we
allow for them, the API has to be generic enough to allow renewal for app
tokens as well with the facility of automatic renewal. That is why I had kept
it as application owner at that time. As we will renew locally i.e. from NM and
will have the token cached in collector, it wont matter. However, security
design for offline collectors isn't yet finalized.
So technically right now, the renewer will always be NM. Will change it in next
patch.
> [ATSv2 Security] Generate a delegation token for AM when app collector is
> created and pass it to AM via NM and RM
> -----------------------------------------------------------------------------------------------------------------
>
> Key: YARN-6130
> URL: https://issues.apache.org/jira/browse/YARN-6130
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: timelineserver
> Reporter: Varun Saxena
> Assignee: Varun Saxena
> Labels: yarn-5355-merge-blocker
> Attachments: YARN-6130-YARN-5355.01.patch,
> YARN-6130-YARN-5355.02.patch, YARN-6130-YARN-5355.03.patch,
> YARN-6130-YARN-5355.04.patch, YARN-6130-YARN-5355.05.patch
>
>
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
