[jira] [Commented] (YARN-707) Add user info in the YARN ClientToken

Wed, 28 Aug 2013 07:41:40 -0700 

    [ 
https://issues.apache.org/jira/browse/YARN-707?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13752443#comment-13752443
 ] 

Daryn Sharp commented on YARN-707:
----------------------------------

Technically you should be bumping the token ident's version number and using 
that to determine if the app submitter is in the ident.  Otherwise, decoding of 
prior tokens will attempt to read the missing app submitter from the next 
serialized object and eventually fail spectacularly.

{{RmAppImpl#createAndGetApplicationReport}}
Using checks on {{UserGroupInformation.isSecurityEnabled()}} here and elsewhere 
will cause future incompatibility to require tokens w/o security which is the 
direction yarn has been moving in.  It would be better to check if the secret 
manager is not null.

It's just logging if it cannot create a token?  This _shouldn't_ happen, but 
_if/when_ it does it's going to lead to more difficult after the fact errors in 
the client.  It's unfortunate you cannot throw the checked exception 
{{IOException}}, so I think you need to change the method signature or throw 
whatever you can, like a {{YarnException}}, to fail the request.

App attempting storing/restoring appears asymmetric.  Storing saves off the 
whole credentials in the attempt, whereas restoring appears to just pluck out 
the amrm token and the new persisted secret?

Minor:
Methods using the term "Token", ex. {{recoverAppAttemptTokens}} and 
{{getTokensFromAppAttempt}} are misleading since it's "Credentials".  Vinod had 
me make a similar change to the method names in the AM.

{{AM_CLIENT_TOKEN_MASTER_KEY_NAME}} is better defined in {{RMAppAttempt}}, 
rather than in the {{RMStateStore}}.  Otherwise the import dependency seems 
backwards.
                
> Add user info in the YARN ClientToken
> -------------------------------------
>
>                 Key: YARN-707
>                 URL: https://issues.apache.org/jira/browse/YARN-707
>             Project: Hadoop YARN
>          Issue Type: Improvement
>            Reporter: Bikas Saha
>            Assignee: Jason Lowe
>            Priority: Blocker
>             Fix For: 3.0.0, 2.1.1-beta
>
>         Attachments: YARN-707-20130822.txt, YARN-707-20130827.txt
>
>
> If user info is present in the client token then it can be used to do limited 
> authz in the AM.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to