[ https://issues.apache.org/jira/browse/YARN-8571?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Billie Rinaldi updated YARN-8571:
---------------------------------
    Affects Version/s: 3.1.1

> Validate service principal format prior to launching yarn service
> -----------------------------------------------------------------
>
>                 Key: YARN-8571
>                 URL: https://issues.apache.org/jira/browse/YARN-8571
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: security, yarn
>    Affects Versions: 3.1.0, 3.1.1
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>            Priority: Major
>             Fix For: 3.2.0, 3.1.2
>
>         Attachments: YARN-8571.001.patch, YARN-8571.002.patch
>
>
> Hadoop client and server interaction is designed to validate the service
> principal before an RPC request is permitted. In YARN service, the same
> security model is enforced to prevent replay attacks. However, an end user
> might submit JSON that looks like this to the YARN service REST API:
> {code}
> {
>   "name": "sleeper-service",
>   "version": "1.0.0",
>   "components" :
>   [
>     {
>       "name": "sleeper",
>       "number_of_containers": 2,
>       "launch_command": "sleep 900000",
>       "resource": {
>         "cpus": 1,
>         "memory": "256"
>       }
>     }
>   ],
>   "kerberos_principal" : {
>     "principal_name" : "ambari...@example.com",
>     "keytab" : "file:///etc/security/keytabs/smokeuser.headless.keytab"
>   }
> }
> {code}
> The Kerberos principal is an end-user Kerberos principal instead of a service
> principal. This does not work properly because the YARN service application
> master is required to run with a service principal to communicate with the YARN CLI
> client via Hadoop RPC. Without breaking Hadoop security design in this JIRA,
> it might be in our best interest to validate principal_name during
> submission, and report an error message when someone tries to run YARN service
> with a user principal.
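
A client-side pre-submission check for the condition described in the report, as an added example (it is not the YARN-8571 patch or any Hadoop code): it flags a `principal_name` that has no instance component. The function names, the `primary[/instance][@REALM]` pattern and the sample principals are assumptions made for this illustration.

```python
import json
import re

# Kerberos principal layout: primary[/instance][@REALM]. By convention a service
# principal has a non-empty instance (normally a host name); a user principal has none.
PRINCIPAL_RE = re.compile(
    r"(?P<primary>[^/@]+)(?:/(?P<instance>[^/@]+))?(?:@(?P<realm>[^/@]+))?")


def principal_problems(spec_text):
    """Return a list of problems with kerberos_principal.principal_name."""
    block = json.loads(spec_text).get("kerberos_principal") or {}
    if not isinstance(block, dict):
        return ["kerberos_principal must be a JSON object"]
    name = block.get("principal_name")
    if not name:
        # Assumption: no principal means a non-Kerberos submission, nothing to check.
        return []
    if not isinstance(name, str):
        return ["principal_name must be a string"]
    match = PRINCIPAL_RE.fullmatch(name)
    if match is None:
        return ["%r is not a well-formed Kerberos principal" % name]
    if match.group("instance") is None:
        return ["%r is a user principal; a service principal "
                "(primary/instance@REALM) is required" % name]
    return []


def make_spec(principal_name):
    """Build a constructed spec shaped like the one in the report."""
    return json.dumps({
        "name": "sleeper-service",
        "version": "1.0.0",
        "components": [{"name": "sleeper", "number_of_containers": 2,
                        "launch_command": "sleep 900000",
                        "resource": {"cpus": 1, "memory": "256"}}],
        "kerberos_principal": {
            "principal_name": principal_name,
            "keytab": "file:///etc/security/keytabs/smokeuser.headless.keytab"},
    })


if __name__ == "__main__":
    # Constructed principal names, not taken from the report.
    for sample in ("alice@EXAMPLE.COM", "sleeper/host1.example.com@EXAMPLE.COM",
                   "sleeper//host1@EXAMPLE.COM"):
        print(sample, "->", principal_problems(make_spec(sample)) or "ok")
```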