[
https://issues.apache.org/jira/browse/YARN-11922?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18053025#comment-18053025
]
ASF GitHub Bot commented on YARN-11922:
---------------------------------------
K0K0V0K opened a new pull request, #8194:
URL: https://github.com/apache/hadoop/pull/8194
### Description of PR
Problem Statement:
I have a scenario where I need to migrate a YARN cluster to a FIPS
140-3–compatible environment. For this, the AMRMTokenSecretManager must use
secrets that are at least 112 bits long. By default, the secret length is 64
bits. When I modify the key size and restart the cluster with recovery enabled,
the state store reloads the old secret, which has a default lifetime of 24
hours. As a result, even though the cluster is configured to operate in FIPS
140-3–compatible mode, it continues to use a non-compliant secret.
Solution:
When the ResourceManager recovers, it should validate the secret size stored
in the state store. If the stored secret size differs from the configured
value, the secret should be forcibly regenerated and updated.
### How was this patch tested?
- Through manual testing, I verified that HIVE applications can run
successfully both before and after the configuration change.
- UT was created.
### AI Tooling
ChatGPT to check grammar in the commit message
> ResourceManager not update SecretManager keysize immediately if recovery is on
> ------------------------------------------------------------------------------
>
> Key: YARN-11922
> URL: https://issues.apache.org/jira/browse/YARN-11922
> Project: Hadoop YARN
> Issue Type: Improvement
> Components: yarn
> Affects Versions: 3.5.0
> Reporter: Bence Kosztolnik
> Assignee: Bence Kosztolnik
> Priority: Minor
>
> *Problem Statement:*
> I have a scenario where I need to migrate a YARN cluster to a FIPS
> 140-3–compatible environment.
> For this, the AMRMTokenSecretManager must use secrets that are at least 112
> bits long. By default, the secret length is 64 bits. When I modify the key
> size and restart the cluster with recovery enabled, the state store reloads
> the old secret, which has a default lifetime of 24 hours. As a result, even
> though the cluster is configured to operate in FIPS 140-3–compatible mode, it
> continues to use a non-compliant secret.
>
> *Solution:*
> When the ResourceManager recovers, it should validate the secret size stored
> in the state store. If the stored secret size differs from the configured
> value, the secret should be forcibly regenerated and updated.
>
> *Tested:*
> Through manual testing, I verified that HIVE applications can run
> successfully both before and after the configuration change.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
