Details
Type: Sub-task
Status: Open
Priority: Major
Resolution: Unresolved
Version: 2.8.0
Description
All YARN apps with a planned lifespan of more than 24h need a way to push updated tokens out to their containers; the tokens themselves come from an AM with a keytab, a kinit'ed user, or Oozie.
Per-app solutions are likely to have different security flaws, testability/support problems, etc. Yet we already have a mechanism for the RM to pass credentials to the NMs and into the local filesystem for container launch; this could be extended to support propagation of updated credentials, something like:
- The AM/RM protocol adds an operation to replace the credentials on a container; the NM uses this to pull down the new value; a UGI refresh thread in the container looks for updated data at HADOOP_TOKEN_FILE_LOCATION and reloads it.
- The YARN client API is extended so the credentials in the AM launch context can be updated the same way.
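As an added illustration of the container-side half of the first bullet (the refresh thread reloading HADOOP_TOKEN_FILE_LOCATION) and of how an NM could safely overwrite the file it reads, here is example code that is not part of this issue or of YARN itself. TokenFileRefresher, refreshIfChanged, replaceTokenFile and the polling period are assumed names; only the Hadoop calls (Credentials.readTokenStorageFile, Credentials.writeTokenStorageToStream, UserGroupInformation.addCredentials, the HADOOP_TOKEN_FILE_LOCATION constant) are real. The RM/NM protocol extension that would trigger the rewrite does not exist in 2.8.0 and is not shown.

```java
import java.io.DataOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ThreadFactory;
import java.util.concurrent.TimeUnit;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation;

/**
 * Added example, not YARN code. A background thread polls the token file the NM
 * pointed the container at (HADOOP_TOKEN_FILE_LOCATION) and merges any newer
 * contents into the current UGI. Class and method names are assumptions.
 */
public final class TokenFileRefresher implements Runnable {
  private final File tokenFile;
  private final Configuration conf;
  private long seenModified;
  private long seenLength;

  public TokenFileRefresher(Configuration conf) {
    String location = System.getenv(UserGroupInformation.HADOOP_TOKEN_FILE_LOCATION);
    if (location == null) {
      throw new IllegalStateException(UserGroupInformation.HADOOP_TOKEN_FILE_LOCATION
          + " is not set: not running inside a YARN container?");
    }
    this.tokenFile = new File(location);
    this.conf = conf;
    // Whatever is on disk now was already loaded at UGI login; only react to changes.
    this.seenModified = tokenFile.lastModified();
    this.seenLength = tokenFile.length();
  }

  /** Returns the number of tokens merged into the UGI, or 0 when the file is unchanged. */
  public synchronized int refreshIfChanged() throws IOException {
    long mtime = tokenFile.lastModified();
    long length = tokenFile.length();
    // Length is compared as well, because mtime granularity can hide a same-second rewrite.
    if (mtime == seenModified && length == seenLength) {
      return 0;
    }
    Credentials fresh = Credentials.readTokenStorageFile(tokenFile, conf);
    // addCredentials overwrites tokens that share an alias with the new ones, so a
    // renewed token replaces its predecessor while unrelated tokens are left alone.
    UserGroupInformation.getCurrentUser().addCredentials(fresh);
    seenModified = mtime;
    seenLength = length;
    return fresh.numberOfTokens();
  }

  @Override
  public void run() {
    try {
      refreshIfChanged();
    } catch (IOException e) {
      // Half-written file or transient read error: keep the old tokens and retry next tick.
      System.err.println("token refresh skipped: " + e);
    }
  }

  /** Polls every periodSeconds on a daemon thread so the refresher never pins the JVM. */
  public static ScheduledExecutorService start(Configuration conf, long periodSeconds) {
    ScheduledExecutorService exec = Executors.newSingleThreadScheduledExecutor(new ThreadFactory() {
      @Override
      public Thread newThread(Runnable r) {
        Thread t = new Thread(r, "token-file-refresher");
        t.setDaemon(true);
        return t;
      }
    });
    exec.scheduleAtFixedRate(new TokenFileRefresher(conf), periodSeconds, periodSeconds, TimeUnit.SECONDS);
    return exec;
  }

  /**
   * Writer side (what an NM would do after pulling new credentials): serialise into a
   * 0600 temp file in the same directory, then rename over the old file, so the reader
   * above never observes a partially written token file.
   */
  public static void replaceTokenFile(Credentials creds, File target) throws IOException {
    Path dir = target.getAbsoluteFile().getParentFile().toPath();
    Path tmp = Files.createTempFile(dir, "container_tokens", ".tmp"); // rw------- on POSIX
    try (DataOutputStream out = new DataOutputStream(new FileOutputStream(tmp.toFile()))) {
      creds.writeTokenStorageToStream(out);
    }
    Files.move(tmp, target.toPath(), StandardCopyOption.ATOMIC_MOVE, StandardCopyOption.REPLACE_EXISTING);
  }
}
```

Two caveats a practitioner would want: updating the UGI only affects RPC connections opened afterwards, since an established connection keeps the token it authenticated with, so long-lived clients must be allowed to reconnect to pick up a renewed token; and the rename-over approach relies on the reader and writer sharing the container's private directory, which is why the temp file is created alongside the target rather than in a shared /tmp.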