hadoop-yarn-dev mailing list archives

From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (YARN-9735) Allow User Keytab to submit YARN Native Service
Date Wed, 14 Aug 2019 17:50:00 GMT

     [ https://issues.apache.org/jira/browse/YARN-9735?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Eric Yang resolved YARN-9735.
-----------------------------
    Resolution: Invalid

[~Prabhu Joseph] The user principal is not used as the service principal because the TGS request authenticates the
client principal with the service principal, and this information is validated on the AM side
to ensure that KDC pre-authentication took place, and the server can only reconfirm the end user
credential based on validation of the service principals granted to the end user. The service
principal must match the hostname of the running service. Without the presence of a hostname in the
service principal, there is no security validation on the service side to determine whether the end user
is allowed or not. Hence, allowing a user principal to run as a service becomes a security hole.
This reasoning makes the implementation invalid. Thank you for trying.

> Allow User Keytab to submit YARN Native Service 
> ------------------------------------------------
>
>                 Key: YARN-9735
>                 URL: https://issues.apache.org/jira/browse/YARN-9735
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: yarn-native-services
>    Affects Versions: 3.2.0
>            Reporter: Prabhu Joseph
>            Assignee: Prabhu Joseph
>            Priority: Major
>
> YARN Native Service launch fails on a secure cluster with a user keytab. It allows only a
> service keytab. I have seen most users test their jobs with a user keytab.
> {code}
> [ambari-qa@pjosephdocker-3 ~]$ yarn app -launch sleeper-service /usr/hdp/3.0.1.0-187/hadoop-yarn/yarn-service-examples/sleeper/sleeper.json
> 19/08/03 17:17:04 ERROR client.ApiServiceClient: Kerberos principal (ambari-qa-pjosephdocker@DOCKER.COM) does not contain a hostname.
> {code}
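The check behind the error above, as an added illustration (not Hadoop's own code): a Kerberos principal is parsed into primary/instance@REALM and accepted as a service principal only when its instance component names the host the service actually runs on. The `expected_host` parameter and the `Principal` type are assumptions of this example.

```python
"""Validate that a Kerberos service principal carries a hostname instance.

Added example, not Hadoop code. A user principal such as
ambari-qa-pjosephdocker@DOCKER.COM has no instance component, so it cannot
be tied to a host and is rejected, matching the error shown in the issue.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    primary: str
    instance: Optional[str]
    realm: Optional[str]


def parse_principal(text: str) -> Principal:
    """Split 'primary/instance@REALM', honoring backslash escapes of '/' and '@'."""
    parts = [""]            # components before '@'
    realm = None            # becomes a str once '@' is seen
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):  # escaped char: keep it literally
            target = parts if realm is None else None
            if target is None:
                realm += text[i + 1]
            else:
                parts[-1] += text[i + 1]
            i += 2
            continue
        if realm is None and ch == "/":
            parts.append("")
        elif realm is None and ch == "@":
            realm = ""
        elif realm is not None:
            realm += ch
        else:
            parts[-1] += ch
        i += 1
    if not parts[0]:
        raise ValueError("principal has an empty primary component")
    if len(parts) > 2:
        raise ValueError("principal has more than one instance component")
    instance = parts[1] if len(parts) == 2 else None
    return Principal(parts[0], instance, realm)


def service_principal_host_ok(text: str, expected_host: str) -> bool:
    """True only if the principal names a host and it is the host we run on."""
    p = parse_principal(text)
    if not p.instance:
        return False  # user principal (no hostname): nothing for the service side to validate
    return p.instance.lower() == expected_host.lower()
```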