This document describes how security is implemented in the service registry
In a non-Kerberos-enabled Hadoop cluster, the Registry does not offer any security at all: the registry is world writeable.
This document is therefore relevant only to secure clusters.
The security model of the registry is designed to meet the following goals a secure registry: 1. Deliver functional security on a secure ZK installation. 1. Allow the RM to create per-user regions of the registration space 1. Allow applications belonging to a user to write registry entries into their part of the space. These may be short-lived or long-lived YARN applications, or they may be be static applications. 1. Prevent other users from writing into another user’s part of the registry. 1. Allow system services to register to a /services
section of the registry. 1. Provide read access to clients of a registry. 1. Permit future support of DNS 1. Permit the future support of registering data private to a user. This allows a service to publish binding credentials (keys &c) for clients to use. 1. Not require a ZK keytab on every user’s home directory in a YARN cluster. This implies that kerberos credentials cannot be used by YARN applications.
ZK security uses an ACL model, documented in Zookeeper and SASL In which different authentication schemes may be used to restrict access to different znodes. This permits the registry to use a mixed Kerberos + Private password model.
RMRegistryOperationsService
), uses kerberos as the authentication mechanism for YARN itself.(username,password)
keypair granted write access to their part of the tree.What are the limitations of such a scheme?
The registry manager cannot rely on clients consistently setting ZK permissions. At the very least, they cannot relay on client applications unintentionally wrong values for the accounts of the system services
Solution: Initially, a registry permission is used here.
In a kerberos domain, it is possible for a kerberized client to determine the realm of a cluster at run time from the local user’s kerberos credentials as used to talk to YARN or HDFS.
This can be used to auto-generate account names with the correct realm for the system accounts hence aid having valid constants.
This allows the registry to support a default configuration value for hadoop.registry.system.accounts
of:
"sasl:yarn@, sasl:mapred@, sasl:hdfs@, sasl:hadoop@";
Another strategy could be to have a ServiceRecord
at the root of the registry that actually defines the registry —including listing those default binding values in the data
field..
Something (perhaps the RM) could scan a user’s portion of the registry and detect some ACL problems: IP/world access too lax, admin account settings wrong. It cannot view or fix the ACL permissions unless it has the ADMIN
permission, though that situation can at least be detected. Given the RM must have DELETE
permissions further up the stack, it would be in a position to delete the errant part of the tree —though this could be a destructive overreaction.