Child pages
  • Secure MapReduce 2 (YARN)
Skip to end of metadata
Go to start of metadata

(warning) Work in Progress (warning)

Overview

The sequence diagrams below (after the very long Legend) are intended to be a fairly detailed description of the interactions that occur during the process of defining, submitting and executing a map reduce job on a secure Hadoop 2.x cluster. Different phases of the overall process are covered in each diagram. The are intended to be taken as one continuous flow with the exception of the last diagram which illustrates parallel steps that would occur during the flow.

  1. Bootstrap
  2. Job Definition
  3. Job Submission
  4. Job Initiation
  5. Map Task Execution
  6. Reduce Task Execution
  7. Job Completion
  8. Client Monitoring

Legend

The descriptions of the interactions in the sequence diagrams below take this form.

message [Protocol] ( input ) : output

The [Protocol] portion describes the protocol, authentication mechanism and identities exchanged.

Abbreviation

Description

[KRB]

Kerberos Protocol

[RSKT:{kerberos-service-ticket}]

RPC protocol with SASL mutual authentication using Kerberos tickets.

[RSAT:{access-token}]

RPC protocol with SASL client authentication using access tokens (e.g. YARN Node Manager Token).

[RSDT:{delegation-token}]

RPC protocol with SASL client authentication using delegation tokens (e.g. HDFS Name Node Delegation Token).

[STP]

Shuffle data transfer protocol between ShuffleService and ReduceTask. HTTP protocol with TODO.

[DTP]

Block data transfer protocol between the DataNode and a client. HTTP protocol with block tokens plus SHA1 hash exchange.

Suffixes are used in many cases to denote type.

Abbreviation

Description

tgt

Kerberos Ticket Granting Ticket

kst

Kerberos Service Ticket: u-jt-kt = A Kerberos Ticket for User u to access the JobTracker jt

kp

Kerberos Principal: nn-kp = The Kerberos principal for the NameNode nn

dt

Delegation Token: c-nn-dt = A delegation token for identity of the Client that can be presented to the NameNode.

tkn

Access Token: am-tkn = An access token that can be presented to the ApplicationMaster for access.

tkn-sk

Access Token Secret Key

id

Identifier: job-id = Job Identifier

Kerberos principals use the principal abbreviation and the kp suffix.

Abbreviation

Description

nn-kp

NameNode's Kerberos Principal

dn-kp

DataNode's Kerberos Principal (Unique principal for each DataNode on every node)

jt-kp

JobTracker's Kerberos Principal

tt-kp

TaskTracker's Kerberos Principal (Unique principal for each TaskTracker on every node)

Kerberos tickets use the consumer principal abbreviation, provider principal abbreviation and kt suffix.

Abbreviation

Description

u-nn-kt

Kerberos service ticket for User u to access NameNode nn

u-jt-kt

Kerberos service ticket for User u to access JobTracker jt

dn-nn-kt

Kerberos service ticket for DataNode dn to access NameNode nn

jt-nn-kt

Kerberos service ticket for JobTracker dn to access NameNode nn

tt-jt-kt

Kerberos service ticket for TaskTracker tt to access JobTracker jt


Bootstrap

This diagram illustrates the interactions that occur when a Hadoop system is starting up and stabilizing. It involves various master components generating secret keys and slave components registering with the masters to receive these secret keys.

  1. createBlockAccessTokenSecretKey -
  2. kinit/AS_REQ -
  3. TGS_REQ -
  4. register/heartbeat -
  5. createNodeManagerTokenSecretKey -
  6. createAppContainerTokenSecretKey -
  7. kinit/AS_REQ -
  8. TGS_REQ -
  9. register/heartbeat -

Job Definition

This diagram illustrates the steps taken by a client to define a MapReduce job that will later be submitted.

  1. TODO
  2. TODO
  3. TODO

Job Submission

This diagram illustrates the steps taken during the submission of a MapReduce job.

  1. TODO
  2. TODO
  3. TODO

Job Initiation

This diagram illustrates the steps taken when a MapReduce job is scheduled for execution.

  1. TODO
  2. TODO
  3. TODO

Map Task Execution

This diagram illustrates the steps taken when the Map portion of a MapReduce job is executed.

  1. TODO
  2. TODO
  3. TODO

Reduce Task Execution

This diagram illustrates the steps taken when the Reduce portion of a MapReduce job is executed.

  1. TODO
  2. TODO
  3. TODO

Job Completion

This diagram illustrates the steps taken a MapReduce job has completed.

  1. TODO
  2. TODO
  3. TODO

Client Monitoring

This diagram illustrates the steps taken by a Client to monitor the status of a Job throughout the Job's life-cycle. The timeframe for this diagram span several of the diagrams above starting from Job Submission all the way through Job Completion.

  1. TODO
  2. TODO
  3. TODO

NodeManager Token Flow

This diagram illustrates the flow of NodeManager Tokens throughout a MapReduce Job's life-cycle.

  1. TODO
  2. TODO
  3. TODO
  • No labels