more on UGI; Add TODO markers

steveloughran · steveloughran · commit dea80a5e88ff · 2015-08-31T13:06:48.000+01:00
diff --git a/sections/hdfs.md b/sections/hdfs.md
@@ -31,6 +31,8 @@ code.
 
 ## HDFS Namenode
 
+### TODO
+
 1. Namenode reads in a keytab and initializes itself from there (i.e. no need to `kinit`; ticket
 renewal handed by `UGI`).
 1. In a secure cluster, Web HDFS requires SPNEGO
@@ -41,8 +43,11 @@ to access the HDFS browser. This is a point of contention: its implicit from the
  as "dr who". 
 
 
+
 ## Datanodes
 
+### TODO
+
 ## HDFS Client interaction
 
 1. Client asks NN for access to a path, identifying via KST or DT.
diff --git a/sections/ugi.md b/sections/ugi.md
@@ -14,29 +14,32 @@
   
 # UGI
 
+> From the pictures I turned to the bulky, closely written letter itself; and for the next three hours was immersed in a gulf of unutterable horror. Where Akeley had given only outlines before, he now entered into minute details; presenting long transcripts of words overheard in the woods at night, long accounts of monstrous pinkish forms spied in thickets at twilight on the hills, and a terrible cosmic narrative derived from the application of profound and varied scholarship to the endless bygone discourses of the mad self-styled spy who had killed himself.
+
+> HP Lovecraft [The Whisperer in Darkness](http://www.hplovecraft.com/writings/texts/fiction/wid.aspx), 1931
 
 If there is one class guaranteed to strike fear into anyone with experience in Hadoop+Kerberos code it is `UserGroupInformation`, abbreviated to "UGI"
 
+Nobody says `UserGroupInformation` out loud; it is the *him which must not be named* of the stack
 
 ## What does UGI do?
 
 Here sre some of the things it can do
 
 1. Handles the initial login process, using any environmental `kinit`-ed tokens or a keytab.
 1. Spawn off a thread to renew the TGT
-1. Provides an operation for-on demand verification/re-init of kerberos tickets details before issuing a request.
-
-
+1. Support an operation for-on demand verification/re-init of kerberos tickets details before issuing a request.
+1. Appear in stack traces which warn the viewer of security related trouble.
 
 
-## UGI strengths
+## UGI Strengths
 
 * It's one place for almost all Kerberos/User authentication to live.
 * Being fairly widely used, once you've learned it, your knowledge works through
 the entire Hadoop stack.
  
 
-## UGI troublespots
+## UGI Troublespots
 
 * It's a singleton. Don't expect to have one "real user" per process. 
 This does sort of makes sense. Even a single service has its "service" identity; as the 
diff --git a/sections/yarn.md b/sections/yarn.md
@@ -19,7 +19,14 @@ YARN applications are somewhere where Hadoop authentication becomes some of its
 Anyone writing a YARN application will encounter Hadoop security, and will end up spending
 time debugging the problems. This is "the price of security".
 
-# Securing REST APIs
+## YARN Service security
+
+### TODO
+
+## Securing YARN Application REST APIs
+
+
+### TODO
 
 ## Strategies for token renewal on YARN services
 
