From rchi...@apache.org
Subject hadoop git commit: YARN-5549. AMLauncher#createAMContainerLaunchContext() should not log the command to be launched indiscriminately. (Daniel Templeton via rchiang)
Date Fri, 02 Sep 2016 22:03:47 GMT
Repository: hadoop
Updated Branches:
  refs/heads/branch-2.8 9b7e079d4 -> 02272a6a7


YARN-5549. AMLauncher#createAMContainerLaunchContext() should not log the command to be launched
indiscriminately. (Daniel Templeton via rchiang)

(cherry picked from commit 4ee1729cb04e72f3015666d750ad1e54257345d2)


Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/02272a6a
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/02272a6a
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/02272a6a

Branch: refs/heads/branch-2.8
Commit: 02272a6a77ce958cab54242933cdc67ff22d2ca7
Parents: 9b7e079
Author: Ray Chiang <rchiang@apache.org>
Authored: Fri Sep 2 14:57:05 2016 -0700
Committer: Ray Chiang <rchiang@apache.org>
Committed: Fri Sep 2 15:00:24 2016 -0700

----------------------------------------------------------------------
 .../hadoop/yarn/conf/YarnConfiguration.java     | 12 +++++++++
 .../src/main/resources/yarn-default.xml         | 13 +++++++++
 .../resourcemanager/amlauncher/AMLauncher.java  | 28 +++++++++++++++-----
 3 files changed, 47 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hadoop/blob/02272a6a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
----------------------------------------------------------------------
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
index 5ce171c..96c4f6f 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
@@ -403,6 +403,18 @@ public class YarnConfiguration extends Configuration {
   public static final int DEFAULT_RM_SYSTEM_METRICS_PUBLISHER_DISPATCHER_POOL_SIZE =
       10;
 
+  /**
+   * The {@code AMLauncher.createAMContainerLaunchContext()} method will log the
+   * command being executed to the RM log if this property is true. Commands
+   * may contain sensitive information, such as application or service
+   * passwords, making logging the commands a security risk. In cases where
+   * the cluster may be running applications with such commands, this property
+   * should be set to false. Commands are only logged at the debug level.
+   */
+  public static final String RM_AMLAUNCHER_LOG_COMMAND =
+      RM_PREFIX + "amlauncher.log.command";
+  public static final boolean DEFAULT_RM_AMLAUNCHER_LOG_COMMAND = false;
+
   //RM delegation token related keys
   public static final String RM_DELEGATION_KEY_UPDATE_INTERVAL_KEY =
     RM_PREFIX + "delegation.key.update-interval";

http://git-wip-us.apache.org/repos/asf/hadoop/blob/02272a6a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml
----------------------------------------------------------------------
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml
b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml
index 788b0fd..512db81 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml
@@ -299,6 +299,19 @@
   </property>
 
   <property>
+    <description>
+      The resource manager will log all commands being executed to the RM log
+      if this property is true. Commands may contain sensitive information,
+      such as application or service passwords, making logging the commands a
+      security risk. In cases where the cluster may be running applications with
+      such commands this property should be set to false. Commands are only
+      logged at the debug level.
+    </description>
+    <name>yarn.resourcemanager.amlauncher.log.command</name>
+    <value>false</value>
+  </property>
+
+  <property>
     <description>The class to use as the resource scheduler.</description>
     <name>yarn.resourcemanager.scheduler.class</name>
     <value>org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.CapacityScheduler</value>
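Review bot: The description added for `yarn.resourcemanager.amlauncher.log.command` says the resource manager "will log all commands being executed", which is broader than what the rest of the commit shows. The Javadoc in YarnConfiguration and the AMLauncher hunk scope the switch to the single debug message in `AMLauncher.createAMContainerLaunchContext()`. An operator reading this could assume that `false` suppresses every place a command line might reach the RM log. I would narrow the wording to something like `The resource manager will log the ApplicationMaster container launch command to the RM log at debug level if this property is true.` and add that, when enabled, the RM log can contain credentials and should be access-restricted accordingly.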

http://git-wip-us.apache.org/repos/asf/hadoop/blob/02272a6a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/amlauncher/AMLauncher.java
----------------------------------------------------------------------
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/amlauncher/AMLauncher.java
b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/amlauncher/AMLauncher.java
index 4c840e7..e7105f9 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/amlauncher/AMLauncher.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/amlauncher/AMLauncher.java
@@ -64,6 +64,7 @@ import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptI
 import org.apache.hadoop.yarn.util.ConverterUtils;
 
 import com.google.common.annotations.VisibleForTesting;
+import com.google.common.base.Joiner;
 
 /**
  * The launch of the AM itself.
@@ -79,7 +80,8 @@ public class AMLauncher implements Runnable {
   private final AMLauncherEventType eventType;
   private final RMContext rmContext;
   private final Container masterContainer;
-  
+  private final boolean logCommandLine;
+
   @SuppressWarnings("rawtypes")
   private final EventHandler handler;
   
@@ -91,6 +93,9 @@ public class AMLauncher implements Runnable {
     this.rmContext = rmContext;
     this.handler = rmContext.getDispatcher().getEventHandler();
     this.masterContainer = application.getMasterContainer();
+    this.logCommandLine =
+        conf.getBoolean(YarnConfiguration.RM_AMLAUNCHER_LOG_COMMAND,
+          YarnConfiguration.DEFAULT_RM_AMLAUNCHER_LOG_COMMAND);
   }
   
   private void connect() throws IOException {
@@ -186,11 +191,22 @@ public class AMLauncher implements Runnable {
     // Construct the actual Container
     ContainerLaunchContext container = 
         applicationMasterContext.getAMContainerSpec();
-    LOG.info("Command to launch container "
-        + containerID
-        + " : "
-        + StringUtils.arrayToString(container.getCommands().toArray(
-            new String[0])));
+
+    if (LOG.isDebugEnabled()) {
+      StringBuilder message = new StringBuilder("Command to launch container ");
+
+      message.append(containerID).append(" : ");
+
+      if (logCommandLine) {
+        message.append(Joiner.on(",").join(container.getCommands()));
+      } else {
+        message.append("<REDACTED> -- Set ");
+        message.append(YarnConfiguration.RM_AMLAUNCHER_LOG_COMMAND);
+        message.append(" to true to reenable command logging");
+      }
+
+      LOG.debug(message.toString());
+    }
 
     // Populate the current queue name in the environment variable.
     setupQueueNameEnv(container, applicationMasterContext);
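Review bot: In the `logCommandLine` branch, Guava's `Joiner` rejects null elements by default, so `Joiner.on(",").join(container.getCommands())` would throw a NullPointerException if the command list ever held a null entry. That would make a debug-only logging path fail in the middle of building the AM launch context; whether the list can contain nulls is not visible in this hunk. A tolerant form costs nothing: `message.append(Joiner.on(",").useForNull("null").join(container.getCommands()));`. A short comment above the `if (logCommandLine)` branch would also help, stating that the command strings come from the application submission and may carry secrets. The enclosing method starts and ends outside the hunk.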

