From: Tomasz Fruboes
Date: Thu, 25 Jun 2015 11:30:14 +0200
To: user@hadoop.apache.org
Subject: YARN and LinuxContainerExecutor in simple security mode

Dear Experts,

I'm running a small YARN cluster configured to use simple security, LinuxContainerExecutor and yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users=false in order to get the correct uid when executing jobs. This is needed to access files from a network-exported filesystem.

I was wondering - does this pose any security risk (since nonsecure-mode.limit is set to true by default in the simple security mode)? I.e. is there a known way for a user to get the uid of a different user with such a configuration?

Cheers,
Tomasz