hadoop-yarn-issues mailing list archives

From "Siddharth Seth (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-88) DefaultContainerExecutor can fail to set proper permissions
Date Wed, 19 Sep 2012 20:45:08 GMT

    [ https://issues.apache.org/jira/browse/YARN-88?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13459073#comment-13459073 ]

Siddharth Seth commented on YARN-88:

bq. It does make me wonder why we are explicitly granting group directory execute access to
the appId directory. What does the nodemanager user need to access in there? Should we instead
be locking down the usercache/${user}/appcache/${appId} to 700? If so, then we're OK using
default permissions on the container and temp directories since the parent directory is locked
down. If it is necessary for the appId directory to be 710, then it seems like the containerId
should also be 710 and the temp directory should be 700.

Good point, 700 does seem to be adequate. Can't think of where the NM may need group access.
Needs some looking into.
For now, will look at and commit the new patch.

> DefaultContainerExecutor can fail to set proper permissions
> -----------------------------------------------------------
>                 Key: YARN-88
>                 URL: https://issues.apache.org/jira/browse/YARN-88
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: nodemanager
>    Affects Versions: 0.23.3, 2.0.0-alpha
>            Reporter: Jason Lowe
>            Assignee: Jason Lowe
>         Attachments: YARN-88.patch, YARN-88.patch
>
> {{DefaultContainerExecutor}} can fail to set the proper permissions on its local directories
> if the cluster has been configured with a restrictive umask, e.g.: fs.permissions.umask-mode=0077.
> The configured umask ends up defeating the permissions requested by {{DefaultContainerExecutor}}
> when it creates directories.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
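
Added illustration, not part of the original message and not Hadoop's code or the YARN-88 patch: the issue description above, reproduced with plain POSIX calls in Python. A mode passed at directory creation is filtered by the process umask, while an explicit chmod afterwards is not. The user name, application id and container id are constructed; the modes are the ones discussed in the comment.

```python
import os
import stat
import tempfile
from contextlib import contextmanager

# Constructed layout mirroring usercache/${user}/appcache/${appId} from the
# thread; modes are the ones discussed (710 appId/containerId, 700 tmp).
LAYOUT = [
    ("usercache/alice/appcache/app_0001", 0o710),
    ("usercache/alice/appcache/app_0001/container_01", 0o710),
    ("usercache/alice/appcache/app_0001/container_01/tmp", 0o700),
]

@contextmanager
def process_umask(mask):
    """Temporarily set the process umask, restoring the old one on exit."""
    old = os.umask(mask)
    try:
        yield
    finally:
        os.umask(old)

def mode_of(path):
    """Return only the permission bits of a path."""
    return stat.S_IMODE(os.stat(path).st_mode)

def mkdir_requested_only(path, mode):
    """Pass the mode to mkdir(2); the kernel applies mode & ~umask."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    os.mkdir(path, mode)

def mkdir_then_chmod(path, mode):
    """Create the directory, then set the mode explicitly; chmod ignores umask."""
    mkdir_requested_only(path, mode)
    os.chmod(path, mode)

def build(create, mask):
    """Create LAYOUT under a temp root with the given umask; return resulting modes."""
    with tempfile.TemporaryDirectory() as root, process_umask(mask):
        result = {}
        for rel, mode in LAYOUT:
            path = os.path.join(root, rel)
            create(path, mode)
            result[rel] = mode_of(path)
        return result

if __name__ == "__main__":
    for name, fn in (("mkdir only", mkdir_requested_only), ("mkdir + chmod", mkdir_then_chmod)):
        for rel, got in build(fn, 0o077).items():
            print(f"{name:14} {rel:52} {got:04o}")
```

With umask 0077 the requested group execute bit on the appId and containerId directories is silently dropped unless the mode is set again after creation.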
