hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alejandro Abdelnur (JIRA)" <j...@apache.org>
Subject [jira] [Created] (YARN-1137) Add support whitelist for system users to Yarn container-executor.c
Date Tue, 03 Sep 2013 21:13:51 GMT
Alejandro Abdelnur created YARN-1137:

             Summary: Add support whitelist for system users to Yarn container-executor.c
                 Key: YARN-1137
                 URL: https://issues.apache.org/jira/browse/YARN-1137
             Project: Hadoop YARN
          Issue Type: Improvement
          Components: nodemanager
    Affects Versions: 2.1.0-beta
            Reporter: Alejandro Abdelnur
            Assignee: Roman Shaposhnik

Currently container-executor.c has a banned set of users (mapred, hdfs & bin) and configurable
min.user.id (defaulting to 1000).

This presents a problem for systems that run as system users (below 1000) if these systems
want to start containers.

Systems like Impala fit in this category. A (local) 'impala' system user is created when installing
Impala on the nodes. 

Note that the same thing happens when installing system like HDFS, Yarn, Oozie, from packages
(Bigtop); local system users are created.

For Impala to be able to run containers in a secure cluster, the 'impala' system user must

For this, adding a configuration 'allowed.system.users' option in the container-executor.cfg
and the logic in container-executor.c would allow the usernames in that list.

Because system users are not guaranteed to have the same UID in different machines, the 'allowed.system.users'
property should use usernames and not UIDs.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

View raw message