[ https://issues.apache.org/jira/browse/YARN-1137?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Roman Shaposhnik updated YARN-1137:
-----------------------------------
Attachment: YARN-1137.patch.txt
> Add support whitelist for system users to Yarn container-executor.c
> -------------------------------------------------------------------
>
> Key: YARN-1137
> URL: https://issues.apache.org/jira/browse/YARN-1137
> Project: Hadoop YARN
> Issue Type: Improvement
> Components: nodemanager
> Affects Versions: 2.1.0-beta
> Reporter: Alejandro Abdelnur
> Assignee: Roman Shaposhnik
> Attachments: YARN-1137.patch.txt
>
>
> Currently container-executor.c has a banned set of users (mapred, hdfs & bin) and
configurable min.user.id (defaulting to 1000).
> This presents a problem for systems that run as system users (below 1000) if these systems
want to start containers.
> Systems like Impala fit in this category. A (local) 'impala' system user is created when
installing Impala on the nodes.
> Note that the same thing happens when installing system like HDFS, Yarn, Oozie, from
packages (Bigtop); local system users are created.
> For Impala to be able to run containers in a secure cluster, the 'impala' system user
must whitelisted.
> For this, adding a configuration 'allowed.system.users' option in the container-executor.cfg
and the logic in container-executor.c would allow the usernames in that list.
> Because system users are not guaranteed to have the same UID in different machines, the
'allowed.system.users' property should use usernames and not UIDs.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
|