hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Roman Shaposhnik (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (YARN-1137) Add support whitelist for system users to Yarn container-executor.c
Date Wed, 04 Sep 2013 05:12:54 GMT

     [ https://issues.apache.org/jira/browse/YARN-1137?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Roman Shaposhnik updated YARN-1137:
-----------------------------------

    Attachment: YARN-1137.patch.txt
    
> Add support whitelist for system users to Yarn container-executor.c
> -------------------------------------------------------------------
>
>                 Key: YARN-1137
>                 URL: https://issues.apache.org/jira/browse/YARN-1137
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: nodemanager
>    Affects Versions: 2.1.0-beta
>            Reporter: Alejandro Abdelnur
>            Assignee: Roman Shaposhnik
>         Attachments: YARN-1137.patch.txt
>
>
> Currently container-executor.c has a banned set of users (mapred, hdfs & bin) and
configurable min.user.id (defaulting to 1000).
> This presents a problem for systems that run as system users (below 1000) if these systems
want to start containers.
> Systems like Impala fit in this category. A (local) 'impala' system user is created when
installing Impala on the nodes. 
> Note that the same thing happens when installing system like HDFS, Yarn, Oozie, from
packages (Bigtop); local system users are created.
> For Impala to be able to run containers in a secure cluster, the 'impala' system user
must whitelisted. 
> For this, adding a configuration 'allowed.system.users' option in the container-executor.cfg
and the logic in container-executor.c would allow the usernames in that list.
> Because system users are not guaranteed to have the same UID in different machines, the
'allowed.system.users' property should use usernames and not UIDs.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message