hadoop-yarn-issues mailing list archives

From "Roman Shaposhnik (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-1137) Add support whitelist for system users to Yarn container-executor.c
Date Wed, 04 Sep 2013 19:10:53 GMT

    [ https://issues.apache.org/jira/browse/YARN-1137?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13758204#comment-13758204 ]

Roman Shaposhnik commented on YARN-1137:
----------------------------------------

[~acmurthy] all containers will still go through YARN; there are no side channels here --
simply a configuration knob that allows designated services to run regular YARN containers
under their own names. Currently the user names that correspond to the 'system' users are
all blacklisted at once (the cutoff point being the value of min.user.id). What the patch
does is allow a more selective approach to what 'system' users are allowed to do.
                
> Add support whitelist for system users to Yarn container-executor.c
> -------------------------------------------------------------------
>
>                 Key: YARN-1137
>                 URL: https://issues.apache.org/jira/browse/YARN-1137
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: nodemanager
>    Affects Versions: 2.1.0-beta
>            Reporter: Alejandro Abdelnur
>            Assignee: Roman Shaposhnik
>         Attachments: YARN-1137.patch.txt
>
>
> Currently container-executor.c has a banned set of users (mapred, hdfs & bin) and a configurable min.user.id (defaulting to 1000).
> This presents a problem for systems that run as system users (below 1000) if these systems want to start containers.
> Systems like Impala fit in this category. A (local) 'impala' system user is created when installing Impala on the nodes.
> Note that the same thing happens when installing systems like HDFS, Yarn, Oozie, from packages (Bigtop); local system users are created.
> For Impala to be able to run containers in a secure cluster, the 'impala' system user must be whitelisted.
> For this, adding a configuration 'allowed.system.users' option in the container-executor.cfg and the logic in container-executor.c would allow the usernames in that list.
> Because system users are not guaranteed to have the same UID in different machines, the 'allowed.system.users' property should use usernames and not UIDs.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
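
The user check discussed in this issue, sketched as an added example; it is not code from YARN-1137.patch.txt or from container-executor.c. The struct, the function names, the sample UIDs, and the rule that root and banned names are refused even when whitelisted are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical policy struct; the last two fields mirror the cfg keys named in the issue. */
struct policy {
    const char *banned_users;          /* comma-separated usernames */
    const char *allowed_system_users;  /* comma-separated usernames, not UIDs */
    uid_t min_user_id;
};

enum verdict { ALLOW = 0, DENY_ROOT, DENY_BANNED, DENY_BELOW_MIN_UID };

/* Exact-token match in a comma-separated list: "imp" must not match "impala".
 * No whitespace trimming is done; entries are compared byte for byte. */
static bool in_list(const char *list, const char *name) {
    size_t n = strlen(name);
    if (list == NULL || n == 0) return false;
    while (*list) {
        size_t len = strcspn(list, ",");
        if (len == n && strncmp(list, name, n) == 0) return true;
        list += len;
        if (*list == ',') list++;
    }
    return false;
}

/* Assumed order: root and banned names lose even if they are also whitelisted;
 * the whitelist only lifts the min.user.id cutoff for the names it lists. */
enum verdict check_user_policy(const struct policy *p, const char *user, uid_t uid) {
    if (uid == 0) return DENY_ROOT;
    if (in_list(p->banned_users, user)) return DENY_BANNED;
    if (uid < p->min_user_id && !in_list(p->allowed_system_users, user))
        return DENY_BELOW_MIN_UID;
    return ALLOW;
}

/* Constructed sample policy; "hdfs" is whitelisted on purpose to show the ban winning. */
static const struct policy SAMPLE = { "mapred,hdfs,bin", "impala,hdfs", 1000 };

int main(void) {
    /* UIDs below are made up; on a real node they come from the passwd database. */
    printf("impala (uid 493):  %d\n", check_user_policy(&SAMPLE, "impala", 493));
    printf("daemon (uid 2):    %d\n", check_user_policy(&SAMPLE, "daemon", 2));
    printf("hdfs   (uid 496):  %d\n", check_user_policy(&SAMPLE, "hdfs", 496));
    printf("alice  (uid 1001): %d\n", check_user_policy(&SAMPLE, "alice", 1001));
    return 0;
}
```

Matching on the username keeps the decision stable across nodes where the same system account was assigned different UIDs, which is the reason the issue gives for listing names rather than UIDs.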
