hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alejandro Abdelnur (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-1137) Add support whitelist for system users to Yarn container-executor.c
Date Thu, 05 Sep 2013 14:43:57 GMT

    [ https://issues.apache.org/jira/browse/YARN-1137?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13759125#comment-13759125
] 

Alejandro Abdelnur commented on YARN-1137:
------------------------------------------

[~owen.omalley], our initial thought was lowering the min.user.id to the FIRST_SYSTEM_UID
of the /etc/adduser.conf. The problem with approach is:

* FIRST_SYSTEM_UID is configurable. This complicates things when installing/configuring Hadoop.
Also it could be changed after Hadoop installation/configuration, leaving things out of sync.
* Explicitly banning users is not practical because new system users can be added after Hadoop
has been installed/configured. This is highly error prone.

                
> Add support whitelist for system users to Yarn container-executor.c
> -------------------------------------------------------------------
>
>                 Key: YARN-1137
>                 URL: https://issues.apache.org/jira/browse/YARN-1137
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: nodemanager
>    Affects Versions: 2.1.0-beta
>            Reporter: Alejandro Abdelnur
>            Assignee: Roman Shaposhnik
>         Attachments: YARN-1137.patch.txt
>
>
> Currently container-executor.c has a banned set of users (mapred, hdfs & bin) and
configurable min.user.id (defaulting to 1000).
> This presents a problem for systems that run as system users (below 1000) if these systems
want to start containers.
> Systems like Impala fit in this category. A (local) 'impala' system user is created when
installing Impala on the nodes. 
> Note that the same thing happens when installing system like HDFS, Yarn, Oozie, from
packages (Bigtop); local system users are created.
> For Impala to be able to run containers in a secure cluster, the 'impala' system user
must whitelisted. 
> For this, adding a configuration 'allowed.system.users' option in the container-executor.cfg
and the logic in container-executor.c would allow the usernames in that list.
> Because system users are not guaranteed to have the same UID in different machines, the
'allowed.system.users' property should use usernames and not UIDs.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message