hadoop-yarn-issues mailing list archives

From "Alejandro Abdelnur (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-1137) Add support whitelist for system users to Yarn container-executor.c
Date Thu, 05 Sep 2013 14:43:57 GMT

    [ https://issues.apache.org/jira/browse/YARN-1137?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13759125#comment-13759125 ]

Alejandro Abdelnur commented on YARN-1137:

[~owen.omalley], our initial thought was lowering the min.user.id to the FIRST_SYSTEM_UID
of the /etc/adduser.conf. The problem with this approach is:

* FIRST_SYSTEM_UID is configurable. This complicates things when installing/configuring Hadoop.
Also it could be changed after Hadoop installation/configuration, leaving things out of sync.
* Explicitly banning users is not practical because new system users can be added after Hadoop
has been installed/configured. This is highly error prone.

> Add support whitelist for system users to Yarn container-executor.c
> -------------------------------------------------------------------
>                 Key: YARN-1137
>                 URL: https://issues.apache.org/jira/browse/YARN-1137
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: nodemanager
>    Affects Versions: 2.1.0-beta
>            Reporter: Alejandro Abdelnur
>            Assignee: Roman Shaposhnik
>         Attachments: YARN-1137.patch.txt
> Currently container-executor.c has a banned set of users (mapred, hdfs & bin) and a configurable min.user.id (defaulting to 1000).
> This presents a problem for systems that run as system users (below 1000) if these systems want to start containers.
> Systems like Impala fit in this category. A (local) 'impala' system user is created when installing Impala on the nodes.
> Note that the same thing happens when installing systems like HDFS, Yarn, Oozie, from packages (Bigtop); local system users are created.
> For Impala to be able to run containers in a secure cluster, the 'impala' system user must be whitelisted.
> For this, adding a configuration 'allowed.system.users' option in the container-executor.cfg and the logic in container-executor.c would allow the usernames in that list.
> Because system users are not guaranteed to have the same UID in different machines, the 'allowed.system.users' property should use usernames and not UIDs.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
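
The check proposed in the issue, sketched as an added example (not the attached patch and not code from container-executor.c). The names may_run_containers and in_user_list are hypothetical, the UIDs in main are constructed, and it is an assumption here that the banned list overrides the whitelist.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Values named in the issue: banned users and the default min.user.id. */
static const char *BANNED_USERS = "mapred,hdfs,bin";
static const unsigned MIN_USER_ID = 1000;

/* True if name is an exact, whole-token member of a comma-separated list.
 * Spaces around tokens are ignored; prefix matches do not count. */
static bool in_user_list(const char *list, const char *name) {
    size_t nlen = strlen(name);
    if (list == NULL || nlen == 0) return false;
    const char *p = list;
    while (*p != '\0') {
        while (*p == ' ' || *p == ',') p++;           /* skip separators */
        const char *start = p;
        while (*p != '\0' && *p != ',') p++;          /* find end of token */
        const char *end = p;
        while (end > start && end[-1] == ' ') end--;  /* trim trailing spaces */
        if ((size_t)(end - start) == nlen && strncmp(start, name, nlen) == 0)
            return true;
    }
    return false;
}

/* Decide whether containers may be launched as (name, uid).
 * allowed_system_users is the value of the proposed 'allowed.system.users'
 * option. Assumption: a banned user stays banned even if whitelisted. */
bool may_run_containers(const char *name, unsigned uid,
                        const char *allowed_system_users) {
    if (name == NULL) return false;
    if (in_user_list(BANNED_USERS, name)) return false;
    if (uid >= MIN_USER_ID) return true;              /* regular user */
    return in_user_list(allowed_system_users, name);  /* system user: by name */
}

int main(void) {
    const char *allowed = "impala";  /* constructed config value */
    /* The same username is accepted whatever UID the node assigned to it. */
    printf("impala/496 -> %d\n", may_run_containers("impala", 496, allowed));
    printf("impala/105 -> %d\n", may_run_containers("impala", 105, allowed));
    printf("daemon/1   -> %d\n", may_run_containers("daemon", 1, allowed));
    return 0;
}
```

Matching whole tokens matters here: a substring or prefix comparison would let a system account named 'impala2' through on the strength of the 'impala' entry.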
