hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hadoop QA (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-1137) Add support whitelist for system users to Yarn container-executor.c
Date Fri, 06 Sep 2013 21:43:53 GMT

    [ https://issues.apache.org/jira/browse/YARN-1137?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13760668#comment-13760668

Hadoop QA commented on YARN-1137:

{color:red}-1 overall{color}.  Here are the results of testing the latest attachment 
  against trunk revision .

    {color:green}+1 @author{color}.  The patch does not contain any @author tags.

    {color:green}+1 tests included{color}.  The patch appears to include 1 new or modified
test files.

    {color:green}+1 javac{color}.  The applied patch does not increase the total number of
javac compiler warnings.

    {color:green}+1 javadoc{color}.  The javadoc tool did not generate any warning messages.

    {color:green}+1 eclipse:eclipse{color}.  The patch built with eclipse:eclipse.

    {color:green}+1 findbugs{color}.  The patch does not introduce any new Findbugs (version
1.3.9) warnings.

    {color:green}+1 release audit{color}.  The applied patch does not increase the total number
of release audit warnings.

    {color:red}-1 core tests{color}.  The patch failed these unit tests in hadoop-common-project/hadoop-common


    {color:green}+1 contrib tests{color}.  The patch passed contrib unit tests.

Test results: https://builds.apache.org/job/PreCommit-YARN-Build/1867//testReport/
Console output: https://builds.apache.org/job/PreCommit-YARN-Build/1867//console

This message is automatically generated.
> Add support whitelist for system users to Yarn container-executor.c
> -------------------------------------------------------------------
>                 Key: YARN-1137
>                 URL: https://issues.apache.org/jira/browse/YARN-1137
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: nodemanager
>    Affects Versions: 2.1.0-beta
>            Reporter: Alejandro Abdelnur
>            Assignee: Roman Shaposhnik
>         Attachments: YARN-1137.patch2.txt, YARN-1137.patch.txt
> Currently container-executor.c has a banned set of users (mapred, hdfs & bin) and
configurable min.user.id (defaulting to 1000).
> This presents a problem for systems that run as system users (below 1000) if these systems
want to start containers.
> Systems like Impala fit in this category. A (local) 'impala' system user is created when
installing Impala on the nodes. 
> Note that the same thing happens when installing system like HDFS, Yarn, Oozie, from
packages (Bigtop); local system users are created.
> For Impala to be able to run containers in a secure cluster, the 'impala' system user
must whitelisted. 
> For this, adding a configuration 'allowed.system.users' option in the container-executor.cfg
and the logic in container-executor.c would allow the usernames in that list.
> Because system users are not guaranteed to have the same UID in different machines, the
'allowed.system.users' property should use usernames and not UIDs.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

View raw message