hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alejandro Abdelnur (JIRA)" <j...@apache.org>
Subject [jira] [Created] (YARN-1253) Changes to LinuxContainerExecutor to use cgroups in unsecure mode
Date Mon, 30 Sep 2013 17:41:25 GMT
Alejandro Abdelnur created YARN-1253:
----------------------------------------

             Summary: Changes to LinuxContainerExecutor to use cgroups in unsecure mode
                 Key: YARN-1253
                 URL: https://issues.apache.org/jira/browse/YARN-1253
             Project: Hadoop YARN
          Issue Type: Bug
          Components: nodemanager
    Affects Versions: 2.1.0-beta
            Reporter: Alejandro Abdelnur
            Assignee: Roman Shaposhnik
            Priority: Blocker
             Fix For: 2.1.1-beta


When using cgroups we require LCE to be configured in the cluster to start containers. 

When LCE starts containers as the user that submitted the job. While this works correctly
in a secure setup, in an un-secure setup this presents a couple issues:

* LCE requires all Hadoop users submitting jobs to be Unix users in all nodes
* Because users can impersonate other users, any user would have access to any local file
of other users

Particularly, the second issue is not desirable as a user could get access to ssh keys of
other users in the nodes or if there are NFS mounts, get to other users data outside of the
cluster.



--
This message was sent by Atlassian JIRA
(v6.1#6144)

Mime
View raw message