hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Roman Shaposhnik (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (YARN-1253) Changes to LinuxContainerExecutor to run containers as a single dedicated user in non-secure mode
Date Tue, 01 Oct 2013 19:47:26 GMT

     [ https://issues.apache.org/jira/browse/YARN-1253?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Roman Shaposhnik updated YARN-1253:
-----------------------------------

    Attachment: YARN-1253.patch.txt

> Changes to LinuxContainerExecutor to run containers as a single dedicated user in non-secure
mode
> -------------------------------------------------------------------------------------------------
>
>                 Key: YARN-1253
>                 URL: https://issues.apache.org/jira/browse/YARN-1253
>             Project: Hadoop YARN
>          Issue Type: New Feature
>          Components: nodemanager
>    Affects Versions: 2.1.0-beta
>            Reporter: Alejandro Abdelnur
>            Assignee: Roman Shaposhnik
>            Priority: Blocker
>         Attachments: YARN-1253.patch.txt
>
>
> When using cgroups we require LCE to be configured in the cluster to start containers.

> When LCE starts containers as the user that submitted the job. While this works correctly
in a secure setup, in an un-secure setup this presents a couple issues:
> * LCE requires all Hadoop users submitting jobs to be Unix users in all nodes
> * Because users can impersonate other users, any user would have access to any local
file of other users
> Particularly, the second issue is not desirable as a user could get access to ssh keys
of other users in the nodes or if there are NFS mounts, get to other users data outside of
the cluster.



--
This message was sent by Atlassian JIRA
(v6.1#6144)

Mime
View raw message