hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Todd Lipcon (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-1253) Changes to LinuxContainerExecutor to run containers as a single dedicated user in non-secure mode
Date Tue, 01 Oct 2013 20:41:27 GMT

    [ https://issues.apache.org/jira/browse/YARN-1253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13783318#comment-13783318
] 

Todd Lipcon commented on YARN-1253:
-----------------------------------

bq. We should refactor that code out to be able to use it as a standalone library/binary (which
doesn't bring in the extra baggage of user-accounts etc.) - that's the correct fix IMO. Putting
in a local-user is an easy short-term solution

I think separating the local "run-as" user from the daemon user has other benefits as well,
separate from cgroups. This is a long-standing tradition in Unix services - eg Apache httpd
typically runs CGI scripts as "nobody" unless suexec is configured. So this change still has
value.

> Changes to LinuxContainerExecutor to run containers as a single dedicated user in non-secure
mode
> -------------------------------------------------------------------------------------------------
>
>                 Key: YARN-1253
>                 URL: https://issues.apache.org/jira/browse/YARN-1253
>             Project: Hadoop YARN
>          Issue Type: New Feature
>          Components: nodemanager
>    Affects Versions: 2.1.0-beta
>            Reporter: Alejandro Abdelnur
>            Assignee: Roman Shaposhnik
>            Priority: Blocker
>         Attachments: YARN-1253.patch.txt
>
>
> When using cgroups we require LCE to be configured in the cluster to start containers.

> When LCE starts containers as the user that submitted the job. While this works correctly
in a secure setup, in an un-secure setup this presents a couple issues:
> * LCE requires all Hadoop users submitting jobs to be Unix users in all nodes
> * Because users can impersonate other users, any user would have access to any local
file of other users
> Particularly, the second issue is not desirable as a user could get access to ssh keys
of other users in the nodes or if there are NFS mounts, get to other users data outside of
the cluster.



--
This message was sent by Atlassian JIRA
(v6.1#6144)

Mime
View raw message