Eric Yang created YARN-3252:
-------------------------------
Summary: YARN LinuxContainerExecutor runs as nobody in Simple Security mode for
all applications
Key: YARN-3252
URL: https://issues.apache.org/jira/browse/YARN-3252
Project: Hadoop YARN
Issue Type: Bug
Affects Versions: 2.5.2, 2.5.1, 2.6.0, 2.4.0, 2.3.0
Environment: Linux
Reporter: Eric Yang
Priority: Critical
When using YARN + Slider + LinuxContainerExecutor, all slider application are running as nobody.
This is because the modification in YARN-1253 to restrict all containers to run as a single
user. This becomes a exploite to any application that runs inside YARN + Slider + LCE. The
original behavior is more correct. The original statement indicated that users can impersonate
any other users. This supposed to be only valid for proxy users, who can proxy as other users.
It is designed as intended that the service user needs to be trusted by the framework to
impersonate end users.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
|