Date: Tue, 24 Feb 2015 17:15:04 +0000 (UTC)
From: "Eric Yang (JIRA)"
To: yarn-issues@hadoop.apache.org
Subject: [jira] [Created] (YARN-3252) YARN LinuxContainerExecutor runs as nobody in Simple Security mode for all applications

Eric Yang created YARN-3252:
-------------------------------

             Summary: YARN LinuxContainerExecutor runs as nobody in Simple Security mode for all applications
                 Key: YARN-3252
                 URL: https://issues.apache.org/jira/browse/YARN-3252
             Project: Hadoop YARN
          Issue Type: Bug
    Affects Versions: 2.5.2, 2.5.1, 2.6.0, 2.4.0, 2.3.0
         Environment: Linux
            Reporter: Eric Yang
            Priority: Critical

When using YARN + Slider + LinuxContainerExecutor, all Slider applications are running as nobody. This is because of the modification in YARN-1253 that restricts all containers to running as a single user.
This becomes an exploit for any application that runs inside YARN + Slider + LCE. The original behavior is more correct. The original statement indicated that users can impersonate any other users. This is supposed to be only valid for proxy users, who can proxy as other users. It is designed as intended that the service user needs to be trusted by the framework to impersonate end users.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
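The following yarn-site.xml fragment is an added example for readers of this issue; it is not part of the JIRA text and not code from the Hadoop project. It shows the NodeManager setting that produces the behaviour the reporter describes (every container from every application launched as one local account, nobody by default) next to the setting that makes LinuxContainerExecutor launch containers as the submitting user instead. The property names are taken from Hadoop's yarn-default.xml rather than from the issue, so treat their presence and defaults in your specific release as something to confirm in your own yarn-default.xml.

```xml
<!-- Added example (not from YARN-3252 or the Hadoop source): yarn-site.xml
     fragment for a NodeManager using LinuxContainerExecutor in simple
     (non-Kerberos) security mode. Property names are taken from Hadoop's
     yarn-default.xml; they are not quoted anywhere in the issue text. -->
<configuration>
  <property>
    <name>yarn.nodemanager.container-executor.class</name>
    <value>org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor</value>
  </property>

  <!-- Settings that produce the behaviour reported in the issue: with
       limit-users left at its default of true, every container, from every
       application and every submitter, is launched as local-user (default:
       nobody), so containers of different applications share one uid and can
       read, signal and otherwise interfere with each other. -->
  <property>
    <name>yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users</name>
    <value>true</value>
  </property>
  <property>
    <name>yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user</name>
    <value>nobody</value>
  </property>

  <!-- Alternative: launch each container as the user who submitted the
       application, which restores the per-application uid separation the
       reporter calls the original behaviour. The submitting user must exist
       as a local account on every NodeManager and must still pass the
       min.user.id and banned.users checks in container-executor.cfg.
       Use this block instead of the two properties above. -->
  <!--
  <property>
    <name>yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users</name>
    <value>false</value>
  </property>
  -->
</configuration>
```

One caveat a practitioner should keep in mind when choosing the second setting: in simple security mode the submitting user name is asserted by the client and not authenticated, which is exactly the impersonation concern the reporter raises. Running containers as the submitter separates applications from one another at the uid level, but it does not by itself stop a client from submitting as someone else; that boundary only exists once Kerberos authentication is enabled.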