hadoop-yarn-issues mailing list archives

From "Ray Chiang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-4579) Allow container directory permissions to be configurable
Date Wed, 13 Jan 2016 20:10:39 GMT

    [ https://issues.apache.org/jira/browse/YARN-4579?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15096900#comment-15096900 ]

Ray Chiang commented on YARN-4579:

Sorry [~vinodkv], I didn't realize that replying within the JIRA may not send a notification.
 I've re-quoted my earlier comments below:

bq. I don't have all the specifics, but I have one request where they're using a third-party
tool to pull data from the container logs. The tool can't run as user 'yarn' and the hardcoded
directory permissions of 710 is preventing this tool/flow from working. I do agree it's a
bit of a weird corner case, since I'd assume this would only apply to customers that aren't
as concerned about security (at least with respect to logs).
bq. As for design, it looks like each subclass of ContainerExecutor has its own implementation
(or inherited) of startLocalizer(). Are you thinking of generalizing the directory location/permissions/other
requirements into LocalizerStartContext or did you have something else in mind?
bq. I would think that since the container log directory is the only one generated by YARN,
so there could be useful information in there. The other directories (file cache, app cache,
user directory) would be files the user could already have access to without even launching
a job, so I would expect that permissions there would be less likely to need loosening.
bq. One follow up thought, based on Robert's feedback. Does it make sense to make it a DefaultContainerExecutor
property only? For security reasons, it might make sense to give each ContainerExecutor subclass
its own property for container log directory permissions.  If so, I can do this JIRA for
DefaultContainerExecutor and do a follow up JIRA to refactor ContainerExecutor and its subclasses
for the other properties. I'd like a little more time to think on that.

> Allow container directory permissions to be configurable
> --------------------------------------------------------
>                 Key: YARN-4579
>                 URL: https://issues.apache.org/jira/browse/YARN-4579
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: yarn
>    Affects Versions: 2.8.0
>            Reporter: Ray Chiang
>            Assignee: Ray Chiang
>              Labels: supportability
>         Attachments: YARN-4579.001.patch, YARN-4579.002.patch, YARN-4579.003.patch, YARN-4579.004.patch
> By default, container directory permissions are hardcoded to this member in DefaultContainerExecutor:
>   static final short LOGDIR_PERM = (short)0710;
> There are some cases where less restrictive permissions are desired.  Make this configurable.

This message was sent by Atlassian JIRA
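
The following is an added example, not part of the original message and not Hadoop code: it decodes what the hardcoded 0710 grants to group and other on a directory, and shows one way a configurable value could be validated before use. The class and method names and the accept/reject policy (owner keeps rwx, no group/other write, no setuid/setgid/sticky bits) are assumptions for illustration.

```java
import java.util.ArrayList;
import java.util.List;

// Added illustration, not Hadoop code. Class and method names are hypothetical.
public class LogDirPermCheck {
    // Same value as the hardcoded member quoted in the issue description.
    static final short LOGDIR_PERM = (short) 0710;

    // What one rwx triplet (0-7) allows on a directory.
    static String describe(int bits) {
        List<String> can = new ArrayList<>();
        if ((bits & 4) != 0) can.add("list entries");
        if ((bits & 2) != 0) can.add("create/delete entries");
        if ((bits & 1) != 0) can.add("reach entries by known name");
        return can.isEmpty() ? "no access" : String.join(", ", can);
    }

    // Parse an octal mode string; the accept/reject policy is an assumption.
    static short parseLogDirPerm(String value) {
        int mode;
        try {
            mode = Integer.parseInt(value.trim(), 8);
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("not an octal mode", e);
        }
        if (mode < 0 || mode > 0777)
            throw new IllegalArgumentException("setuid/setgid/sticky or out of range");
        if ((mode & 0700) != 0700)
            throw new IllegalArgumentException("owner must keep rwx");
        if ((mode & 0022) != 0)
            throw new IllegalArgumentException("group/other write not allowed");
        return (short) mode;
    }

    public static void main(String[] args) {
        // Constructed sample values, as they might be typed into a config file.
        String[] samples = {Integer.toOctalString(LOGDIR_PERM), "750", "755", "770", "1750", "rwx"};
        for (String v : samples) {
            try {
                short m = parseLogDirPerm(v);
                System.out.printf("%s accepted: group=[%s] other=[%s]%n",
                        v, describe((m >> 3) & 7), describe(m & 7));
            } catch (IllegalArgumentException e) {
                System.out.printf("%s rejected: %s%n", v, e.getMessage());
            }
        }
    }
}
```

With 710, group members can reach files whose names they already know but cannot list the directory; 750 adds listing for the group while still giving other users nothing.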
