hadoop-yarn-issues mailing list archives

From "Daniel Templeton (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-5771) Provide option to send env to be whitelisted in ContainerLaunchContext
Date Wed, 26 Oct 2016 20:33:58 GMT

    [ https://issues.apache.org/jira/browse/YARN-5771?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15609586#comment-15609586 ]

Daniel Templeton commented on YARN-5771:
----------------------------------------

#2 is required to keep this approach from reopening the security hole.  Even with that, though,
it makes me a little uncomfortable.  I'd prefer security to be inclusive ("allow these things")
rather than exclusive ("don't allow these things") because it's easy to forget to add something
to the black list.

What about the approach outlined in [https://hadoop.apache.org/docs/r3.0.0-alpha1/hadoop-mapreduce-client/hadoop-mapreduce-client-core/DistributedCacheDeploy.html]?
It solves the issue handily.  You can also just add
{noformat}
    <property>
        <name>mapreduce.admin.user.env</name>
        <value>HADOOP_MAPRED_HOME=$HADOOP_MAPRED_HOME</value>
    </property>
    <property>
        <name>yarn.app.mapreduce.am.env</name>
        <value>HADOOP_MAPRED_HOME=$HADOOP_MAPRED_HOME</value>
    </property>
{noformat}
to the {{mapred-site.xml}} file to resolve the issue in many cases.

In my opinion the problem is not so much that anything is broken or needs to be fixed, but
that we need to do a better job of documenting the options for configuring a cluster in the
post-env-var-leak-fix world.

> Provide option to send env to be whitelisted in ContainerLaunchContext 
> -----------------------------------------------------------------------
>
>                 Key: YARN-5771
>                 URL: https://issues.apache.org/jira/browse/YARN-5771
>             Project: Hadoop YARN
>          Issue Type: Improvement
>            Reporter: Bibin A Chundatt
>            Assignee: Bibin A Chundatt
>         Attachments: container-whitelist-env-wip.patch
>
>
> As per current implementation ENV to be white listed for container launch are configured as part of {{yarn.nodemanager.env-whitelist}}.
> Specific to container we cannot specify additional ENV properties to be whitelisted. As part of this jira we are providing an option to provide additional whitelist ENV.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
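
The inclusive-versus-exclusive point in the comment above, as an added sketch that is not part of the original message or of Hadoop: a per-container request for extra variables is checked once against a deny list and once against an allow list. All names, values and the `DENY_LIST`/`EXTRA_ALLOWED` sets are constructed; only `yarn.nodemanager.env-whitelist` comes from the issue text.

```python
# Simplified model of environment inheritance at container launch.
# Not YARN code: every variable name and value below is constructed.

NODE_ENV = {  # constructed NodeManager process environment
    "JAVA_HOME": "/usr/lib/jvm/java-8",
    "HADOOP_CONF_DIR": "/etc/hadoop/conf",
    "HADOOP_MAPRED_HOME": "/opt/hadoop/mapreduce",
    "NM_KEYSTORE_PASSWORD": "example-secret",  # sensitive, and on the deny list
    "METRICS_API_TOKEN": "example-token",      # sensitive, added later, never listed
}

# Plays the role of yarn.nodemanager.env-whitelist (admin-controlled).
ADMIN_WHITELIST = frozenset({"JAVA_HOME", "HADOOP_CONF_DIR"})
DENY_LIST = frozenset({"NM_KEYSTORE_PASSWORD"})    # exclusive guard on requests
EXTRA_ALLOWED = frozenset({"HADOOP_MAPRED_HOME"})  # inclusive guard on requests


def _inherit(node_env, names):
    """Copy the named variables that exist in the node environment."""
    return {name: node_env[name] for name in sorted(names) if name in node_env}


def inherit_exclusive(node_env, requested):
    """Container may add any variable that is not on the deny list."""
    return _inherit(node_env, ADMIN_WHITELIST | (set(requested) - DENY_LIST))


def inherit_inclusive(node_env, requested):
    """Container may add only variables the admin has explicitly allowed."""
    return _inherit(node_env, ADMIN_WHITELIST | (set(requested) & EXTRA_ALLOWED))


def unapproved(container_env):
    """Names that reached the container without admin approval."""
    return sorted(set(container_env) - (ADMIN_WHITELIST | EXTRA_ALLOWED))


# Constructed per-container request for additional inherited variables.
REQUEST = ["HADOOP_MAPRED_HOME", "NM_KEYSTORE_PASSWORD", "METRICS_API_TOKEN"]

if __name__ == "__main__":
    for policy in (inherit_exclusive, inherit_inclusive):
        env = policy(NODE_ENV, REQUEST)
        print(policy.__name__, sorted(env), "unapproved:", unapproved(env))
```

The deny list stops the variable someone remembered to list and passes the one nobody did; the allow list drops both without needing to know either exists.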
