hadoop-yarn-issues mailing list archives

From "Naganarasimha G R (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-5765) LinuxContainerExecutor creates appcache and its subdirectories with wrong group owner.
Date Fri, 11 Nov 2016 06:51:58 GMT

    [ https://issues.apache.org/jira/browse/YARN-5765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15656333#comment-15656333 ]

Naganarasimha G R commented on YARN-5765:
-----------------------------------------

Thanks [~haibochen] & [~miklos.szegedi@cloudera.com] for some insightful comments.
There are 2 other places apart from launch_container_as_user wherein mkdirs is getting used.
{code}
main
RUN_AS_USER_INITIALIZE_CONTAINER
	mount_cgroup
	    mkdirs
		create_validate_dir
MOUNT_CGROUPS
	initialize_app
	    mkdirs
		create_validate_dir
{code}

IIUC only setting umask before change_effective_user would not be ideal as it would be required
in other places too.
What I want to understand is what impact would it have if we do it always? As we never run
the container-executor.c binary with root user (refer set_user -> check_user), and would
it be sufficient to reset the umask after mkdir?

bq. This means that by removing chmod this change does not apply to cases anymore, when the
default ACL is too restrictive. Could this be an issue, or do we rely on the admin to set
the default ACL correctly?
Good query... something to be thought about! Not sure we will be able to handle it. One
more question is, if we reset the umask after mkdir, will the container logs created
be accessible to the NM because of restrictive rights? Would it be ideal to set a default ACL
for the folders created and reset the umask so that files created by the user under these
directories have the rightful permissions?


> LinuxContainerExecutor creates appcache and its subdirectories with wrong group owner.
> --------------------------------------------------------------------------------------
>
>                 Key: YARN-5765
>                 URL: https://issues.apache.org/jira/browse/YARN-5765
>             Project: Hadoop YARN
>          Issue Type: Bug
>    Affects Versions: 2.8.0, 3.0.0-alpha1
>            Reporter: Haibo Chen
>            Assignee: Naganarasimha G R
>            Priority: Blocker
>         Attachments: YARN-5765.001.patch
>
>
> LinuxContainerExecutor creates usercache/{userId}/appcache/{appId} with wrong group
> owner, causing Log aggregation and ShuffleHandler to fail because node manager process does
> not have permission to read the files under the directory.
> This can be easily reproduced by enabling LCE and submitting a MR example job as a user
> that does not belong to the same group that NM process belongs to.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
