hadoop-yarn-issues mailing list archives

From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-4266) Allow users to enter containers as UID:GID pair instead of by username
Date Sat, 26 Aug 2017 22:34:02 GMT

    [ https://issues.apache.org/jira/browse/YARN-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16142956#comment-16142956

Eric Yang commented on YARN-4266:

[~daniel@cloudera.com]  LDAP group mapping contains a number of limitations, like nested OUs
in AD, or non-standardized LDAP schema support.  Application-specific LDAP configuration usually
has some limitations on supporting a wide variety of LDAP servers.  LDAP group mapping is a
proof-of-concept module, and not recommended for production workloads.  A secure cluster requires
the use of the Linux Container Executor, which requires the program to run as a Unix user that exists
in the Linux environment.  Instead of letting people run an insecure cluster with a proof-of-concept
module, I would recommend to customers to support PAM for improving their security practices.
 Any self-respecting Linux administrator would not trust an application to tap directly into the enterprise
LDAP server.

> Allow users to enter containers as UID:GID pair instead of by username
> ----------------------------------------------------------------------
>                 Key: YARN-4266
>                 URL: https://issues.apache.org/jira/browse/YARN-4266
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: Sidharta Seethana
>            Assignee: luhuichun
>         Attachments: YARN-4266.001.patch, YARN-4266.001.patch, YARN-4266.002.patch, YARN-4266.003.patch,
> YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping.pdf, YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping_v2.pdf,
> YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping_v3.pdf, YARN-4266-branch-2.8.001.patch
>
> Docker provides a mechanism (the --user switch) that enables us to specify the user the
> container processes should run as. We use this mechanism today when launching docker containers.
> In non-secure mode, we run the docker container based on `yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user`
> and in secure mode, as the submitting user. However, this mechanism breaks down with a large
> number of 'pre-created' images which don't necessarily have the users available within the
> image. Examples of such images include shared images that need to be used by multiple users.
> We need a way in which we can allow a pre-defined set of users to run containers based on
> existing images, without using the --user switch. There are some implications of disabling
> this user squashing that we'll need to work through: log aggregation, artifact deletion etc.
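
The quoted description explains the decision the NodeManager has to make for every Docker launch: which identity to hand to `--user`, and what happens when a shared image does not know the submitting user. The following is an added example, not code from the YARN-4266 patches or from Hadoop itself; it models that decision in Python with a constructed image `/etc/passwd`, a constructed host user table standing in for `getpwnam`, and hypothetical helper names (`select_container_user`, `build_docker_run`). It goes slightly beyond the text in one respect: when the image does contain a same-named account under a different numeric id, it still falls back to `UID:GID`, because a name-based `--user` would make the container write files under the image's id rather than the host's, which is exactly the kind of log-aggregation and artifact-deletion implication the issue lists.

```python
# Added example, not code from the YARN-4266 patches or from Hadoop itself.
# Models the "which --user value do we pass to docker run" decision from the
# issue; all names, sample files and helper functions are constructed.
import shlex
from typing import Dict, List, Optional, Set, Tuple

# Constructed /etc/passwd of a shared, pre-created image: it knows root and
# one service account, but none of the YARN users who will submit jobs.
IMAGE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
svc:x:999:999:service:/nonexistent:/usr/sbin/nologin
"""

# Constructed host-side view of users (stands in for getpwnam on the
# NodeManager host, which is what the Linux Container Executor consults).
HOST_USERS: Dict[str, Tuple[int, int]] = {
    "alice": (1001, 1001),
    "bob": (1002, 1002),
    "svc": (999, 999),
    "nobody": (65534, 65534),
}


def parse_passwd(text: str) -> Dict[str, Tuple[int, int]]:
    """Return {name: (uid, gid)} for the well-formed lines of a passwd file."""
    users: Dict[str, Tuple[int, int]] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 4 or not fields[0] or not fields[2].isdigit() or not fields[3].isdigit():
            continue  # skip blanks, comments and malformed lines
        users[fields[0]] = (int(fields[2]), int(fields[3]))
    return users


def select_container_user(
    submitting_user: str,
    secure_mode: bool,
    nonsecure_local_user: str,
    host_users: Dict[str, Tuple[int, int]],
    image_passwd: str,
    remap_whitelist: Optional[Set[str]] = None,
) -> Optional[str]:
    """Pick the value for docker's --user switch.

    Returns None only when the effective user is on the whitelist allowed to
    disable user re-mapping: no --user is passed and the container runs as
    the image's default user (often root), so that list is a trust boundary.
    """
    # Secure mode runs as the submitter; non-secure mode squashes everyone to
    # yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user.
    effective = submitting_user if secure_mode else nonsecure_local_user
    if effective not in host_users:
        raise ValueError(f"{effective!r} is not a user on the NodeManager host")
    if effective in (remap_whitelist or set()):
        return None
    host_ids = host_users[effective]
    # A name is only safe when the image resolves it to the same numeric ids
    # the host uses; otherwise files on bind mounts end up owned by the wrong
    # uid and log aggregation / artifact deletion break.
    if parse_passwd(image_passwd).get(effective) == host_ids:
        return effective
    # The image does not know this user (or disagrees about its ids). The
    # kernel only cares about numbers, so UID:GID works without any passwd
    # entry inside the image and keeps host-side ownership consistent.
    uid, gid = host_ids
    return f"{uid}:{gid}"


def build_docker_run(image: str, user_arg: Optional[str], argv: List[str]) -> List[str]:
    """Assemble the docker run argv; --user is omitted only for whitelisted users."""
    cmd = ["docker", "run", "--rm"]
    if user_arg is not None:
        cmd += ["--user", user_arg]
    return cmd + [image] + argv


if __name__ == "__main__":
    cases = [("alice", True, set()), ("alice", False, set()),
             ("svc", True, set()), ("bob", True, {"bob"})]
    for user, secure, wl in cases:
        sel = select_container_user(user, secure, "nobody", HOST_USERS, IMAGE_PASSWD, wl)
        print(f"{user:5} secure={secure!s:5} -> "
              f"{shlex.join(build_docker_run('shared-image:1', sel, ['id']))}")
```

Running the block prints one `docker run` line per case: the secure-mode submitter `alice` becomes `--user 1001:1001` because the image lacks her account, non-secure mode squashes her to `nobody`'s numeric ids, `svc` is passed by name because the image and host agree on its ids, and whitelisted `bob` gets no `--user` at all, which is the case an operator should audit most closely.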

This message was sent by Atlassian JIRA

