hadoop-yarn-issues mailing list archives

From "Eric Badger (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (YARN-4266) Allow users to enter containers as UID:GID pair instead of by username
Date Tue, 19 Sep 2017 15:22:01 GMT

     [ https://issues.apache.org/jira/browse/YARN-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Eric Badger updated YARN-4266:
------------------------------
    Attachment: YARN-4266.004.patch

[~jlowe], thanks for the review!

bq. These comments don't match the code:

Fixed the code to match the comments.

bq. Should we handle ExitCodeException or other types of exceptions that might happen (e.g.:
"no such user" type of errors) explicitly when running the id command so we can provide a
better debug experience, or is the exception message enough info to debug issues?

ContainerExecutionException doesn't have a constructor with both a string and a throwable,
so I just removed the string part. That way it will correctly parse the information in the
throwable that comes from the failed command.

bq. Also I found it odd that getUserIdInfo and getGroupIdInfo take a parameter for the id
command but these methods are highly dependent upon the "right" parameter being passed in
order to function properly. They are each only called in one place, and IMHO there's no reason
to make this parameterized given the parsing code needs the corresponding parameter to be
correct. We should just remove the parameter and have it passed directly.

Yep, good call. Removed the parameter and hardcoded the "-u" and "-G" into the respective
methods.

> Allow users to enter containers as UID:GID pair instead of by username
> ----------------------------------------------------------------------
>
>                 Key: YARN-4266
>                 URL: https://issues.apache.org/jira/browse/YARN-4266
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn
>            Reporter: Sidharta Seethana
>            Assignee: luhuichun
>         Attachments: YARN-4266.001.patch, YARN-4266.001.patch, YARN-4266.002.patch, YARN-4266.003.patch,
>                      YARN-4266.004.patch, YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping.pdf,
>                      YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping_v2.pdf,
>                      YARN-4266_Allow_whitelisted_users_to_disable_user_re-mapping_v3.pdf, YARN-4266-branch-2.8.001.patch
>
>
> Docker provides a mechanism (the --user switch) that enables us to specify the user the
> container processes should run as. We use this mechanism today when launching docker containers.
> In non-secure mode, we run the docker container based on
> `yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user`
> and in secure mode, as the submitting user. However, this mechanism breaks down with a large
> number of 'pre-created' images which don't necessarily have the users available within the
> image. Examples of such images include shared images that need to be used by multiple users.
> We need a way in which we can allow a pre-defined set of users to run containers based on
> existing images, without using the --user switch. There are some implications of disabling
> this user squashing that we'll need to work through: log aggregation, artifact deletion, etc.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
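
The message above discusses running the `id` command with "-u" and "-G" and surfacing "no such user" failures, in the context of entering containers as a UID:GID pair. The shell function below is an added illustration of that lookup done defensively; it is not code from the YARN-4266 patch or from this message. The name `resolve_uid_gid`, the accepted user-name pattern, and treating the first `id -G` entry as the primary group are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the YARN patch. Resolves a login name to the
# numeric "UID:GID" string accepted by docker's --user switch.

resolve_uid_gid() {
    rug_user=$1

    # Accept only conservative login names (assumed pattern). This keeps a
    # value such as "--help" or "a b" from reaching `id` as an option or as
    # extra arguments.
    case $rug_user in
        ''|-*|*[!A-Za-z0-9._-]*)
            echo "resolve_uid_gid: invalid user name" >&2
            return 2 ;;
    esac

    # `id` exits non-zero and prints a "no such user" message on stderr for
    # unknown accounts; let that message through and propagate the failure.
    rug_uid=$(id -u "$rug_user") || return 1
    rug_gids=$(id -G "$rug_user") || return 1

    # Assumption: the first entry printed by `id -G` is the primary group.
    rug_gid=${rug_gids%% *}

    # Refuse anything that is not purely numeric before it is placed on a
    # docker command line.
    case $rug_uid in ''|*[!0-9]*) echo "resolve_uid_gid: bad uid" >&2; return 3 ;; esac
    case $rug_gid in ''|*[!0-9]*) echo "resolve_uid_gid: bad gid" >&2; return 3 ;; esac

    printf '%s:%s\n' "$rug_uid" "$rug_gid"
}

# Stand-alone use: pass a login name as the first argument.
if [ "$#" -gt 0 ]; then
    resolve_uid_gid "$1"
fi
```

The distinct return codes (2 for a rejected name, 1 for a failed `id` lookup, 3 for non-numeric output) let a caller report which stage failed while the original `id` error text stays on stderr.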
