Return-Path: <yarn-issues-return-130390-archive-asf-public=cust-asf.ponee.io@hadoop.apache.org>
X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io
Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183])
	by cust-asf2.ponee.io (Postfix) with ESMTP id 4D603200D3D
	for <archive-asf-public-internal@cust-asf2.ponee.io>; Mon, 13 Nov 2017 17:55:06 +0100 (CET)
Received: by cust-asf.ponee.io (Postfix)
	id 4BBC6160BF0; Mon, 13 Nov 2017 16:55:06 +0000 (UTC)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by cust-asf.ponee.io (Postfix) with SMTP id 91B08160BF3
	for <archive-asf-public@cust-asf.ponee.io>; Mon, 13 Nov 2017 17:55:05 +0100 (CET)
Received: (qmail 65237 invoked by uid 500); 13 Nov 2017 16:55:04 -0000
Mailing-List: contact yarn-issues-help@hadoop.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:yarn-issues-help@hadoop.apache.org>
List-Unsubscribe: <mailto:yarn-issues-unsubscribe@hadoop.apache.org>
List-Post: <mailto:yarn-issues@hadoop.apache.org>
List-Id: <yarn-issues.hadoop.apache.org>
Delivered-To: mailing list yarn-issues@hadoop.apache.org
Received: (qmail 65226 invoked by uid 99); 13 Nov 2017 16:55:04 -0000
Received: from pnap-us-west-generic-nat.apache.org (HELO spamd3-us-west.apache.org) (209.188.14.142)
    by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 13 Nov 2017 16:55:04 +0000
Received: from localhost (localhost [127.0.0.1])
	by spamd3-us-west.apache.org (ASF Mail Server at spamd3-us-west.apache.org) with ESMTP id 09EBB180803
	for <yarn-issues@hadoop.apache.org>; Mon, 13 Nov 2017 16:55:04 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at spamd3-us-west.apache.org
X-Spam-Flag: NO
X-Spam-Score: -100.002
X-Spam-Level: 
X-Spam-Status: No, score=-100.002 tagged_above=-999 required=6.31
	tests=[RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001,
	USER_IN_WHITELIST=-100] autolearn=disabled
Received: from mx1-lw-eu.apache.org ([10.40.0.8])
	by localhost (spamd3-us-west.apache.org [10.40.0.10]) (amavisd-new, port 10024)
	with ESMTP id ykbxi-R9DnkQ for <yarn-issues@hadoop.apache.org>;
	Mon, 13 Nov 2017 16:55:03 +0000 (UTC)
Received: from mailrelay1-us-west.apache.org (mailrelay1-us-west.apache.org [209.188.14.139])
	by mx1-lw-eu.apache.org (ASF Mail Server at mx1-lw-eu.apache.org) with ESMTP id 4127D60F6D
	for <yarn-issues@hadoop.apache.org>; Mon, 13 Nov 2017 16:55:02 +0000 (UTC)
Received: from jira-lw-us.apache.org (unknown [207.244.88.139])
	by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id 1F342E0BCB
	for <yarn-issues@hadoop.apache.org>; Mon, 13 Nov 2017 16:55:01 +0000 (UTC)
Received: from jira-lw-us.apache.org (localhost [127.0.0.1])
	by jira-lw-us.apache.org (ASF Mail Server at jira-lw-us.apache.org) with ESMTP id 829DC240DA
	for <yarn-issues@hadoop.apache.org>; Mon, 13 Nov 2017 16:55:00 +0000 (UTC)
Date: Mon, 13 Nov 2017 16:55:00 +0000 (UTC)
From: "Eric Yang (JIRA)" <jira@apache.org>
To: yarn-issues@hadoop.apache.org
Message-ID: <JIRA.13115733.1509652717000.222623.1510592100532@Atlassian.JIRA>
In-Reply-To: <JIRA.13115733.1509652717000@Atlassian.JIRA>
References: <JIRA.13115733.1509652717000@Atlassian.JIRA> <JIRA.13115733.1509652717882@jira-lw-us.apache.org>
Subject: [jira] [Commented] (YARN-7430) User and Group mapping are incorrect
 in docker container
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394
archived-at: Mon, 13 Nov 2017 16:55:06 -0000


    [ https://issues.apache.org/jira/browse/YARN-7430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16249817#comment-16249817 ] 

Eric Yang commented on YARN-7430:
---------------------------------

[~ebadger] {quote}
What about the logs written via log4j or some other logging plugin? 
{quote}

We can recommend to write log directly to HDFS via NFS Gateway mount to container.  I have done test in this area, and proved this approach works well.  The scope of these setup are application specific, which we only need documentation for clarity.

Is there any other concern to enable user/group mapping on as default?

> User and Group mapping are incorrect in docker container
> --------------------------------------------------------
>
>                 Key: YARN-7430
>                 URL: https://issues.apache.org/jira/browse/YARN-7430
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: security, yarn
>    Affects Versions: 2.9.0, 3.0.0
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>            Priority: Blocker
>         Attachments: YARN-7430.001.patch
>
>
> In YARN-4266, the recommendation was to use -u [uid]:[gid] numeric values to enforce user and group for the running user.  In YARN-6623, this translated to --user=test --group-add=group1.  The code no longer enforce group correctly for launched process.  
> In addition, the implementation in YARN-6623 requires the user and group information to exist in container to translate username and group to uid/gid.  For users on LDAP, there is no good way to populate container with user and group information. 



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org