hadoop-yarn-issues mailing list archives

From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-7540) Convert yarn app cli to call yarn api services
Date Sat, 06 Jan 2018 07:18:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-7540?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16314423#comment-16314423

Eric Yang commented on YARN-7540:

Hadoop officially supports two distinct security modes, SIMPLE and Kerberos.  Simple mode
was designed to run everything in the same user space for single-user mode.  Kerberos supports
multi-user mode when used in combination with the Linux task controller to provide security.  However,
the Linux task controller with SIMPLE security creates a third combination which should not be
supported, because this combination has a privilege escalation security hole that allows any
user to impersonate any other user without any verification of the end user's credentials.  The
implementation of YARN-7540 and YARN-7605 blocked the third mode from working because the REST
API without authentication falls back to the {{hadoop.http.staticuser.user}} setting to look for
deployment artifacts.  This is the reason that Gour is seeing dr.who when YARN-7605 is applied.
If a downstream project depends on the third mode, then I recommend evaluating the usage
of the downstream project to prevent opening up more security holes.  The security problem is not
going to be solved by reverting this patch; quite the opposite, you allow the security hole
to remain in the system, and potentially assist in opening up more security holes in downstream
projects.  This is the reason that I take no part in reverting this patch.  Feel free to commit
again once you have verified that YARN-7605 matches your expectation.

> Convert yarn app cli to call yarn api services
> ----------------------------------------------
>                 Key: YARN-7540
>                 URL: https://issues.apache.org/jira/browse/YARN-7540
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>             Fix For: yarn-native-services
>         Attachments: YARN-7540.001.patch, YARN-7540.002.patch, YARN-7540.003.patch, YARN-7540.004.patch, YARN-7540.005.patch, YARN-7540.006.patch
> For a YARN docker application launched through the CLI, it works differently from launching
through the REST API.  All applications launched through the REST API are currently stored in the yarn user's
HDFS home directory.  Applications managed through the CLI are stored in individual users' HDFS
home directories.  For consistency, we want to have the yarn app cli interact with the API service
to manage applications.  For performance reasons, it is easier to implement listing all applications
from one user's home directory instead of crawling all users' home directories.  For security
reasons, it is safer to access only one user's home directory instead of all users'.  Given the
reasons above, the proposal is to change how {{yarn app -launch}}, {{yarn app -list}} and
{{yarn app -destroy}} work.  Instead of calling the HDFS API and RM API to launch containers,
the CLI will be converted to call the API service REST API that resides in the RM.  The RM performs the persistence
and operations to launch the actual application.
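The comment above describes an unsupported combination (SIMPLE authentication together with the Linux task controller) and the fallback of unauthenticated REST calls to {{hadoop.http.staticuser.user}} (dr.who). The following audit script is an added example written for this archive page; it is not code from the YARN-7540 patches or from the Hadoop project. It parses the standard Hadoop *-site.xml property format and flags both conditions. The configuration keys it reads (hadoop.security.authentication, hadoop.http.authentication.type, hadoop.http.staticuser.user, yarn.nodemanager.container-executor.class) are real Hadoop settings, but the sample XML documents and the finding codes are constructed for the example.

```python
"""Audit Hadoop/YARN site configuration for the SIMPLE-auth + LinuxContainerExecutor
combination and for REST calls that would resolve to the static HTTP user.

Added example, not Hadoop project code. The XML samples below are constructed.
"""
import xml.etree.ElementTree as ET

# Standard class name of the Linux task controller in YARN.
LINUX_CONTAINER_EXECUTOR = (
    "org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor"
)


def parse_hadoop_conf(xml_text):
    """Flatten a Hadoop <configuration><property>... document into {name: value}."""
    root = ET.fromstring(xml_text)
    conf = {}
    for prop in root.iter("property"):
        name = prop.findtext("name")
        if name:
            conf[name.strip()] = (prop.findtext("value") or "").strip()
    return conf


def audit_security_mode(core_site, yarn_site):
    """Return a list of (code, message) findings for the given config dicts.

    Defaults mirror Hadoop's own: authentication is 'simple' and the static
    HTTP user is 'dr.who' unless overridden.
    """
    findings = []
    auth = core_site.get("hadoop.security.authentication", "simple").lower()
    http_auth = core_site.get("hadoop.http.authentication.type", "simple").lower()
    static_user = core_site.get("hadoop.http.staticuser.user", "dr.who")
    executor = yarn_site.get("yarn.nodemanager.container-executor.class", "")

    # The unsupported "third mode": container executor switches Linux users
    # while nothing verifies who the caller actually is.
    if auth == "simple" and executor == LINUX_CONTAINER_EXECUTOR:
        findings.append((
            "UNSUPPORTED_SIMPLE_LCE",
            "hadoop.security.authentication=simple combined with "
            "LinuxContainerExecutor lets any caller run work as any user",
        ))

    # Unauthenticated HTTP/REST requests are attributed to the static user,
    # so API-service lookups happen in that user's context.
    if http_auth == "simple":
        findings.append((
            "STATIC_USER_REST",
            f"REST calls without authentication are attributed to '{static_user}'",
        ))
    return findings


def audit_files(core_site_xml, yarn_site_xml):
    """Convenience wrapper: parse both documents, then audit them."""
    return audit_security_mode(parse_hadoop_conf(core_site_xml),
                               parse_hadoop_conf(yarn_site_xml))


# Constructed sample: the weak combination the comment warns about.
CORE_SITE_SIMPLE = """<configuration>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
  <property><name>hadoop.http.staticuser.user</name><value>dr.who</value></property>
</configuration>"""

# Constructed sample: Kerberos for both RPC and HTTP, which is the supported pairing.
CORE_SITE_KERBEROS = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.http.authentication.type</name><value>kerberos</value></property>
</configuration>"""

YARN_SITE_LCE = """<configuration>
  <property>
    <name>yarn.nodemanager.container-executor.class</name>
    <value>org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor</value>
  </property>
</configuration>"""


if __name__ == "__main__":
    for label, core in (("simple", CORE_SITE_SIMPLE), ("kerberos", CORE_SITE_KERBEROS)):
        print(f"== {label} ==")
        for code, message in audit_files(core, YARN_SITE_LCE) or [("OK", "no findings")]:
            print(f"{code}: {message}")
```

Note that the HTTP side is governed separately from RPC: hadoop.http.authentication.type stays at its default of simple unless set, so a cluster can have Kerberos RPC and still attribute REST calls to dr.who. The audit therefore reports the two conditions independently.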
