[YARN-1137] Add support whitelist for system users to Yarn container-executor.c - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 2.1.0-beta
Fix Version/s: 2.1.1-beta
Component/s: nodemanager
Labels:
None

Hadoop Flags:

Reviewed

Description

Currently container-executor.c has a banned set of users (mapred, hdfs & bin) and configurable min.user.id (defaulting to 1000).

This presents a problem for systems that run as system users (below 1000) if these systems want to start containers.

Systems like Impala fit in this category. A (local) 'impala' system user is created when installing Impala on the nodes.

Note that the same thing happens when installing system like HDFS, Yarn, Oozie, from packages (Bigtop); local system users are created.

For Impala to be able to run containers in a secure cluster, the 'impala' system user must whitelisted.

For this, adding a configuration 'allowed.system.users' option in the container-executor.cfg and the logic in container-executor.c would allow the usernames in that list.

Because system users are not guaranteed to have the same UID in different machines, the 'allowed.system.users' property should use usernames and not UIDs.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

YARN-1137.patch2.txt
06/Sep/13 20:57
5 kB
Roman Shaposhnik
YARN-1137.patch.txt
04/Sep/13 05:11
5 kB
Roman Shaposhnik

Activity

People

Assignee:: Roman Shaposhnik

Reporter:: Alejandro Abdelnur

Votes:: 0 Vote for this issue

Watchers:: 11 Start watching this issue

Dates

Created:: 03/Sep/13 21:12

Updated:: 24/Sep/13 23:33

Resolved:: 16/Sep/13 11:03