  1. Hadoop YARN
  2. YARN-1137

Add support whitelist for system users to Yarn container-executor.c

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.1.0-beta
    • Fix Version/s: 2.1.1-beta
    • Component/s: nodemanager
    • Labels:
      None
    • Hadoop Flags:
      Reviewed

      Description

      Currently container-executor.c has a banned set of users (mapred, hdfs & bin) and a configurable min.user.id (defaulting to 1000).

      This presents a problem for systems that run as system users (below 1000) if these systems want to start containers.

      Systems like Impala fit in this category. A (local) 'impala' system user is created when installing Impala on the nodes.

      Note that the same thing happens when installing systems like HDFS, Yarn, Oozie from packages (Bigtop); local system users are created.

      For Impala to be able to run containers in a secure cluster, the 'impala' system user must be whitelisted.

      For this, adding a configuration 'allowed.system.users' option in the container-executor.cfg and the logic in container-executor.c would allow the usernames in that list.

      Because system users are not guaranteed to have the same UID in different machines, the 'allowed.system.users' property should use usernames and not UIDs.
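
The check described above, sketched as an added example; it is not the code from the attached patch or from container-executor.c. The function names, the comma-separated list format, the sample UIDs and the rule that the banned set wins over the allow-list are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Banned set named in the issue description. */
static const char *const BANNED_USERS[] = { "mapred", "hdfs", "bin", NULL };

/* Return 1 if `name` equals one whole entry of the comma-separated `list`.
 * Entries are compared in full, so "impala" does not match "impala2". */
static int in_csv_list(const char *list, const char *name) {
    size_t name_len = strlen(name);
    if (list == NULL || name_len == 0) return 0;
    while (*list != '\0') {
        while (*list == ' ' || *list == ',') list++;   /* skip separators */
        size_t len = strcspn(list, ",");
        size_t trimmed = len;
        while (trimmed > 0 && list[trimmed - 1] == ' ') trimmed--;
        if (trimmed == name_len && strncmp(list, name, name_len) == 0) return 1;
        list += len;
    }
    return 0;
}

/* Return 1 if a container may be launched as this user, 0 otherwise.
 * Assumption: the banned set takes precedence over allowed.system.users. */
int user_may_run_container(const char *name, uid_t uid, uid_t min_user_id,
                           const char *allowed_system_users) {
    for (size_t i = 0; BANNED_USERS[i] != NULL; i++)
        if (strcmp(name, BANNED_USERS[i]) == 0) return 0;
    if (uid >= min_user_id) return 1;              /* ordinary user */
    /* System user: allowed only by username, since UIDs differ per machine. */
    return in_csv_list(allowed_system_users, name);
}

int main(void) {
    /* Constructed sample values; the UIDs are illustrative only. */
    const char *allowed = "impala, oozie";
    printf("impala  (uid 487): %d\n", user_may_run_container("impala", 487, 1000, allowed));
    printf("impala2 (uid 488): %d\n", user_may_run_container("impala2", 488, 1000, allowed));
    printf("hdfs    (uid 496): %d\n", user_may_run_container("hdfs", 496, 1000, "hdfs"));
    return 0;
}
```

Matching whole entries rather than substrings keeps a lookalike name such as 'impala2' from inheriting the exemption granted to 'impala'.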

        Attachments

        1. YARN-1137.patch2.txt
          5 kB
          Roman Shaposhnik
        2. YARN-1137.patch.txt
          5 kB
          Roman Shaposhnik

            People

            • Assignee:
              rvs Roman Shaposhnik
              Reporter:
              tucu00 Alejandro Abdelnur
            • Votes:
              0
              Watchers:
              11