  1. Hadoop YARN
  2. YARN-1137

Add support whitelist for system users to Yarn container-executor.c

Details

    • Improvement
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 2.1.0-beta
    • 2.1.1-beta
    • nodemanager
    • None
    • Reviewed

    Description

      Currently container-executor.c has a banned set of users (mapred, hdfs & bin) and configurable min.user.id (defaulting to 1000).

      This presents a problem for systems that run as system users (below 1000) if these systems want to start containers.

      Systems like Impala fit in this category. A (local) 'impala' system user is created when installing Impala on the nodes.

      Note that the same thing happens when installing systems like HDFS, Yarn, Oozie, from packages (Bigtop); local system users are created.

      For Impala to be able to run containers in a secure cluster, the 'impala' system user must be whitelisted.

      For this, adding a configuration 'allowed.system.users' option in the container-executor.cfg and the logic in container-executor.c would allow the usernames in that list.

      Because system users are not guaranteed to have the same UID in different machines, the 'allowed.system.users' property should use usernames and not UIDs.
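
The check proposed in this description, sketched as an added example; it is not code from the issue, its attached patches, or container-executor.c. The function names, the comma-separated list format, the rule that a banned name wins over a whitelisted one, and the sample UIDs are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* 1 if name is an exact element of the comma-separated list (assumed format). */
static int in_csv_list(const char *list, const char *name) {
    size_t n = strlen(name);
    if (list == NULL || n == 0) return 0;
    for (const char *p = list; *p != '\0'; ) {
        while (*p == ' ' || *p == ',') p++;           /* skip separators */
        size_t len = strcspn(p, ",");
        const char *next = p + len;
        while (len > 0 && p[len - 1] == ' ') len--;   /* trim trailing spaces */
        /* Whole-element compare: a substring test would admit "imp" or "impalad". */
        if (len == n && strncmp(p, name, n) == 0) return 1;
        p = next;
    }
    return 0;
}

enum verdict { USER_OK = 0, USER_BANNED, USER_BELOW_MIN_UID };

/* Hypothetical policy check. The uid is passed in (instead of a getpwnam lookup)
 * so the example runs offline; the whitelist itself is matched by username only. */
static enum verdict check_launch_user(const char *name, uid_t uid, uid_t min_uid,
                                      const char *banned, const char *allowed_system) {
    if (in_csv_list(banned, name)) return USER_BANNED;  /* assumption: ban wins */
    if (uid < min_uid && !in_csv_list(allowed_system, name))
        return USER_BELOW_MIN_UID;
    return USER_OK;
}

int main(void) {
    /* Constructed sample values: banned set and min.user.id default from the
     * description, UIDs invented for the demonstration. */
    const char *banned = "mapred,hdfs,bin", *allowed = "impala";
    const struct { const char *name; uid_t uid; } users[] = {
        {"impala", 490}, {"impalad", 491}, {"hdfs", 496}, {"alice", 1001},
    };
    static const char *text[] = {"allowed", "banned", "uid below min.user.id"};
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++)
        printf("%-8s uid=%-5u %s\n", users[i].name, (unsigned)users[i].uid,
               text[check_launch_user(users[i].name, users[i].uid, 1000,
                                      banned, allowed)]);
    return 0;
}
```
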

      Attachments

        1. YARN-1137.patch.txt
          5 kB
          Roman Shaposhnik
        2. YARN-1137.patch2.txt
          5 kB
          Roman Shaposhnik

          People

            rvs Roman Shaposhnik
            tucu00 Alejandro Abdelnur