Uploaded image for project: 'Hadoop YARN'
  1. Hadoop YARN
  2. YARN-1253

Changes to LinuxContainerExecutor to run containers as a single dedicated user in non-secure mode

    XMLWordPrintableJSON

Details

    • New Feature
    • Status: Closed
    • Blocker
    • Resolution: Fixed
    • 2.1.0-beta
    • 2.3.0
    • nodemanager
    • None
    • Reviewed

    Description

      When using cgroups we require LCE to be configured in the cluster to start containers.

      When LCE starts containers as the user that submitted the job. While this works correctly in a secure setup, in an un-secure setup this presents a couple issues:

      • LCE requires all Hadoop users submitting jobs to be Unix users in all nodes
      • Because users can impersonate other users, any user would have access to any local file of other users

      Particularly, the second issue is not desirable as a user could get access to ssh keys of other users in the nodes or if there are NFS mounts, get to other users data outside of the cluster.

      Attachments

        1. YARN-1253.patch.txt
          33 kB
          Roman Shaposhnik

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. YARN-2424 LCE should support non-cgroups, non-secure mode

          • Blocker - Blocks development and/or testing work, production could not run
          • Closed

          Activity

            People

              rvs Roman Shaposhnik
              tucu00 Alejandro Abdelnur
              Votes:
              0 Vote for this issue
              Watchers:
              22 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: