diff --git hadoop-common-project/hadoop-common/src/site/apt/ClusterSetup.apt.vm hadoop-common-project/hadoop-common/src/site/apt/ClusterSetup.apt.vm
index 1217544..cae366a 100644
--- hadoop-common-project/hadoop-common/src/site/apt/ClusterSetup.apt.vm
+++ hadoop-common-project/hadoop-common/src/site/apt/ClusterSetup.apt.vm
@@ -929,6 +929,8 @@ KVNO Timestamp Principal
 *-------------------------+-------------------------+------------------------+
 | <<>> | hfds,yarn,mapred,bin | Banned users. |
 *-------------------------+-------------------------+------------------------+
+| <<>> | foo,bar | Allowed system users. |
+*-------------------------+-------------------------+------------------------+
 | <<>> | 1000 | Prevent other super-users. |
 *-------------------------+-------------------------+------------------------+
diff --git hadoop-yarn-project/hadoop-yarn/conf/container-executor.cfg hadoop-yarn-project/hadoop-yarn/conf/container-executor.cfg
index fe1d680..d68cee8 100644
--- hadoop-yarn-project/hadoop-yarn/conf/container-executor.cfg
+++ hadoop-yarn-project/hadoop-yarn/conf/container-executor.cfg
@@ -1,3 +1,4 @@
 yarn.nodemanager.linux-container-executor.group=#configured value of yarn.nodemanager.linux-container-executor.group
 banned.users=#comma separated list of users who can not run applications
 min.user.id=1000#Prevent other super-users
+allowed.system.users=##comma separated list of system users who CAN run applications
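Review bot: The added `allowed.system.users` line in container-executor.cfg introduces its value with `##` while the three existing keys in this sample file use a single `#` to separate the value from its comment, so the one key that relaxes a security floor is the one whose convention differs from the template around it. Suggest `allowed.system.users=#comma separated list of system users who CAN run applications`. It would also help operators if the comment said that the list only exempts those users from the `min.user.id` floor, which is what the accompanying `check_user` change does; whether `banned.users` still applies to a listed user is not visible in this diff.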
diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c
index af44377..307e0fa 100644
--- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c
+++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c
@@ -30,6 +30,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
@@ -492,6 +493,21 @@ static struct passwd* get_user_info(const char* user) {
 return result;
 }
+int is_whitelisted(const char *user) {
+ char **whitelist = get_values(ALLOWED_SYSTEM_USERS_KEY);
+ char **users = whitelist;
+ if (whitelist != NULL) {
+ for(; *users; ++users) {
+ if (strncmp(*users, user, LOGIN_NAME_MAX) == 0) {
+ free_values(whitelist);
+ return 1;
+ }
+ }
+ free_values(whitelist);
+ }
+ return 0;
+}
+
 /**
 * Is the user a real user account?
 * Checks:
@@ -526,9 +542,9 @@ struct passwd* check_user(const char *user) {
 fflush(LOGFILE);
 return NULL;
 }
- if (user_info->pw_uid < min_uid) {
- fprintf(LOGFILE, "Requested user %s has id %d, which is below the "
- "minimum allowed %d\n", user, user_info->pw_uid, min_uid);
+ if (user_info->pw_uid < min_uid && !is_whitelisted(user)) {
+ fprintf(LOGFILE, "Requested user %s is not whitelisted and has id %d,"
+ "which is below the minimum allowed %d\n", user, user_info->pw_uid, min_uid);
 fflush(LOGFILE);
 free(user_info);
 return NULL;
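Review bot: `is_whitelisted` is defined with external linkage, but the header hunk in this change adds only `ALLOWED_SYSTEM_USERS_KEY` and no prototype, and its only caller is `check_user` in the same file, so it should be `static int is_whitelisted(const char *user) {`. The comparison `strncmp(*users, user, LOGIN_NAME_MAX)` adds nothing over `strcmp` for two NUL-terminated strings and would report a match for two distinct names that agree on their first LOGIN_NAME_MAX bytes; since this function decides who may run as a low-uid account, the exact form `if (strcmp(*users, user) == 0) {` is the safer reading. A short comment on the function would help the next reader, e.g. `/* True if user appears verbatim in allowed.system.users; this is the only exemption from the min.user.id check. */`. Whether `user` can be NULL here depends on `check_user`'s caller, which is outside the hunk.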
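Review bot: The new log message in `check_user` drops the space between its two string fragments, so `"...has id %d,"` runs straight into `"which is below..."` and the logged line reads `id 500,which is below`; the first fragment should end `"Requested user %s is not whitelisted and has id %d, "`. Because the whitelist silently lifts the `min.user.id` floor for a privileged account, it is worth leaving an audit trace when that exemption is actually taken, for example a LOGFILE line when `user_info->pw_uid < min_uid` but `is_whitelisted(user)` is true, so that a container launched as a low-uid user can be traced to the configuration that allowed it. I am inferring the surrounding control flow, since `check_user` begins and ends outside this hunk.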
diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.h hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.h
index ec5a374..581ba04 100644
--- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.h
+++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.h
@@ -65,6 +65,7 @@ enum errorcodes {
 #define CREDENTIALS_FILENAME "container_tokens"
 #define MIN_USERID_KEY "min.user.id"
 #define BANNED_USERS_KEY "banned.users"
+#define ALLOWED_SYSTEM_USERS_KEY "allowed.system.users"
 #define TMP_DIR "tmp"
 extern struct passwd *user_detail;
diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/test-container-executor.c hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/test-container-executor.c
index 2563fa6..b2d7d6f 100644
--- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/test-container-executor.c
+++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/test-container-executor.c
@@ -99,6 +99,7 @@ int write_config_file(char *file_name) {
 }
 fprintf(file, "banned.users=bannedUser\n");
 fprintf(file, "min.user.id=500\n");
+ fprintf(file, "allowed.system.users=allowedUser,bin\n");
 fclose(file);
 return 0;
 }
@@ -195,6 +196,10 @@ void test_check_user() {
 printf("FAIL: failed check for system user root\n");
 exit(1);
 }
+ if (check_user("bin") == NULL) {
+ printf("FAIL: failed check for whitelisted system user bin\n");
+ exit(1);
+ }
 }
 void test_resolve_config_path() {
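Review bot: The new assertion that `check_user("bin")` is non-NULL only passes on a host where a `bin` account exists with a uid below the `min.user.id=500` written by `write_config_file`, so the test is environment-dependent; at minimum the FAIL message should say that a `bin` account is required, or the case should be skipped with a message when the account is absent. There is also no test that a user listed in both `banned.users` and `allowed.system.users` is still rejected; since the `check_user` hunk consults the whitelist only in the `min_uid` branch and the banned-user check is not visible in this diff, a case for that combination would pin the intended precedence. `test_check_user` begins outside this hunk.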