diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java index 39d1dd3..87758b0 100644 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java @@ -833,6 +833,15 @@ NM_PREFIX + "linux-container-executor.group"; /** + * If linux-container-executor should limit itself to one user + * when running in non-secure mode. + */ + public static final String NM_NONSECURE_MODE_LIMIT_USERS= NM_PREFIX + + "linux-container-executor.nonsecure-mode.limit-users"; + + public static final boolean DEFAULT_NM_NONSECURE_MODE_LIMIT_USERS = true; + + /** * The UNIX user that containers will run as when Linux-container-executor * is used in nonsecure mode (a use case for this is using cgroups). */ diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml index 9b2b676..d918f1f 100644 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml 
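Review bot: The Javadoc added for `NM_NONSECURE_MODE_LIMIT_USERS` says the executor should "limit itself to one user" but names neither that user nor what `false` selects, and `DEFAULT_NM_NONSECURE_MODE_LIMIT_USERS` has no comment at all. I would reword it along the lines of `Whether, in non-secure mode, all containers run as the configured nonsecure-mode local user (true) or as the user who submitted the application (false).` and put `/** Default: keep running every container as the single local user. */` above the default. The key's declaration is also missing a space before `=`, unlike the default declared two lines below it.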
@@ -988,8 +988,21 @@ + This determines which of the two modes that LCE should use on a non-secure + cluster. If this value is set to true, then all containers will be launched as the user + specified in yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user. If + this value is set to false, then containers will run as the user who submitted the + application. + + yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users + true + + + The UNIX user that containers will run as when Linux-container-executor - is used in nonsecure mode (a use case for this is using cgroups). + is used in nonsecure mode (a use case for this is using cgroups) if the + yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users is set + to true. yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user nobody diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/LinuxContainerExecutor.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/LinuxContainerExecutor.java index 7962da2..466fed6 100644 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/LinuxContainerExecutor.java +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/LinuxContainerExecutor.java @@ -57,6 +57,7 @@ private LCEResourcesHandler resourcesHandler; private boolean containerSchedPriorityIsSet = false; private int containerSchedPriorityAdjustment = 0; + private boolean containerLimitUsers = YarnConfiguration.DEFAULT_NM_NONSECURE_MODE_LIMIT_USERS; @Override 
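Review bot: The description added for `yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users` explains the two modes but not the trust consequence of `false`. On a non-secure cluster the submitting user's name is normally asserted by the client rather than authenticated, so the UNIX account a container runs as is then chosen by whoever submits the application. I would add a sentence such as `With this set to false on a non-secure cluster, the run-as account is taken from an unauthenticated user name; limit who can submit applications before disabling it.` In the amended local-user description, "if the yarn...limit-users is set to true" would read better without "the".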
@@ -81,6 +82,9 @@ public void setConf(Configuration conf) { nonsecureLocalUserPattern = Pattern.compile( conf.get(YarnConfiguration.NM_NONSECURE_MODE_USER_PATTERN_KEY, YarnConfiguration.DEFAULT_NM_NONSECURE_MODE_USER_PATTERN)); + containerLimitUsers=conf.getBoolean( + YarnConfiguration.NM_NONSECURE_MODE_LIMIT_USERS, + YarnConfiguration.DEFAULT_NM_NONSECURE_MODE_LIMIT_USERS); } void verifyUsernamePattern(String user) { @@ -92,7 +96,12 @@ void verifyUsernamePattern(String user) { } String getRunAsUser(String user) { - return UserGroupInformation.isSecurityEnabled() ? user : nonsecureLocalUser; + if (UserGroupInformation.isSecurityEnabled() || + !containerLimitUsers) { + return user; + } else { + return nonsecureLocalUser; + } } /** diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/TestLinuxContainerExecutor.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/TestLinuxContainerExecutor.java index f840730..3ac132f 100644 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/TestLinuxContainerExecutor.java +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/TestLinuxContainerExecutor.java 
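Review bot: `setConf` picks up `NM_NONSECURE_MODE_LIMIT_USERS` silently, so a NodeManager running non-secure with per-user containers looks the same in its log as one using the single local user. A one-line warning when `!UserGroupInformation.isSecurityEnabled() && !containerLimitUsers` would make that configuration visible to operators and to anyone auditing the node; this assumes the class has a logger, which the hunk does not show. The assignment `containerLimitUsers=conf.getBoolean(` is also missing spaces around `=`. `setConf` begins above the hunk.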
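Review bot: With `containerLimitUsers` false and security disabled, `getRunAsUser` returns the caller-supplied `user` unchanged, and nothing in this hunk checks that name. `verifyUsernamePattern` sits directly above, but whether every caller invokes it before `getRunAsUser` is outside the hunk and worth confirming, since the configured pattern is then the only Java-side filter on the account name. I would record the assumption on the branch, e.g. `// non-secure + !containerLimitUsers: user is client-asserted; callers must run verifyUsernamePattern(user) first`.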
@@ -279,6 +279,13 @@ public void testLocalUser() throws Exception { lce.setConf(conf); Assert.assertEquals("bar", lce.getRunAsUser("foo")); + //nonsecure without limits + conf.set(YarnConfiguration.NM_NONSECURE_MODE_LOCAL_USER_KEY, "bar"); + conf.set(YarnConfiguration.NM_NONSECURE_MODE_LIMIT_USERS, "false"); + lce = new LinuxContainerExecutor(); + lce.setConf(conf); + Assert.assertEquals("foo", lce.getRunAsUser("foo")); + //secure conf = new YarnConfiguration(); conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION,