Re: Review Request 48348: AMBARI-17089: HDFS logs not picked by log feeder with umask 0027

Andrew Onischuk Thu, 09 Jun 2016 02:45:12 -0700


> On June 9, 2016, 8:42 a.m., Andrew Onischuk wrote:
> > ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/logfeeder.py,
> >  line 47
> > <https://reviews.apache.org/r/48348/diff/2/?file=1411328#file1411328line47>
> >
> >     Why do we run logsearch components as root? This is not recommended and 
> > our users don't have this sudo permission
> 
> Andrew Onischuk wrote:
>     We can ensure that logs are readable by hadoop group. And run logsearch 
> as before (having logsearch user in hadoop group)
> 
> Andrew Onischuk wrote:
>     From our skype discussion I found out that the problem with this apporach 
> is because we need to read ambari-server and ambari-agent logs.
>     Since some customers are very cautious about running things as root, 
> especially daemons. I propose do some way around to fix this.
>     Here is my proposal:
>     
>     Add logfeeder user to hadoop group, ambari-server user default group, 
> ambari-agent default group.
>     We can do that pre-start of logfeeder to make sure we get the lastest 
> actual group.
>     
>     How to know the ambari groups.
>     - ambari-agent is easy to know while starting logfeeder. It is the group 
> of the user running the process
>     - ambari-server group is a little bit trickier to know. We can we group 
> of the owner of /var/log/ambari-server
>     
>     @Oliver @Sumit Mohanty let's discuss here if we need to implement this in 
> such a way.


The problem with this approach would be that
- if this we change group for ambari-agent or ambari-server we will have to 
restart logfeeder.
- for now ambari-server log files don't have users applied to them. So after 
upgrade from older Ambari's we will have a problem.

drwxr-xr-x. 10 slava          root   4096 Jun  9 03:41 ambari-server
-rw-r-----. 1 slava root    50099 Jun  9 08:44 ambari-alerts.log
-rw-r-----. 1 slava root  2776258 Jun  9 09:36 ambari-audit.log
-rw-r-----. 1 slava root    15769 Jun  9 08:55 ambari-config-changes.log
-rw-r-----. 1 slava root    14417 Jun  9 08:48 ambari-eclipselink.log
-rw-r-----. 1 slava root     8575 Jun  9 08:48 ambari-server-check-database.log
-rw-r-----. 1 slava root  5289611 Jun  9 09:36 ambari-server.log
-rw-r-----. 1 slava slava     374 Jun  9 07:13 ambari-server.out


- Andrew


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/48348/#review136775
-----------------------------------------------------------


On June 9, 2016, 8:19 a.m., Oliver Szabo wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/48348/
> -----------------------------------------------------------
> 
> (Updated June 9, 2016, 8:19 a.m.)
> 
> 
> Review request for Ambari, Andrew Onischuk, Don Bosco Durai, Miklos Gergely, 
> Robert Nettleton, Sumit Mohanty, and Sebastian Toader.
> 
> 
> Bugs: AMBARI-17089
>     https://issues.apache.org/jira/browse/AMBARI-17089
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> - Change logfeeder process/files to use sudo user instead of 
> logfeeder/logfeeder user/group (to make sure logfeeder can read any kind of 
> the logs).
> - solr and logsearch user both moved to hadoop group
> 
> 
> Diffs
> -----
> 
>   
> ambari-common/src/main/python/resource_management/libraries/functions/solr_cloud_util.py
>  b099a1e 
>   
> ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/metadata.py
>  5799288 
>   
> ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/params.py
>  09a86f2 
>   
> ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/configuration/logfeeder-env.xml
>  46ac4c2 
>   
> ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/configuration/logsearch-env.xml
>  7943cd0 
>   
> ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/configuration/logsearch-properties.xml
>  65dc378 
>   
> ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/configuration/logsearch-solr-env.xml
>  73fecb6 
>   
> ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/logfeeder.py
>  c0689f3 
>   
> ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/logsearch.py
>  2b5fdf7 
>   
> ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/logsearch_common.py
>  d0ac389 
>   
> ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/logsearch_solr.py
>  b55f3d6 
>   
> ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/params.py
>  7acdec2 
>   
> ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logfeeder.py
>  5ca2bd5 
>   
> ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logsearch.py
>  58239c7 
>   
> ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logsearch_solr.py
>  6e71334 
>   ambari-server/src/test/python/stacks/2.3/ATLAS/test_metadata_server.py 
> bfd07b2 
>   ambari-server/src/test/python/stacks/2.4/LOGSEARCH/test_logfeeder.py 
> 54e08e4 
>   ambari-server/src/test/python/stacks/2.4/LOGSEARCH/test_logsearch.py 
> bfe6921 
>   ambari-server/src/test/python/stacks/2.4/LOGSEARCH/test_solr.py 0590dca 
>   ambari-server/src/test/python/stacks/2.5/ATLAS/test_atlas_server.py 7127451 
>   ambari-server/src/test/python/stacks/2.5/configs/default.json 1015593 
>   ambari-web/app/data/HDP2/site_properties.js 794da25 
> 
> Diff: https://reviews.apache.org/r/48348/diff/
> 
> 
> Testing
> -------
> 
> FT: tested locally with 4 node cluster with umask 0027.
> 
> 
> Thanks,
> 
> Oliver Szabo
> 
>

Re: Review Request 48348: AMBARI-17089: HDFS logs not picked by log feeder with umask 0027

Reply via email to