Re: Update : Run each component of application as different user working - except stop command

2016-05-04 Thread Manoj Samel
Hi Josh,

MapReduce in a secured cluster already works like this - the jobs are run
using end user logins - not as some admin login. This is a key security
feature and ensures no rogue jobs can interfere with each other or do some
Linux-level access.

So this feature will bring Slider component security to parity with what
the traditional MapReduce does. I believe this will be an important feature
as Slider gets more adoption for running custom services (beyond HBase
etc., which could be run as a single user)

Thanks,

Manoj

On Wed, May 4, 2016 at 7:28 AM, Josh Elser  wrote:

> Manoj Samel wrote:
>
>> 1. I have logged https://issues.apache.org/jira/browse/SLIDER-1114 to
>> describe the use case in detail as a new feature request. Josh - regarding
>> your suggestion on launching each component as separate app; I have added
>> a
>> comment in Jira on why that is not feasible - hope that explains the
>> reason
>> for ask
>>
>
> Thanks for the details, Manoj.
>
> I'm still a little worried about the scope of the change since it's not at
> all what Slider was originally intending to do, but don't let me stop you
> from working it out!
>


Re: Update : Run each component of application as different user working - except stop command

2016-05-04 Thread Josh Elser

Manoj Samel wrote:

1. I have logged https://issues.apache.org/jira/browse/SLIDER-1114 to
describe the use case in detail as a new feature request. Josh - regarding
your suggestion on launching each component as separate app; I have added a
comment in Jira on why that is not feasible - hope that explains the reason
for ask


Thanks for the details, Manoj.

I'm still a little worried about the scope of the change since it's not 
at all what Slider was originally intending to do, but don't let me stop 
you from working it out!


Update : Run each component of application as different user working - except stop command

2016-05-02 Thread Manoj Samel
> >
> > 2) With the setuid option, the component Execute() command is not java but
> > the path to my C executable and its parameters e.g. "/a/b/processlauncher
> > arg1 arg2". When I run this, the parent of this dies quickly -- but I was
> > able to capture the parent process before it dies. The parent is NOT
> > "/bin/bash --login -c " as I was expecting but is "/usr/bin/python -S  to component script.py> START
> >
> > /xxx/application_1461117905837_0276/container_e13_1461117905837_0276_01_02/command-2.json
> >
> > /xxx/appcache/application_1461117905837_0276/filecache/11/spas-1.0.0.zip/package
> >
> > /xyz/application_1461117905837_0276/container_e13_1461117905837_0276_01_02/structured-out-2.json
> > INFO
> >
> > /foo/application_1461117905837_0276/container_e13_1461117905837_0276_01_02
> >
> > It appears that when the component is an executable, rather than Java (as
> > was in case 1), it is run as Python script !  Any idea why ? Could this be
> > reason why the parent process is dying quickly ?
> >
> > I also tried this with a simple C program as component that does nothing
> > but loops infinitely. I.e. without it being setuid or doing other execle()
> > etc. Even with the simple C binary, I see above behavior. So something
> > different about using an executable rather than Java command as component
> > ??? Should I execute the C binary component in different manner ?
> >
> > Any guidance on this will be really appreciated 
> >
> >
> > Thanks,
> >
> > Manoj
> >
> > -- Forwarded message --
> > From: Manoj Samel <manojsamelt...@gmail.com>
> > Date: Thu, Apr 21, 2016 at 2:40 PM
> > Subject: Need Help !: Run each component of application as different user
> > To: dev@slider.incubator.apache.org
> >
> >
> > Hi,
> >
> > See use case background below
> >
> > I have implemented option 2 mentioned below (as a C program deployed on
> > nodes as setuid root binary). Need help in debugging issue I am seeing
> >
> > Without the setuid option, the execution is
> >
> > 1. Launch Slider AM as user "A"
> > 2. Launch java component using command like "java -cp ". These run as
> > user "A" as well. Things run well
> >
> > With setuid root option, the execution is
> >
> > 1. Launch slider AM as user "A" as before
> > 2. Instead of launching java program as the component, launch the setuid
> > program as a component. The program gets the end user name , say "B" as
> > parameter. It does a setuid() and setgid() to user "B" (remember, its
> > running as setuid root) and does a "execle()" for the java component,
> > setting java parameters etc.
> >
> > The component comes up fine but I noticed that the "status" command fails
> > ... Digging further, it seems that the parent process dies when I use the
> > setuid
> >
> > With the normal execution, I noticed that there are two processes launched
> > for a component on a node. The first process is "/bin/bash --login -c java
> > ..." coming from my Execute() (which is traced to sliders
> > resource_management/core/shell.py. The child process then is "java xxx".
> > User for both processes is user "A"
> >
> > With the setuid execution, the parent process dies quickly. The child
> > process gets orphaned and gets parent process ID as 1 (and is running as
> > user "B")
> >
> > Any help in identifying why is the parent process dying ?
> >
> > Thanks in advance !!
> >
> > Manoj
> >
> > PS : Please ignore my last mail sent with same title few minutes back. I
> > hit return by mistake when it was not complete :(
> >
> > On Fri, Apr 8, 2016 at 10:30 AM, Manoj Samel <manojsamelt...@gmail.com>
> > wrote:
> >
> > > Hello,
> > >
> > > Environment is slider .80 on Hadoop 2.6 secured cluster
> > >
> > > A component is launched for each distinct user of the service (via
> > > upgrade). E.g. when user A accesses service, do a "upgrade" and create a
> > > component for user A. When user B comes, create another component for user
> > > B etc.
> > >
> > > At present, all of these components are launched & run as single linux
> > > user. What are the options to run each component as different user ?
> &

Re: (2nd attempt) Need Help !: Run each component of application as different user

2016-04-25 Thread Billie Rinaldi
Hi Manoj,

The "/usr/bin/python -S  START ..." command
looks normal; that is how the component scripts are executed.  I would
expect this to be the parent of the "/bin/bash --login -c " process.  If you're seeing the python as the parent of the
Execute command, it is probably not why your process is failing.  One thing
you can do is add logoutput=True to your Execute command; maybe that will
show you the error that is happening.

I wonder if the problem is related to the use of execle.  I understand that
exec commands replace the current process rather than creating a child
process, like the system command would.  Perhaps if you used the system
command in your C code, that would produce a different result.

Billie

On Fri, Apr 22, 2016 at 12:17 PM, Manoj Samel <manojsamelt...@gmail.com>
wrote:

> Hello Again !
>
> One more observation .. hopefully that triggers some feedback from this
> forum ...
>
> 1) Without the setuid option, the component Execute() command is "java -Dxx
> -cp yy abc" etc. This runs fine. On the node running the component, I can
> see this process as well its parent process as "/bin/bash --login -c java
> -Dxx -cp yy abc" etc. So all is good and parent process is the shell as
> expected
>
> 2) With the setuid option, the component Execute() command is not java but
> the path to my C executable and its parameters e.g. "/a/b/processlauncher
> arg1 arg2". When I run this, the parent of this dies quickly -- but I was
> able to capture the parent process before it dies. The parent is NOT
> "/bin/bash --login -c " as I was expecting but is "/usr/bin/python -S  to component script.py> START
>
> /xxx/application_1461117905837_0276/container_e13_1461117905837_0276_01_02/command-2.json
>
> /xxx/appcache/application_1461117905837_0276/filecache/11/spas-1.0.0.zip/package
>
> /xyz/application_1461117905837_0276/container_e13_1461117905837_0276_01_02/structured-out-2.json
> INFO
>
> /foo/application_1461117905837_0276/container_e13_1461117905837_0276_01_02
>
> It appears that when the component is a executable, rather than Java (as
> was in case 1), it is run as Python script !  Any idea why ? Could this be
> reason why the parent process is dying quickly ?
>
> I also tried this with a simple C program as component that does nothing
> but loops infinitely. I.e. without it being setuid or doing other execle()
> etc. Even with the simple C binary, I see above behavior. So something
> different about using a executable rather than Java command as component
> ??? Should I execute the C binary component in different manner ?
>
> Any guidance on this will be really appreciated 
>
>
> Thanks,
>
> Manoj
>
> -- Forwarded message --
> From: Manoj Samel <manojsamelt...@gmail.com>
> Date: Thu, Apr 21, 2016 at 2:40 PM
> Subject: Need Help !: Run each component of application as different user
> To: dev@slider.incubator.apache.org
>
>
> Hi,
>
> See use case background below
>
> I have implemented option 2 mentioned below (as a C program deployed on
> nodes as setuid root binary). Need help in debugging issue I am seeing
>
> Without the setuid option, the execution is
>
> 1. Launch Slider AM as user "A"
> 2. Launch java component using command like "java -cp ". These run as
> user "A" as well. Things run well
>
> With setuid root option, the execution is
>
> 1. Launch slider AM as user "A" as before
> 2. Instead of launching java program as the component, launch the setuid
> program as a component. The program gets the end user name , say "B" as
> parameter. It does a setuid() and setgid() to user "B" (remember, its
> running as setuid root) and does a "execle()" for the java component,
> setting java parameters etc.
>
> The component comes up fine but I noticed that the "status" command fails
> ... Digging further, it seems that the parent process dies when I use the
> setuid
>
> With the normal execution, I noticed that there are two processes launched
> for a component on a node. The first process is "/bin/bash --login -c java
> ..." coming from my Execute() (which is traced to sliders
> resource_management/core/shell.py. The child process then is "java xxx".
> User for both processes is user "A"
>
> With the setuid execution, the parent process dies quickly. The child
> process gets orphaned and gets parent process ID as 1 (and is running as
> user "B")
>
> Any help in identifying why is the parent process dying ?
>
> Thanks in advance !!
>
> Manoj
>
> PS : Please ignore my last mail sent with same tit

Re: (2nd attempt) Need Help !: Run each component of application as different user

2016-04-25 Thread Josh Elser
I'm re-reading all of your prior messages (we're all volunteers here, so 
please be patient before resending messages asking for more prompt 
help). I'm confused as to your original goal.


You say you're using the Slider upgrade command to dynamically launch a 
new container in a Slider application on-demand? Why not just launch a 
new Slider application when a new user requests your service?


Also, you mentioned a couple of places where you thought the code was 
doing something incorrectly. Please feel free to create JIRA issues and 
provide a test+patch for the change you think would be better.


Manoj Samel wrote:

Hello Again !

One more observation .. hopefully that triggers some feedback from this
forum ...

1) Without the setuid option, the component Execute() command is "java -Dxx
-cp yy abc" etc. This runs fine. On the node running the component, I can
see this process as well its parent process as "/bin/bash --login -c java
-Dxx -cp yy abc" etc. So all is good and parent process is the shell as
expected

2) With the setuid option, the component Execute() command is not java but
the path to my C executable and its parameters e.g. "/a/b/processlauncher
arg1 arg2". When I run this, the parent of this dies quickly -- but I was
able to capture the parent process before it dies. The parent is NOT
"/bin/bash --login -c " as I was expecting but is "/usr/bin/python -S  START
/xxx/application_1461117905837_0276/container_e13_1461117905837_0276_01_02/command-2.json
/xxx/appcache/application_1461117905837_0276/filecache/11/spas-1.0.0.zip/package
/xyz/application_1461117905837_0276/container_e13_1461117905837_0276_01_02/structured-out-2.json
INFO
/foo/application_1461117905837_0276/container_e13_1461117905837_0276_01_02

It appears that when the component is a executable, rather than Java (as
was in case 1), it is run as Python script !  Any idea why ? Could this be
reason why the parent process is dying quickly ?

I also tried this with a simple C program as component that does nothing
but loops infinitely. I.e. without it being setuid or doing other execle()
etc. Even with the simple C binary, I see above behavior. So something
different about using a executable rather than Java command as component
??? Should I execute the C binary component in different manner ?

Any guidance on this will be really appreciated 


Thanks,

Manoj

-- Forwarded message --
From: Manoj Samel<manojsamelt...@gmail.com>
Date: Thu, Apr 21, 2016 at 2:40 PM
Subject: Need Help !: Run each component of application as different user
To: dev@slider.incubator.apache.org


Hi,

See use case background below

I have implemented option 2 mentioned below (as a C program deployed on
nodes as setuid root binary). Need help in debugging issue I am seeing

Without the setuid option, the execution is

1. Launch Slider AM as user "A"
2. Launch java component using command like "java -cp ". These run as
user "A" as well. Things run well

With setuid root option, the execution is

1. Launch slider AM as user "A" as before
2. Instead of launching java program as the component, launch the setuid
program as a component. The program gets the end user name , say "B" as
parameter. It does a setuid() and setgid() to user "B" (remember, its
running as setuid root) and does a "execle()" for the java component,
setting java parameters etc.

The component comes up fine but I noticed that the "status" command fails
... Digging further, it seems that the parent process dies when I use the
setuid

With the normal execution, I noticed that there are two processes launched
for a component on a node. The first process is "/bin/bash --login -c java
..." coming from my Execute() (which is traced to sliders
resource_management/core/shell.py. The child process then is "java xxx".
User for both processes is user "A"

With the setuid execution, the parent process dies quickly. The child
process gets orphaned and gets parent process ID as 1 (and is running as
user "B")

Any help in identifying why is the parent process dying ?

Thanks in advance !!

Manoj

PS : Please ignore my last mail sent with same title few minutes back. I
hit return by mistake when it was not complete :(

On Fri, Apr 8, 2016 at 10:30 AM, Manoj Samel<manojsamelt...@gmail.com>
wrote:


Hello,

Environment is slider .80 on Hadoop 2.6 secured cluster

A component is launched for each distinct user of the service (via
upgrade). E.g. when user A accesses service, do a "upgrade" and create a
component for user A. When user B comes, create another component for user
B etc.

At present, all of these components are launched&  run as single linux
user. What are the options to run each component as different user ?

Following are couple of options I can think of, each involving

(2nd attempt) Need Help !: Run each component of application as different user

2016-04-22 Thread Manoj Samel
Hello Again !

One more observation .. hopefully that triggers some feedback from this
forum ...

1) Without the setuid option, the component Execute() command is "java -Dxx
-cp yy abc" etc. This runs fine. On the node running the component, I can
see this process as well as its parent process as "/bin/bash --login -c java
-Dxx -cp yy abc" etc. So all is good and parent process is the shell as
expected

2) With the setuid option, the component Execute() command is not java but
the path to my C executable and its parameters e.g. "/a/b/processlauncher
arg1 arg2". When I run this, the parent of this dies quickly -- but I was
able to capture the parent process before it dies. The parent is NOT
"/bin/bash --login -c " as I was expecting but is "/usr/bin/python -S  START
/xxx/application_1461117905837_0276/container_e13_1461117905837_0276_01_02/command-2.json
/xxx/appcache/application_1461117905837_0276/filecache/11/spas-1.0.0.zip/package
/xyz/application_1461117905837_0276/container_e13_1461117905837_0276_01_02/structured-out-2.json
INFO
/foo/application_1461117905837_0276/container_e13_1461117905837_0276_01_02

It appears that when the component is an executable, rather than Java (as
was in case 1), it is run as Python script !  Any idea why ? Could this be
reason why the parent process is dying quickly ?

I also tried this with a simple C program as component that does nothing
but loops infinitely. I.e. without it being setuid or doing other execle()
etc. Even with the simple C binary, I see above behavior. So something
different about using an executable rather than Java command as component
??? Should I execute the C binary component in different manner ?

Any guidance on this will be really appreciated 


Thanks,

Manoj

-- Forwarded message --
From: Manoj Samel <manojsamelt...@gmail.com>
Date: Thu, Apr 21, 2016 at 2:40 PM
Subject: Need Help !: Run each component of application as different user
To: dev@slider.incubator.apache.org


Hi,

See use case background below

I have implemented option 2 mentioned below (as a C program deployed on
nodes as setuid root binary). Need help in debugging issue I am seeing

Without the setuid option, the execution is

1. Launch Slider AM as user "A"
2. Launch java component using command like "java -cp ". These run as
user "A" as well. Things run well

With setuid root option, the execution is

1. Launch slider AM as user "A" as before
2. Instead of launching java program as the component, launch the setuid
program as a component. The program gets the end user name , say "B" as
parameter. It does a setuid() and setgid() to user "B" (remember, its
running as setuid root) and does a "execle()" for the java component,
setting java parameters etc.

The component comes up fine but I noticed that the "status" command fails
... Digging further, it seems that the parent process dies when I use the
setuid

With the normal execution, I noticed that there are two processes launched
for a component on a node. The first process is "/bin/bash --login -c java
..." coming from my Execute() (which is traced to sliders
resource_management/core/shell.py. The child process then is "java xxx".
User for both processes is user "A"

With the setuid execution, the parent process dies quickly. The child
process gets orphaned and gets parent process ID as 1 (and is running as
user "B")

Any help in identifying why is the parent process dying ?

Thanks in advance !!

Manoj

PS : Please ignore my last mail sent with same title few minutes back. I
hit return by mistake when it was not complete :(

On Fri, Apr 8, 2016 at 10:30 AM, Manoj Samel <manojsamelt...@gmail.com>
wrote:

> Hello,
>
> Environment is slider .80 on Hadoop 2.6 secured cluster
>
> A component is launched for each distinct user of the service (via
> upgrade). E.g. when user A accesses service, do a "upgrade" and create a
> component for user A. When user B comes, create another component for user
> B etc.
>
> At present, all of these components are launched & run as single linux
> user. What are the options to run each component as different user ?
>
> Following are couple of options I can think of, each involving starting as
> root and then setting the uid / gid to the desired user
>
> 1. Launch the java command using "sudo". Then at the start, the Java
> program sets its real uid to the target user (passed as option to program)
> using a small C function used as JNI call. From then on, it runs as that
> effective user for rest of its life. One open research question is - Since
> sudo has to be run by a non-root user, then the sudoer need to be updated
> to allow this without password. Not yet sure what command should the sudoer
> s

Re: Need Help !: Run each component of application as different user

2016-04-21 Thread Manoj Samel
Forgot to mention some digging I did ... initially to check the status
check failures ...

In the component's python management script, for the status check call, I
had the status use the check_process_status() function provided by slider
and used in many examples ; like below ...

    def status(self, env):
        import xyz
        env.set_params(xyz)
        logger = self.getLogger()
        logger.info('*** method = status ***')
        check_process_status(xyz.pid_file)

    def start(self, env):
        import xyz
        env.set_params(xyz)
        self.configure(env)
        Execute( . )

Looking into check_process_status() implementation in
resource_management/libraries/functions/check_process_status.py; it reads
the pid file, gets the PID from it and does a kill(pid,0) on it to check
process status.

1) I think this check is not comprehensive. kill 0 can be sent to any
process belonging to that user. It does not need to be the component
process. E.g. if the component dies and another process started by that
user on cluster gets the same PID, the kill (pid,0) will succeed, which it
should not in this case. I think this should be tightened ...

2) When I switched the user running the component by using the setuid
option I mentioned, I thought the kill(pid,0) will fail since parent
process is the user who launched initial component process using "bash
--login -c xxx" (which is same as user who launches the slider AM) and
child process user is switched to some other user using the setuid program.
kill 0 to another user's process will fail. Hence I changed the status()
method in my component's python script to do my own check. The parent
process still dies ...

Is it correct to assume that the status check is done by the parent process
which is "/bin/bash --login ..." and which launches a subprocess as
specified in execute(). Can someone confirm this ?

On Thu, Apr 21, 2016 at 2:40 PM, Manoj Samel 
wrote:

> Hi,
>
> See use case background below
>
> I have implemented option 2 mentioned below (as a C program deployed on
> nodes as setuid root binary). Need help in debugging issue I am seeing
>
> Without the setuid option, the execution is
>
> 1. Launch Slider AM as user "A"
> 2. Launch java component using command like "java -cp ". These run as
> user "A" as well. Things run well
>
> With setuid root option, the execution is
>
> 1. Launch slider AM as user "A" as before
> 2. Instead of launching java program as the component, launch the setuid
> program as a component. The program gets the end user name , say "B" as
> parameter. It does a setuid() and setgid() to user "B" (remember, its
> running as setuid root) and does a "execle()" for the java component,
> setting java parameters etc.
>
> The component comes up fine but I noticed that the "status" command fails
> ... Digging further, it seems that the parent process dies when I use the
> setuid
>
> With the normal execution, I noticed that there are two processes launched
> for a component on a node. The first process is "/bin/bash --login -c
> java ..." coming from my Execute() (which is traced to sliders
> resource_management/core/shell.py. The child process then is "java xxx".
> User for both processes is user "A"
>
> With the setuid execution, the parent process dies quickly. The child
> process gets orphaned and gets parent process ID as 1 (and is running as
> user "B")
>
> Any help in identifying why is the parent process dying ?
>
> Thanks in advance !!
>
> Manoj
>
> PS : Please ignore my last mail sent with same title few minutes back. I
> hit return by mistake when it was not complete :(
>
> On Fri, Apr 8, 2016 at 10:30 AM, Manoj Samel 
> wrote:
>
>> Hello,
>>
>> Environment is slider .80 on Hadoop 2.6 secured cluster
>>
>> A component is launched for each distinct user of the service (via
>> upgrade). E.g. when user A accesses service, do a "upgrade" and create a
>> component for user A. When user B comes, create another component for user
>> B etc.
>>
>> At present, all of these components are launched & run as single linux
>> user. What are the options to run each component as different user ?
>>
>> Following are couple of options I can think of, each involving starting
>> as root and then setting the uid / gid to the desired user
>>
>> 1. Launch the java command using "sudo". Then at the start, the Java
>> program sets its real uid to the target user (passed as option to program)
>> using a small C function used as JNI call. From then on, it runs as that
>> effective user for rest of its life. One open research question is - Since
>> sudo has to be run by a non-root user, then the sudoer need to be updated
>> to allow this without password. Not yet sure what command should the sudoer
>> should contain, as this is launched by python class.
>>
>> 2. Have a C executable that is setUID root. Launch this executable as
>> component (with user as one of the parameter). The 
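
The two concerns this message raises about the kill(pid, 0) status check, as an added example that is not part of the original e-mail and is not Slider's code: it separates "no such process" from "exists but owned by another user" (EPERM), and it guards against PID reuse by comparing the start time in /proc/<pid>/stat with the one recorded at launch. It is written in C, the language of the launcher described in this thread, and assumes Linux /proc; all function names and the sample stat line are constructed for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

enum pid_state { PID_ERROR = -1, PID_GONE = 0, PID_ALIVE = 1, PID_ALIVE_OTHER_USER = 2 };

/* Constructed sample: comm contains spaces and ')' and ppid is 1 (orphaned). */
static const char SAMPLE_STAT[] =
    "4242 (java (my) app) S 1 4242 4242 0 -1 4194304 100 0 0 0 5 3 0 0 20 0 12 0 "
    "8675309 123456 789";

/* kill(pid, 0) sends nothing; it only runs the existence and permission
 * checks. EPERM means the process exists but belongs to another user, which
 * is what a checker running as user "A" sees for a component running as "B". */
enum pid_state probe_pid(pid_t pid)
{
    if (pid <= 0) return PID_ERROR;       /* 0 and negatives address process groups */
    if (kill(pid, 0) == 0) return PID_ALIVE;
    if (errno == EPERM) return PID_ALIVE_OTHER_USER;
    if (errno == ESRCH) return PID_GONE;
    return PID_ERROR;
}

/* Field 22 of /proc/<pid>/stat is the start time in clock ticks since boot.
 * Field 2 (comm) is parenthesised and may itself contain spaces or ')',
 * so parsing starts after the LAST ')'. Returns 0 on success, -1 on error. */
int parse_start_ticks(const char *stat_line, unsigned long long *out)
{
    const char *p = strrchr(stat_line, ')');
    if (!p) return -1;
    p++;
    for (int field = 3; field < 22; field++) {   /* skip fields 3..21 */
        while (*p == ' ') p++;
        if (*p == '\0') return -1;
        while (*p && *p != ' ') p++;
    }
    while (*p == ' ') p++;
    if (!isdigit((unsigned char)*p)) return -1;
    errno = 0;
    unsigned long long v = strtoull(p, NULL, 10);
    if (errno != 0) return -1;
    *out = v;
    return 0;
}

int read_start_ticks(pid_t pid, unsigned long long *out)
{
    char path[64], buf[1024];
    snprintf(path, sizeof path, "/proc/%ld/stat", (long)pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_start_ticks(buf, out);
}

/* Status check: the pid must exist AND still be the process instance whose
 * start time was stored next to the pid when the component was launched. */
int component_alive(pid_t pid, unsigned long long recorded_start)
{
    enum pid_state st = probe_pid(pid);
    if (st != PID_ALIVE && st != PID_ALIVE_OTHER_USER) return 0;
    unsigned long long now;
    if (read_start_ticks(pid, &now) != 0) return 0;
    return now == recorded_start;
}

int main(void)
{
    unsigned long long start, sample;
    if (parse_start_ticks(SAMPLE_STAT, &sample) == 0)
        printf("sample starttime=%llu\n", sample);
    if (read_start_ticks(getpid(), &start) != 0) {
        fputs("cannot read /proc for this process\n", stderr);
        return 1;
    }
    printf("self: state=%d same-instance=%d reused-pid=%d\n",
           probe_pid(getpid()),
           component_alive(getpid(), start),
           component_alive(getpid(), start + 1));
    return 0;
}
```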

Need Help !: Run each component of application as different user

2016-04-21 Thread Manoj Samel
Hi,

See use case background below

I have implemented option 2 mentioned below (as a C program deployed on
nodes as setuid root binary). Need help in debugging issue I am seeing

Without the setuid option, the execution is

1. Launch Slider AM as user "A"
2. Launch java component using command like "java -cp ". These run as
user "A" as well. Things run well

With setuid root option, the execution is

1. Launch slider AM as user "A" as before
2. Instead of launching java program as the component, launch the setuid
program as a component. The program gets the end user name , say "B" as
parameter. It does a setuid() and setgid() to user "B" (remember, it's
running as setuid root) and does a "execle()" for the java component,
setting java parameters etc.

The component comes up fine but I noticed that the "status" command fails
... Digging further, it seems that the parent process dies when I use the
setuid

With the normal execution, I noticed that there are two processes launched
for a component on a node. The first process is "/bin/bash --login -c java
..." coming from my Execute() (which is traced to Slider's
resource_management/core/shell.py). The child process then is "java xxx".
User for both processes is user "A"

With the setuid execution, the parent process dies quickly. The child
process gets orphaned and gets parent process ID as 1 (and is running as
user "B")

Any help in identifying why is the parent process dying ?

Thanks in advance !!

Manoj

PS : Please ignore my last mail sent with same title few minutes back. I
hit return by mistake when it was not complete :(

On Fri, Apr 8, 2016 at 10:30 AM, Manoj Samel 
wrote:

> Hello,
>
> Environment is slider .80 on Hadoop 2.6 secured cluster
>
> A component is launched for each distinct user of the service (via
> upgrade). E.g. when user A accesses service, do a "upgrade" and create a
> component for user A. When user B comes, create another component for user
> B etc.
>
> At present, all of these components are launched & run as single linux
> user. What are the options to run each component as different user ?
>
> Following are couple of options I can think of, each involving starting as
> root and then setting the uid / gid to the desired user
>
> 1. Launch the java command using "sudo". Then at the start, the Java
> program sets its real uid to the target user (passed as option to program)
> using a small C function used as JNI call. From then on, it runs as that
> effective user for rest of its life. One open research question is - Since
> sudo has to be run by a non-root user, then the sudoer need to be updated
> to allow this without password. Not yet sure what command should the sudoer
> should contain, as this is launched by python class.
>
> 2. Have a C executable that is setUID root. Launch this executable as
> component (with user as one of the parameter). The first thing it does is
> drops its UID to the target user and then does a exec "java xxx", running
> java as the target user
>
> Any other out-of-box options ?
> In resource_management/core/resources/system.py, I noticed that class
> Execute can take a parameter "user" <  user = ResourceArgument() >. Its not
> clear if and how this could be used. In core/shell.py, the logic around
> "user" is commented out with comment " Do not su to the supplied user" ..
>
> Any feedback on approach / pros / cons / potential issues will be
> appreciated !
>
> Thanks,
>
> Manoj
>
>
>


Need help !: Run each component of application as different user

2016-04-21 Thread Manoj Samel
Hi,


See use case background below

I have implemented option 2 below. Need help in debugging issue I am seeing

Without the setuid option, the execution is

1. Launch Slider AM as user "A"
2. Launch java component using command like "java -cp ". These run as
user "A" as well

With setuid root option, the execution is

1. Launch slider AM as user "A" as before
2. Instead of launching java program as the component, launch the setuid
program as a component. The program gets the end user name , say "B" as
parameter.
It does a set_user to "B" and does a "exec" for the java component




On Fri, Apr 8, 2016 at 10:30 AM, Manoj Samel 
wrote:

> Hello,
>
> Environment is slider .80 on Hadoop 2.6 secured cluster
>
> A component is launched for each distinct user of the service (via
> upgrade). E.g. when user A accesses service, do a "upgrade" and create a
> component for user A. When user B comes, create another component for user
> B etc.
>
> At present, all of these components are launched & run as single linux
> user. What are the options to run each component as different user ?
>
> Following are couple of options I can think of, each involving starting as
> root and then setting the uid / gid to the desired user
>
> 1. Launch the java command using "sudo". Then at the start, the Java
> program sets its real uid to the target user (passed as option to program)
> using a small C function used as JNI call. From then on, it runs as that
> effective user for rest of its life. One open research question is - Since
> sudo has to be run by a non-root user, then the sudoer need to be updated
> to allow this without password. Not yet sure what command should the sudoer
> should contain, as this is launched by python class.
>
> 2. Have a C executable that is setUID root. Launch this executable as
> component (with user as one of the parameter). The first thing it does is
> drops its UID to the target user and then does a exec "java xxx", running
> java as the target user
>
> Any other out-of-box options ?
> In resource_management/core/resources/system.py, I noticed that class
> Execute can take a parameter "user" <  user = ResourceArgument() >. Its not
> clear if and how this could be used. In core/shell.py, the logic around
> "user" is commented out with comment " Do not su to the supplied user" ..
>
> Any feedback on approach / pros / cons / potential issues will be
> appreciated !
>
> Thanks,
>
> Manoj
>
>
>


Re: Run each component of application as different user

2016-04-11 Thread Manoj Samel
Any thoughts ? Feedback ?

On Fri, Apr 8, 2016 at 10:30 AM, Manoj Samel 
wrote:

> Hello,
>
> Environment is slider .80 on Hadoop 2.6 secured cluster
>
> A component is launched for each distinct user of the service (via
> upgrade). E.g. when user A accesses service, do a "upgrade" and create a
> component for user A. When user B comes, create another component for user
> B etc.
>
> At present, all of these components are launched & run as single linux
> user. What are the options to run each component as different user ?
>
> Following are couple of options I can think of, each involving starting as
> root and then setting the uid / gid to the desired user
>
> 1. Launch the java command using "sudo". Then at the start, the Java
> program sets its real uid to the target user (passed as option to program)
> using a small C function used as JNI call. From then on, it runs as that
> effective user for rest of its life. One open research question is - Since
> sudo has to be run by a non-root user, then the sudoer need to be updated
> to allow this without password. Not yet sure what command should the sudoer
> should contain, as this is launched by python class.
>
> 2. Have a C executable that is setUID root. Launch this executable as
> component (with user as one of the parameter). The first thing it does is
> drops its UID to the target user and then does a exec "java xxx", running
> java as the target user
>
> Any other out-of-box options ?
> In resource_management/core/resources/system.py, I noticed that class
> Execute can take a parameter "user" <  user = ResourceArgument() >. Its not
> clear if and how this could be used. In core/shell.py, the logic around
> "user" is commented out with comment " Do not su to the supplied user" ..
>
> Any feedback on approach / pros / cons / potential issues will be
> appreciated !
>
> Thanks,
>
> Manoj
>
>
>


Run each component of application as different user

2016-04-08 Thread Manoj Samel
Hello,

Environment is slider .80 on Hadoop 2.6 secured cluster

A component is launched for each distinct user of the service (via
upgrade). E.g. when user A accesses service, do a "upgrade" and create a
component for user A. When user B comes, create another component for user
B etc.

At present, all of these components are launched & run as single linux
user. What are the options to run each component as different user ?

Following are couple of options I can think of, each involving starting as
root and then setting the uid / gid to the desired user

1. Launch the java command using "sudo". Then at the start, the Java
program sets its real uid to the target user (passed as option to program)
using a small C function used as JNI call. From then on, it runs as that
effective user for rest of its life. One open research question is - Since
sudo has to be run by a non-root user, then the sudoer needs to be updated
to allow this without password. Not yet sure what command the sudoer
should contain, as this is launched by python class.

2. Have a C executable that is setUID root. Launch this executable as
component (with user as one of the parameter). The first thing it does is
drops its UID to the target user and then does a exec "java xxx", running
java as the target user

Any other out-of-box options ?
In resource_management/core/resources/system.py, I noticed that class
Execute can take a parameter "user" <  user = ResourceArgument() >. It's not
clear if and how this could be used. In core/shell.py, the logic around
"user" is commented out with comment " Do not su to the supplied user" ..

Any feedback on approach / pros / cons / potential issues will be
appreciated !

Thanks,

Manoj
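
A sketch of the option 2 launcher with the checks a setuid-root binary that takes a user name as a parameter needs, as an added example that is not the poster's program and not Slider code: it restricts who may invoke it, validates the name, refuses root and system accounts, drops groups before the uid, verifies the drop, and starts java with a fixed environment. `ALLOWED_CALLER`, `MIN_TARGET_UID` and `JAVA_BIN` are assumed values, and `execve` is used in place of `execle` so the argument vector can be passed through.

```c
/* Added example: setuid-root launcher for "option 2". Values marked
 * "assumption" are illustrative and do not come from the thread. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE               /* exposes initgroups() under strict -std= */
#endif
#include <ctype.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define ALLOWED_CALLER "slider-am"    /* assumption: account the Slider AM runs as (user "A") */
#define MIN_TARGET_UID 1000           /* assumption: lowest non-system uid on the nodes */
#define JAVA_BIN "/usr/bin/java"      /* assumption: absolute path, never looked up via PATH */

/* Accept only conservative login names so the argument cannot carry
 * paths, option-like strings or shell metacharacters. */
int valid_username(const char *s)
{
    size_t n = s ? strlen(s) : 0;
    if (n == 0 || n > 32) return 0;
    if (!(islower((unsigned char)s[0]) || s[0] == '_')) return 0;
    for (size_t i = 1; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(islower(c) || isdigit(c) || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Never switch to root, to a system account, or to the root group. */
int target_allowed(uid_t uid, gid_t gid)
{
    return uid >= MIN_TARGET_UID && gid != 0;
}

/* Permanently drop from root to pw. Order matters: supplementary groups,
 * then gid, then uid. Once the uid is dropped the group calls would fail,
 * leaving root's groups attached to the unprivileged process. */
int drop_to(const struct passwd *pw)
{
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    /* Verify the result instead of trusting the return codes alone. */
    if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) return -1;
    if (getgid() != pw->pw_gid || getegid() != pw->pw_gid) return -1;
    if (setuid(0) == 0) return -1;    /* regaining root must be impossible */
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s <user> <java-arg>...\n", argv[0]);
        return 2;
    }
    /* In a setuid program the real uid is still the invoker: only the
     * service account may use this binary. */
    struct passwd *caller = getpwnam(ALLOWED_CALLER);
    if (!caller || getuid() != caller->pw_uid) {
        fputs("caller not permitted\n", stderr);
        return 1;
    }
    if (!valid_username(argv[1])) {
        fputs("invalid user name\n", stderr);
        return 1;
    }
    struct passwd *pw = getpwnam(argv[1]);
    if (!pw || !target_allowed(pw->pw_uid, pw->pw_gid)) {
        fputs("target user not permitted\n", stderr);
        return 1;
    }
    if (drop_to(pw) != 0) {
        perror("drop privileges");
        return 1;
    }
    /* Fixed, minimal environment: nothing inherited from the caller
     * (LD_PRELOAD, JAVA_TOOL_OPTIONS and the like) reaches the JVM. */
    char home[512], user[64];
    snprintf(home, sizeof home, "HOME=%s", pw->pw_dir);
    snprintf(user, sizeof user, "USER=%s", pw->pw_name);
    char *envp[] = { "PATH=/usr/bin:/bin", home, user, NULL };

    argv[1] = "java";                 /* becomes argv[0] of the JVM */
    execve(JAVA_BIN, &argv[1], envp); /* replaces this process; returns only on error */
    perror("execve");
    return 127;
}
```

The java arguments are still supplied by the caller, so the restriction to `ALLOWED_CALLER` is what keeps an arbitrary local user from running code as any other account through this binary.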