Hi Tomasz! I believe that's true. Ravi
On Tuesday, June 30, 2015 4:56 AM, Tomasz Fruboes <tomasz.frub...@fuw.edu.pl> wrote: Dear Ravi, thanks for answer. I went through the discussion in the ticket you mention and did some experimentation. My understanding is the following - as long as I dont explicitly allow for this using hadoop.proxyuser.username.groups hadoop.proxyuser.username.hosts user processes spawned by yarn on worknodes will always run with the uid of that user. Is that right? Thanks, Tomasz W dniu 29.06.2015 o 21:43, Ravi Prakash pisze: > Hi Tomasz! > > It is tricky to set up, but there are no implications to security if you > configure it correctly. Please read the discussion on [YARN-2424] LCE > should support non-cgroups, non-secure mode - ASF JIRA > <https://issues.apache.org/jira/browse/YARN-2424> > > HTH > Ravi > > > > > [YARN-2424] LCE should support non-cgroups, non-secure mode - ASF JIRA > <https://issues.apache.org/jira/browse/YARN-2424> > After YARN-1253, LCE no longer works for non-secure, non-cgroup scenarios. > View on issues.apache.org <https://issues.apache.org/jira/browse/YARN-2424> > > Preview by Yahoo > > > > > > > On Thursday, June 25, 2015 2:30 AM, Tomasz Fruboes > <tomasz.frub...@fuw.edu.pl> wrote: > > > Dear Experts, > > I'm running a small YARN cluster configured to use simple security, > LinuxContainerExecutor and > > > yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users=false > > in order to get correct uid when executing jobs. This is needed to > access files from network exported filesystem. > > I was wondering - does this posses any security risk (since > nonsecure-mode.limit is set to true by default in the simple security > mode)? I.e. is there a known way for a user to get uid of different user > with such configuration? > > Cheers, > Tomasz > > >