[jira] [Comment Edited] (HADOOP-13673) Update scripts to be smarter when running with privilege
[ https://issues.apache.org/jira/browse/HADOOP-13673?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15801942#comment-15801942 ]

Allen Wittenauer edited comment on HADOOP-13673 at 1/5/17 5:25 PM:
---

-03:
* if the su operation isn't expected to return, then callers must do their own exec or exit or whatever. This ends up being a lot simpler than adding a param that will likely be false.
* abs MYNAME so that if the command given is a relative path, we can su correctly. e.g., as root calling "hadoop/bin/hdfs namenode" would fail since su would try to call hadoop/bin/hdfs which was no longer the correct path

At this point, I think everything is working and this should get reviewed.

was (Author: aw):
-03:
* if the su operation isn't expected to return, then callers must do their own exec or exit or whatever. This ends up being a lot simpler than adding a param that will likely be false.
* abs MYNAME so that if the command given is a relative path, we can su correct. e.g., as root calling "hadoop/bin/hdfs namenode" would fail since su would try to call hadoop/bin/hdfs which was no longer the correct path

At this point, I think everything is working and this should get reviewed.

> Update scripts to be smarter when running with privilege
>
> Key: HADOOP-13673
> URL: https://issues.apache.org/jira/browse/HADOOP-13673
> Project: Hadoop Common
> Issue Type: Bug
> Components: scripts
> Affects Versions: 3.0.0-alpha1, 3.0.0-alpha2
> Reporter: Allen Wittenauer
> Assignee: Allen Wittenauer
> Labels: security
> Attachments: HADOOP-13673.00.patch, HADOOP-13673.01.patch, HADOOP-13673.02.patch, HADOOP-13673.03.patch
>
> As work continues on HADOOP-13397, it's become evident that we need better hooks to start daemons as specifically configured users. Via the (command)_(subcommand)_USER environment variables in 3.x, we actually have a standardized way to do that. This in turn means we can make the sbin scripts super functional with a bit of updating:
> * Consolidate start-dfs.sh and start-secure-dns.sh into one script
> * Make start-\*.sh and stop-\*.sh know how to switch users when run as root
> * Undeprecate start/stop-all.sh so that it could be used as root for production purposes and as a single user for non-production users

--
This message was sent by Atlassian JIRA (v6.3.4#6332)

To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
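
The relative-path failure described in the -03 comment, combined with the (command)_(subcommand)_USER lookup from the issue description, as an added shell sketch. It is not code from the HADOOP-13673 patches; the function names are hypothetical, and refusing to run as root when no *_USER variable is set is an assumption of this sketch.

```sh
# Added illustration, not Hadoop's shell code; all function names are hypothetical.

# hdfs + namenode -> HDFS_NAMENODE_USER (the (command)_(subcommand)_USER convention)
user_var_name() {
  printf '%s_%s_USER' "$1" "$2" | tr '[:lower:]' '[:upper:]' | tr -c 'A-Z0-9_' '_'
}

# Value of that variable, or empty. The name is restricted to [A-Z0-9_] above,
# so the eval only ever dereferences a plain variable name.
configured_user() {
  _var=$(user_var_name "$1" "$2")
  case "$_var" in [0-9]*) return 1 ;; esac
  eval "printf '%s' \"\${${_var}:-}\""
}

# Resolve the invoked name to an absolute path before any user switch, so a
# relative invocation such as "hadoop/bin/hdfs" still resolves afterwards.
abs_path() {
  case "$1" in
    /*)  printf '%s' "$1" ;;
    */*) _dir=$(cd -P -- "$(dirname -- "$1")" && pwd -P) || return 1
         printf '%s/%s' "$_dir" "$(basename -- "$1")" ;;
    *)   command -v "$1" ;;
  esac
}

# Print the launch decision; nothing is executed.
#   plan_launch <invoked-as> <uid> <subcommand>
plan_launch() {
  _prog=$(abs_path "$1") || return 1
  _want=$(configured_user "$(basename -- "$_prog")" "$3")
  if [ "$2" -ne 0 ]; then
    printf 'as=caller %s %s' "$_prog" "$3"     # unprivileged: no switch possible
  elif [ -z "$_want" ]; then
    printf 'refuse %s %s' "$_prog" "$3"        # assumption: root needs an explicit *_USER
    return 1
  elif [ "$_want" = root ]; then
    printf 'as=root %s %s' "$_prog" "$3"       # explicit opt-in via *_USER=root
  else
    printf 'as=%s %s %s' "$_want" "$_prog" "$3"  # switch user, absolute path
  fi
}
```

Resolving the path before the switch matters because the working directory after su is not guaranteed to be the one the relative path was typed in.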
[jira] [Comment Edited] (HADOOP-13673) Update scripts to be smarter when running with privilege
[ https://issues.apache.org/jira/browse/HADOOP-13673?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15742849#comment-15742849 ]

Allen Wittenauer edited comment on HADOOP-13673 at 12/12/16 7:17 PM:
---

-02:
* minor bug fixes
* add unit tests
* doc fixes
* shellcheck fixes
* verified that users can run daemons as root if they set _USER=root (as ill-advised as that is)

was (Author: aw):
-02:
* minor bug fixes
* add unit tests
* doc fixes
* shellcheck fixes
[jira] [Comment Edited] (HADOOP-13673) Update scripts to be smarter when running with privilege
[ https://issues.apache.org/jira/browse/HADOOP-13673?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15712531#comment-15712531 ]

Allen Wittenauer edited comment on HADOOP-13673 at 12/1/16 5:38 PM:
---

-01:
* some basic docs
* hdfs/yarn/hadoop now support account switching
* various bugs

Some things I've been doing for testing:

hadoop-env.sh:
{code}
HDFS_NAMENODE_USER=hdfs
HDFS_DATANODE_USER=root
HDFS_DATANODE_SECURE_USER=hdfs
YARN_RESOURCEMANAGER_USER=yarn
{code}

{code}
root# yarn --daemon start resourcemanager
yarn$ yarn --daemon start resourcemanager
root# hdfs --daemon start datanode
hdfs$ hdfs --daemon start namenode
root# sbin/start-all.sh
root# sbin/stop-all.sh
hdfs$ start-dfs.sh
root# start-dfs.sh
yarn$ start-yarn.sh
root# start-yarn.sh
{code}

TODO:
* verify that users can run daemons as root if they set _USER=root

was (Author: aw):
-01:
* some basic docs
* hdfs/yarn/hadoop now support account switching
* various bugs

Some things I've been doing for testing:

hadoop-env.sh:
{code}
HDFS_NAMENODE_USER=hdfs
HDFS_DATANODE_USER=root
HDFS_DATANODE_SECURE_USER=hdfs
YARN_RESOURCEMANAGER_USER=yarn
{code}

{code}
root# yarn --daemon start resourcemanager
yarn$ yarn --daemon start resourcemanager
root# hdfs --daemon start datanode
hdfs$ hdfs --daemon start namenode
root# sbin/start-all.sh
root# sbin/stop-all.sh
hdfs$ start-dfs.sh
root# start-dfs.sh
yarn$ start-yarn.sh
root# start-yarn.sh
{code}
[jira] [Comment Edited] (HADOOP-13673) Update scripts to be smarter when running with privilege
[ https://issues.apache.org/jira/browse/HADOOP-13673?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15712531#comment-15712531 ]

Allen Wittenauer edited comment on HADOOP-13673 at 12/1/16 5:35 PM:
---

-01:
* some basic docs
* hdfs/yarn/hadoop now support account switching
* various bugs

Some things I've been doing for testing:

hadoop-env.sh:
{code}
HDFS_NAMENODE_USER=hdfs
HDFS_DATANODE_USER=root
HDFS_DATANODE_SECURE_USER=hdfs
YARN_RESOURCEMANAGER_USER=yarn
{code}

{code}
root# yarn --daemon start resourcemanager
yarn$ yarn --daemon start resourcemanager
root# hdfs --daemon start datanode
hdfs$ hdfs --daemon start namenode
root# sbin/start-all.sh
root# sbin/stop-all.sh
hdfs$ start-dfs.sh
root# start-dfs.sh
yarn$ start-yarn.sh
root# start-yarn.sh
{code}

was (Author: aw):
-01:
* some basic docs
* hdfs/yarn/hadoop now support accoutn switching
* various bugs