[jira] [Comment Edited] (HADOOP-13673) Update scripts to be smarter when running with privilege
[ https://issues.apache.org/jira/browse/HADOOP-13673?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15801942#comment-15801942 ] Allen Wittenauer edited comment on HADOOP-13673 at 1/5/17 5:25 PM: --- -03: * if the su operation isn't expected to return, then callers must do their own exec or exit or whatever. This ends up being a lot simpler than adding a param that will likely be false. * abs MYNAME so that if the command given is a relative path, we can su correctly. e.g., as root calling "hadoop/bin/hdfs namenode" would fail since su would try to call hadoop/bin/hdfs which was no longer the correct path At this point, I think everything is working and this should get reviewed. was (Author: aw): -03: * if the su operation isn't expected to return, then callers must do their own exec or exit or whatever. This ends up being a lot simpler than adding a param that will likely be false. * abs MYNAME so that if the command given is a relative path, we can su correct. e.g., as root calling "hadoop/bin/hdfs namenode" would fail since su would try to call hadoop/bin/hdfs which was no longer the correct path At this point, I think everything is working and this should get reviewed. > Update scripts to be smarter when running with privilege > > > Key: HADOOP-13673 > URL: https://issues.apache.org/jira/browse/HADOOP-13673 > Project: Hadoop Common > Issue Type: Bug > Components: scripts >Affects Versions: 3.0.0-alpha1, 3.0.0-alpha2 >Reporter: Allen Wittenauer >Assignee: Allen Wittenauer > Labels: security > Attachments: HADOOP-13673.00.patch, HADOOP-13673.01.patch, > HADOOP-13673.02.patch, HADOOP-13673.03.patch > > > As work continues on HADOOP-13397, it's become evident that we need better > hooks to start daemons as specifically configured users. Via the > (command)_(subcommand)_USER environment variables in 3.x, we actually have a > standardized way to do that. This in turn means we can make the sbin scripts > super functional with a bit of updating: > * Consolidate start-dfs.sh and start-secure-dns.sh into one script > * Make start-\*.sh and stop-\*.sh know how to switch users when run as root > * Undeprecate start/stop-all.sh so that it could be used as root for > production purposes and as a single user for non-production users -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Comment Edited] (HADOOP-13673) Update scripts to be smarter when running with privilege
[ https://issues.apache.org/jira/browse/HADOOP-13673?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15742849#comment-15742849 ] Allen Wittenauer edited comment on HADOOP-13673 at 12/12/16 7:17 PM: - -02: * minor bug fixes * add unit tests * doc fixes * shellcheck fixes * verified that users can run daemons as root if they set _USER=root (as ill-advised as that is) was (Author: aw): -02: * minor bug fixes * add unit tests * doc fixes * shellcheck fixes > Update scripts to be smarter when running with privilege > > > Key: HADOOP-13673 > URL: https://issues.apache.org/jira/browse/HADOOP-13673 > Project: Hadoop Common > Issue Type: Bug > Components: scripts >Affects Versions: 3.0.0-alpha1, 3.0.0-alpha2 >Reporter: Allen Wittenauer >Assignee: Allen Wittenauer > Attachments: HADOOP-13673.00.patch, HADOOP-13673.01.patch, > HADOOP-13673.02.patch > > > As work continues on HADOOP-13397, it's become evident that we need better > hooks to start daemons as specifically configured users. Via the > (command)_(subcommand)_USER environment variables in 3.x, we actually have a > standardized way to do that. This in turn means we can make the sbin scripts > super functional with a bit of updating: > * Consolidate start-dfs.sh and start-secure-dns.sh into one script > * Make start-\*.sh and stop-\*.sh know how to switch users when run as root > * Undeprecate start/stop-all.sh so that it could be used as root for > production purposes and as a single user for non-production users -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Comment Edited] (HADOOP-13673) Update scripts to be smarter when running with privilege
[
https://issues.apache.org/jira/browse/HADOOP-13673?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15712531#comment-15712531
]
Allen Wittenauer edited comment on HADOOP-13673 at 12/1/16 5:38 PM:
-01:
* some basic docs
* hdfs/yarn/hadoop now support account switching
* various bugs
Some things I've been doing for testing:
hadoop-env.sh:
{code}
HDFS_NAMENODE_USER=hdfs
HDFS_DATANODE_USER=root
HDFS_DATANODE_SECURE_USER=hdfs
YARN_RESOURCEMANAGER_USER=yarn
{code}
{code}
root# yarn --daemon start resourcemanager
yarn$ yarn --daemon start resourcemanager
root# hdfs --daemon start datanode
hdfs$ hdfs --daemon start namenode
root# sbin/start-all.sh
root# sbin/stop-all.sh
hdfs$ start-dfs.sh
root# start-dfs.sh
yarn$ start-yarn.sh
root# start-yarn.sh
{code}
TODO:
* verify that users can run daemons as root if they set _USER=root
was (Author: aw):
-01:
* some basic docs
* hdfs/yarn/hadoop now support account switching
* various bugs
Some things I've been doing for testing:
hadoop-env.sh:
{code}
HDFS_NAMENODE_USER=hdfs
HDFS_DATANODE_USER=root
HDFS_DATANODE_SECURE_USER=hdfs
YARN_RESOURCEMANAGER_USER=yarn
{code}
{code}
root# yarn --daemon start resourcemanager
yarn$ yarn --daemon start resourcemanager
root# hdfs --daemon start datanode
hdfs$ hdfs --daemon start namenode
root# sbin/start-all.sh
root# sbin/stop-all.sh
hdfs$ start-dfs.sh
root# start-dfs.sh
yarn$ start-yarn.sh
root# start-yarn.sh
{code}
> Update scripts to be smarter when running with privilege
>
>
> Key: HADOOP-13673
> URL: https://issues.apache.org/jira/browse/HADOOP-13673
> Project: Hadoop Common
> Issue Type: Bug
> Components: scripts
>Affects Versions: 3.0.0-alpha1, 3.0.0-alpha2
>Reporter: Allen Wittenauer
>Assignee: Allen Wittenauer
> Attachments: HADOOP-13673.00.patch, HADOOP-13673.01.patch
>
>
> As work continues on HADOOP-13397, it's become evident that we need better
> hooks to start daemons as specifically configured users. Via the
> (command)_(subcommand)_USER environment variables in 3.x, we actually have a
> standardized way to do that. This in turn means we can make the sbin scripts
> super functional with a bit of updating:
> * Consolidate start-dfs.sh and start-secure-dns.sh into one script
> * Make start-\*.sh and stop-\*.sh know how to switch users when run as root
> * Undeprecate start/stop-all.sh so that it could be used as root for
> production purposes and as a single user for non-production users
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Comment Edited] (HADOOP-13673) Update scripts to be smarter when running with privilege
[
https://issues.apache.org/jira/browse/HADOOP-13673?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15712531#comment-15712531
]
Allen Wittenauer edited comment on HADOOP-13673 at 12/1/16 5:35 PM:
-01:
* some basic docs
* hdfs/yarn/hadoop now support account switching
* various bugs
Some things I've been doing for testing:
hadoop-env.sh:
{code}
HDFS_NAMENODE_USER=hdfs
HDFS_DATANODE_USER=root
HDFS_DATANODE_SECURE_USER=hdfs
YARN_RESOURCEMANAGER_USER=yarn
{code}
{code}
root# yarn --daemon start resourcemanager
yarn$ yarn --daemon start resourcemanager
root# hdfs --daemon start datanode
hdfs$ hdfs --daemon start namenode
root# sbin/start-all.sh
root# sbin/stop-all.sh
hdfs$ start-dfs.sh
root# start-dfs.sh
yarn$ start-yarn.sh
root# start-yarn.sh
{code}
was (Author: aw):
-01:
* some basic docs
* hdfs/yarn/hadoop now support accoutn switching
* various bugs
> Update scripts to be smarter when running with privilege
>
>
> Key: HADOOP-13673
> URL: https://issues.apache.org/jira/browse/HADOOP-13673
> Project: Hadoop Common
> Issue Type: Bug
> Components: scripts
>Affects Versions: 3.0.0-alpha1, 3.0.0-alpha2
>Reporter: Allen Wittenauer
>Assignee: Allen Wittenauer
> Attachments: HADOOP-13673.00.patch, HADOOP-13673.01.patch
>
>
> As work continues on HADOOP-13397, it's become evident that we need better
> hooks to start daemons as specifically configured users. Via the
> (command)_(subcommand)_USER environment variables in 3.x, we actually have a
> standardized way to do that. This in turn means we can make the sbin scripts
> super functional with a bit of updating:
> * Consolidate start-dfs.sh and start-secure-dns.sh into one script
> * Make start-\*.sh and stop-\*.sh know how to switch users when run as root
> * Undeprecate start/stop-all.sh so that it could be used as root for
> production purposes and as a single user for non-production users
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
