Hi Kevin,
The check that’s carried out is the following(pseudo-code) -
If(user_id < min_user_id && user_not_in_allowed_system_users) {
return “user banned”;
}
If(user_in_banned_users_list) {
return “user banned”;
}
In your case, you can either bump up the min user id to a higher number and add
the users to the allowed.system.users list or just add the user you want to
remove to the banned.users list.
-Varun
> On 07-Aug-2017, at 7:47 AM, Kevin Buckley
> <kevin.buckley.ecs.vuw.ac...@gmail.com> wrote:
>
> Hi again
>
> early on in my attempts to Kerberise our Hadoop instance, I had seen an
> error message that suggested I needed to add a list of users who could
> run jobs into the last line of Hadoop's
>
> container-executor.cfg
>
> for which the default content is
>
> yarn.nodemanager.linux-container-executor.group=#configured value of
> yarn.nodemanager.linux-container-executor.group
> banned.users=#comma separated list of users who can not run applications
> min.user.id=1000#Prevent other super-users
> allowed.system.users=##comma separated list of system users who CAN
> run applications
>
>
> and after I had dropped the min.user.id to allow for the yarn user in
> our systems to run jobs AND added a list of users higher than that,
> those other users were able to run jobs.
>
> I now came to test out removing a user from the "allowed" list and I
> can't seem to prevent that user from running MapReduce jobs, no
> matter which of the various daemons I stop and start, including
> shutting down and restarting the whole thing.
>
> Should I be reading that
>
> allowed.system.users=
>
> list to be a list of UIDs from BELOW the
>
> min.user.id=
>
> list, rather than an actual "only allow users in the list" to run jobs list ?
>
> Clealry, one can't run jobs if one doesn't have access to directories
> to put data into, so that's a kind of "job control" ACL of itself but I
> was hoping that the underlying HDFS might contain a wider set of
> users than those allowed to run jobs at any given time, in which case,
> altering the ability via the
>
> container-executor.cfg
>
> list seemed a simple way to achieve that.
>
> Any clues/insight welcome,
> Kevin
>
> ---
> Kevin M. Buckley
>
> eScience Consultant
> School of Engineering and Computer Science
> Victoria University of Wellington
> New Zealand
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscr...@hadoop.apache.org
> For additional commands, e-mail: user-h...@hadoop.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@hadoop.apache.org
For additional commands, e-mail: user-h...@hadoop.apache.org
