[ https://issues.apache.org/jira/browse/YARN-1943?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Alejandro Abdelnur moved HADOOP-10505 to YARN-1943: --------------------------------------------------- Component/s: (was: security) nodemanager Fix Version/s: (was: 2.3.0) 2.3.0 Affects Version/s: (was: 2.3.0) 2.3.0 Key: YARN-1943 (was: HADOOP-10505) Project: Hadoop YARN (was: Hadoop Common) > Multitenant LinuxContainerExecutor is incompatible with Simple Security mode. > ----------------------------------------------------------------------------- > > Key: YARN-1943 > URL: https://issues.apache.org/jira/browse/YARN-1943 > Project: Hadoop YARN > Issue Type: Bug > Components: nodemanager > Affects Versions: 2.3.0 > Reporter: jay vyas > Priority: Critical > Labels: linux > Fix For: 2.3.0 > > > As of hadoop 2.3.0, commit cc74a18c makes it so that nonsecureLocalUser > replaces the user who submits a job if security is disabled: > {noformat} > return UserGroupInformation.isSecurityEnabled() ? user : nonsecureLocalUser; > {noformat} > However, the only way to enable security, is to NOT use SIMPLE authentication > mode: > {noformat} > public static boolean isSecurityEnabled() { > return !isAuthenticationMethodEnabled(AuthenticationMethod.SIMPLE); > } > {noformat} > > Thus, the framework ENFORCES that "SIMPLE" login security --> nonSecureuser > for submission of LinuxExecutorContainer. > This results in a confusing issue, wherein we submit a job as "sally" and > then get an exception that user "nobody" is not whitelisted and has UID < > MAX_ID. > My proposed solution is that we should be able to leverage > LinuxContainerExector regardless of hadoop's view of the security settings on > the cluster, i.e. decouple LinuxContainerExecutor logic from the > "isSecurityEnabled" return value. -- This message was sent by Atlassian JIRA (v6.2#6252)