[jira] [Updated] (YARN-4336) YARN NodeManager - Container Initialization - Excessive load on NSS/LDAP
[ https://issues.apache.org/jira/browse/YARN-4336?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Feng Yuan updated YARN-4336:

Description:

Hi folks, after performing some debug for our Unix Engineering and Active Directory teams it was discovered that on YARN Container Initialization a call via Hadoop Common AccessControlList.java:

{code}
for(String group: ugi.getGroupNames()) {
  if (groups.contains(group)) {
    return true;
  }
}
{code}

Unfortunately with the security call to check access on "appattempt_X_X_X" will always return false but will make unnecessary calls to NameSwitch service on Linux which will call things like SSSD/Quest VASD which will then initiate LDAP calls looking for non-existent userids causing excessive load on LDAP.

For now our tactical workaround is as follows:

Example of VASD Debug log showing the lookups for one task attempt 32 of them:

{code}
  // Needs java.util.regex.Pattern and java.util.regex.Matcher imported in AccessControlList.java.
  /**
   * Checks if a user represented by the provided {@link UserGroupInformation}
   * is a member of the Access Control List
   * @param ugi UserGroupInformation to check if contained in the ACL
   * @return true if ugi is member of the list
   */
  public final boolean isUserInList(UserGroupInformation ugi) {
    if (allAllowed || users.contains(ugi.getShortUserName())) {
      return true;
    } else {
      String patternString = "^appattempt_\\d+_\\d+_\\d+$";
      Pattern pattern = Pattern.compile(patternString);
      Matcher matcher = pattern.matcher(ugi.getShortUserName());
      boolean matches = matcher.matches();
      if (matches) {
        // App-attempt names are not OS accounts: return before getGroupNames(),
        // which is the call that triggers the NSS/LDAP lookup.
        LOG.debug("Bailing !! AppAttempt Matches DONOT call UGI FOR GROUPS!!");
        return false;
      }
      for (String group : ugi.getGroupNames()) {
        if (groups.contains(group)) {
          return true;
        }
      }
    }
    return false;
  }

  public boolean isUserAllowed(UserGroupInformation ugi) {
    return isUserInList(ugi);
  }
{code}

One task:

Oct 30 22:55:43 xhadoopm5d vasd[20741]: _vasug_user_namesearch_gc: searching GC for host service domain EXNSD.EXA.EXAMPLE.COM with filter (&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))
Oct 30 22:55:43 xhadoopm5d vasd[20741]: _vasug_user_namesearch_gc: searching GC for host service domain EXNSD.EXA.EXAMPLE.COM with filter (&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))
Oct 30 22:55:43 xhadoopm5d vasd[20741]: libvas_attrs_find_uri: Searching with filter=<(&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))>, base=<>, scope=
Oct 30 22:55:43 xhadoopm5d vasd[20741]: libvas_attrs_find_uri: Searching with filter=<(&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))>, base=<>, scope=
Oct 30 22:56:15 xhadoopm5d vasd[20741]: _vasug_user_namesearch_gc: searching GC for host service domain EXNSD.EXA.EXAMPLE.COM with filter (&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))
Oct 30 22:56:15 xhadoopm5d vasd[20741]: _vasug_user_namesearch_gc: searching GC for host service domain EXNSD.EXA.EXAMPLE.COM with filter (&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))
Oct 30 22:56:15 xhadoopm5d vasd[20741]: libvas_attrs_find_uri: Searching with filter=<(&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))>, base=<>, scope=
Oct 30 22:56:15 xhadoopm5d vasd[20741]: libvas_attrs_find_uri: Searching with filter=<(&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))>, base=<>, scope=
Oct 30 22:56:45 xhadoopm5d vasd[20741]: _vasug_user_namesearch_gc: searching GC for host service domain EXNSD.EXA.EXAMPLE.COM with filter (&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))
Oct 30 22:56:45 xhadoopm5d vasd[20741]: _vasug_user_namesearch_gc: searching GC for host service domain EXNSD.EXA.EXAMPLE.COM with filter (&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))
Oct 30 22:56:45 xhadoopm5d vasd[20741]: libvas_attrs_find_uri: Searching with filter=<(&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))>, base=<>, scope=
Oct 30 22:56:45 xhadoopm5d vasd[20741]: libvas_attrs_find_uri: Searching with filter=<(&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))>, base=<>, scope=
Oct 30 22:57:18 xhadoopm5d vasd[20741]: _vasug_user_namesearch_gc: searching GC for host service domain EXNSD.EXA.EXAMPLE.COM with filter (&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))
Oct 30 22:57:18 xhadoopm5d vasd[20741]: _vasug_user_namesearch_gc: searching GC for host service domain EXNSD.EXA.EXAMPLE.COM with filter (&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))
Oct 30 22:57:18 xhadoopm5d vasd[20741]: libv
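The following is an added example, not code from the issue or from Hadoop: it parses vasd debug lines of the form quoted in this message and counts directory searches for names matching the workaround's `appattempt` pattern, so the lookup load can be measured before and after a fix. The first four sample lines are copied from the log in this message; the `jdoe` line, the truncated line and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Same name pattern the workaround in the issue uses to short-circuit the ACL check.
APPATTEMPT_RE = re.compile(r"appattempt_\d+_\d+_\d+")

# syslog prefix, vasd function name, then the sAMAccountName value inside the LDAP filter.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s\d\d:\d\d:\d\d)\s(?P<host>\S+)\svasd\[\d+\]:\s"
    r"(?P<func>\w+):.*?\(samaccountname=(?P<account>[^)]*)\)",
    re.IGNORECASE,
)

# Sample input: four lines from the issue's log, one constructed lookup for a
# real-looking account (jdoe), and one constructed truncated line.
SAMPLE_LOG = """\
Oct 30 22:55:43 xhadoopm5d vasd[20741]: _vasug_user_namesearch_gc: searching GC for host service domain EXNSD.EXA.EXAMPLE.COM with filter (&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))
Oct 30 22:55:43 xhadoopm5d vasd[20741]: libvas_attrs_find_uri: Searching with filter=<(&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))>, base=<>, scope=
Oct 30 22:56:15 xhadoopm5d vasd[20741]: _vasug_user_namesearch_gc: searching GC for host service domain EXNSD.EXA.EXAMPLE.COM with filter (&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))
Oct 30 22:56:15 xhadoopm5d vasd[20741]: libvas_attrs_find_uri: Searching with filter=<(&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))>, base=<>, scope=
Oct 30 22:56:20 xhadoopm5d vasd[20741]: _vasug_user_namesearch_gc: searching GC for host service domain EXNSD.EXA.EXAMPLE.COM with filter (&(objectCategory=Person)(samaccountname=jdoe))
Oct 30 22:57:18 xhadoopm5d vasd[20741]: libv
"""


def summarize(log_text):
    """Split vasd account searches into app-attempt names and everything else."""
    synthetic, other = Counter(), Counter()
    bursts = {}   # account -> set of timestamps at which it was searched
    skipped = 0   # lines that carry no complete samaccountname filter
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            skipped += 1
            continue
        account = m.group("account")
        if APPATTEMPT_RE.fullmatch(account):
            synthetic[account] += 1
            bursts.setdefault(account, set()).add(m.group("ts"))
        else:
            other[account] += 1
    return {
        "synthetic": synthetic,
        "other": other,
        "bursts": {acct: sorted(stamps) for acct, stamps in bursts.items()},
        "skipped": skipped,
    }


def wasted_share(summary):
    """Fraction of parsed searches spent on app-attempt names."""
    wasted = sum(summary["synthetic"].values())
    total = wasted + sum(summary["other"].values())
    return wasted / total if total else 0.0


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for account, count in report["synthetic"].most_common():
        print(f"{account}: {count} searches in {len(report['bursts'][account])} bursts")
    print(f"share of searches for app-attempt names: {wasted_share(report):.0%}")
    print(f"unparsed lines: {report['skipped']}")
```
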
[jira] [Updated] (YARN-4336) YARN NodeManager - Container Initialization - Excessive load on NSS/LDAP
[ https://issues.apache.org/jira/browse/YARN-4336?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Greg Senia updated YARN-4336:

    Affects Version/s: (was: 2.4.1)
                       (was: 2.4.0)

> YARN NodeManager - Container Initialization - Excessive load on NSS/LDAP
>
>                 Key: YARN-4336
>                 URL: https://issues.apache.org/jira/browse/YARN-4336
>             Project: Hadoop YARN
>          Issue Type: Bug
>    Affects Versions: 2.6.0, 2.7.0, 2.6.1, 2.7.1
>         Environment: NSS w/ SSSD or Dell/Quest - VASD
>            Reporter: Greg Senia
>            Assignee: Greg Senia
>         Attachments: tactical_defense.patch
>
>
> Hi folks, after performing some debug for our Unix Engineering and Active
> Directory teams it was discovered that on YARN Container Initialization a
> call via Hadoop Common AccessControlList.java:
>       for(String group: ugi.getGroupNames()) {
>         if (groups.contains(group)) {
>           return true;
>         }
>       }
> Unfortunately with the security call to check access on
> "appattempt_X_X_X" will always return false but will make
> unnecessary calls to NameSwitch service on Linux which will call things like
> SSSD/Quest VASD which will then initiate LDAP calls looking for non-existent
> userids causing excessive load on LDAP.
> For now our tactical workaround is as follows:
>   /**
>    * Checks if a user represented by the provided {@link UserGroupInformation}
>    * is a member of the Access Control List
>    * @param ugi UserGroupInformation to check if contained in the ACL
>    * @return true if ugi is member of the list
>    */
>   public final boolean isUserInList(UserGroupInformation ugi) {
>     if (allAllowed || users.contains(ugi.getShortUserName())) {
>       return true;
>     } else {
>       String patternString = "^appattempt_\\d+_\\d+_\\d+$";
>       Pattern pattern = Pattern.compile(patternString);
>       Matcher matcher = pattern.matcher(ugi.getShortUserName());
>       boolean matches = matcher.matches();
>       if (matches) {
>         LOG.debug("Bailing !! AppAttempt Matches DONOT call UGI FOR GROUPS!!");
>         return false;
>       }
>
>       for(String group: ugi.getGroupNames()) {
>         if (groups.contains(group)) {
>           return true;
>         }
>       }
>     }
>     return false;
>   }
>   public boolean isUserAllowed(UserGroupInformation ugi) {
>     return isUserInList(ugi);
>   }
> Example of VASD Debug log showing the lookups for one task attempt 32 of them:
> One task:
> Oct 30 22:55:43 xhadoopm5d vasd[20741]: _vasug_user_namesearch_gc: searching GC for host service domain EXNSD.EXA.EXAMPLE.COM with filter (&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))
> Oct 30 22:55:43 xhadoopm5d vasd[20741]: _vasug_user_namesearch_gc: searching GC for host service domain EXNSD.EXA.EXAMPLE.COM with filter (&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))
> Oct 30 22:55:43 xhadoopm5d vasd[20741]: libvas_attrs_find_uri: Searching with filter=<(&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))>, base=<>, scope=
> Oct 30 22:55:43 xhadoopm5d vasd[20741]: libvas_attrs_find_uri: Searching with filter=<(&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))>, base=<>, scope=
> Oct 30 22:56:15 xhadoopm5d vasd[20741]: _vasug_user_namesearch_gc: searching GC for host service domain EXNSD.EXA.EXAMPLE.COM with filter (&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))
> Oct 30 22:56:15 xhadoopm5d vasd[20741]: _vasug_user_namesearch_gc: searching GC for host service domain EXNSD.EXA.EXAMPLE.COM with filter (&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))
> Oct 30 22:56:15 xhadoopm5d vasd[20741]: libvas_attrs_find_uri: Searching with filter=<(&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))>, base=<>, scope=
> Oct 30 22:56:15 xhadoopm5d vasd[20741]: libvas_attrs_find_uri: Searching with filter=<(&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))>, base=<>, scope=
> Oct 30 22:56:45 xhadoopm5d vasd[20741]: _vasug_user_namesearch_gc: searching GC for host service domain EXNSD.EXA.EXAMPLE.COM with filter (&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))
> Oct 30 22:56:45 xhadoopm5d vasd[20741]: _vasug_user_namesearch_gc: searching GC for host service domain EXNSD.EXA.EXAMPLE.COM with filter (&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))
> Oct 30 22:56:45 xhadoopm5d vasd[20741]: libvas_attrs_find_uri: Searching with filter=<(&(objectCategory=
[jira] [Updated] (YARN-4336) YARN NodeManager - Container Initialization - Excessive load on NSS/LDAP
[ https://issues.apache.org/jira/browse/YARN-4336?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Greg Senia updated YARN-4336:

    Attachment: (was: YARN-4336-tactical.txt)

> YARN NodeManager - Container Initialization - Excessive load on NSS/LDAP
>
>                 Key: YARN-4336
>                 URL: https://issues.apache.org/jira/browse/YARN-4336
>             Project: Hadoop YARN
>          Issue Type: Bug
>    Affects Versions: 2.4.0, 2.4.1, 2.6.0, 2.7.0, 2.6.1, 2.7.1
>         Environment: NSS w/ SSSD or Dell/Quest - VASD
>            Reporter: Greg Senia
>            Assignee: Greg Senia
>         Attachments: tactical_defense.patch
>
>
> Hi folks, after performing some debug for our Unix Engineering and Active
> Directory teams it was discovered that on YARN Container Initialization a
> call via Hadoop Common AccessControlList.java:
>       for(String group: ugi.getGroupNames()) {
>         if (groups.contains(group)) {
>           return true;
>         }
>       }
> Unfortunately with the security call to check access on
> "appattempt_X_X_X" will always return false but will make
> unnecessary calls to NameSwitch service on Linux which will call things like
> SSSD/Quest VASD which will then initiate LDAP calls looking for non-existent
> userids causing excessive load on LDAP.
> For now our tactical workaround is as follows:
>   /**
>    * Checks if a user represented by the provided {@link UserGroupInformation}
>    * is a member of the Access Control List
>    * @param ugi UserGroupInformation to check if contained in the ACL
>    * @return true if ugi is member of the list
>    */
>   public final boolean isUserInList(UserGroupInformation ugi) {
>     if (allAllowed || users.contains(ugi.getShortUserName())) {
>       return true;
>     } else {
>       String patternString = "^appattempt_\\d+_\\d+_\\d+$";
>       Pattern pattern = Pattern.compile(patternString);
>       Matcher matcher = pattern.matcher(ugi.getShortUserName());
>       boolean matches = matcher.matches();
>       if (matches) {
>         LOG.debug("Bailing !! AppAttempt Matches DONOT call UGI FOR GROUPS!!");
>         return false;
>       }
>
>       for(String group: ugi.getGroupNames()) {
>         if (groups.contains(group)) {
>           return true;
>         }
>       }
>     }
>     return false;
>   }
>   public boolean isUserAllowed(UserGroupInformation ugi) {
>     return isUserInList(ugi);
>   }
> Example of VASD Debug log showing the lookups for one task attempt 32 of them:
> One task:
> Oct 30 22:55:43 xhadoopm5d vasd[20741]: _vasug_user_namesearch_gc: searching GC for host service domain EXNSD.EXA.EXAMPLE.COM with filter (&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))
> Oct 30 22:55:43 xhadoopm5d vasd[20741]: _vasug_user_namesearch_gc: searching GC for host service domain EXNSD.EXA.EXAMPLE.COM with filter (&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))
> Oct 30 22:55:43 xhadoopm5d vasd[20741]: libvas_attrs_find_uri: Searching with filter=<(&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))>, base=<>, scope=
> Oct 30 22:55:43 xhadoopm5d vasd[20741]: libvas_attrs_find_uri: Searching with filter=<(&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))>, base=<>, scope=
> Oct 30 22:56:15 xhadoopm5d vasd[20741]: _vasug_user_namesearch_gc: searching GC for host service domain EXNSD.EXA.EXAMPLE.COM with filter (&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))
> Oct 30 22:56:15 xhadoopm5d vasd[20741]: _vasug_user_namesearch_gc: searching GC for host service domain EXNSD.EXA.EXAMPLE.COM with filter (&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))
> Oct 30 22:56:15 xhadoopm5d vasd[20741]: libvas_attrs_find_uri: Searching with filter=<(&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))>, base=<>, scope=
> Oct 30 22:56:15 xhadoopm5d vasd[20741]: libvas_attrs_find_uri: Searching with filter=<(&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))>, base=<>, scope=
> Oct 30 22:56:45 xhadoopm5d vasd[20741]: _vasug_user_namesearch_gc: searching GC for host service domain EXNSD.EXA.EXAMPLE.COM with filter (&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))
> Oct 30 22:56:45 xhadoopm5d vasd[20741]: _vasug_user_namesearch_gc: searching GC for host service domain EXNSD.EXA.EXAMPLE.COM with filter (&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))
> Oct 30 22:56:45 xhadoopm5d vasd[20741]: libvas_attrs_find_uri: Searching with filter=<(&(objectCategory=Person)(samaccou
[jira] [Updated] (YARN-4336) YARN NodeManager - Container Initialization - Excessive load on NSS/LDAP

[ https://issues.apache.org/jira/browse/YARN-4336?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Greg Senia updated YARN-4336:
-----------------------------
    Attachment: tactical_defense.patch

> YARN NodeManager - Container Initialization - Excessive load on NSS/LDAP
>
>                 Key: YARN-4336
>                 URL: https://issues.apache.org/jira/browse/YARN-4336
>             Project: Hadoop YARN
>          Issue Type: Bug
>    Affects Versions: 2.4.0, 2.4.1, 2.6.0, 2.7.0, 2.6.1, 2.7.1
>         Environment: NSS w/ SSSD or Dell/Quest - VASD
>            Reporter: Greg Senia
>            Assignee: Greg Senia
>         Attachments: YARN-4336-tactical.txt, tactical_defense.patch
>
> Hi folks, after performing some debug for our Unix Engineering and Active
> Directory teams it was discovered that on YARN Container Initialization a
> call via Hadoop Common AccessControlList.java:
>
>     for(String group: ugi.getGroupNames()) {
>       if (groups.contains(group)) {
>         return true;
>       }
>     }
>
> Unfortunately, the security call to check access on "appattempt_X_X_X"
> will always return false but will make unnecessary calls to the NameSwitch
> service on Linux, which will call things like SSSD/Quest VASD, which will
> then initiate LDAP calls looking for nonexistent userids, causing excessive
> load on LDAP.
>
> For now our tactical workaround is as follows:
>
> /**
>  * Checks if a user represented by the provided {@link UserGroupInformation}
>  * is a member of the Access Control List
>  * @param ugi UserGroupInformation to check if contained in the ACL
>  * @return true if ugi is member of the list
>  */
> public final boolean isUserInList(UserGroupInformation ugi) {
>   if (allAllowed || users.contains(ugi.getShortUserName())) {
>     return true;
>   } else {
>     String patternString = "^appattempt_\\d+_\\d+_\\d+$";
>     Pattern pattern = Pattern.compile(patternString);
>     Matcher matcher = pattern.matcher(ugi.getShortUserName());
>     boolean matches = matcher.matches();
>     if (matches) {
>       LOG.debug("Bailing !! AppAttempt Matches DONOT call UGI FOR GROUPS!!");
>       return false;
>     }
>
>     for(String group: ugi.getGroupNames()) {
>       if (groups.contains(group)) {
>         return true;
>       }
>     }
>   }
>   return false;
> }
>
> public boolean isUserAllowed(UserGroupInformation ugi) {
>   return isUserInList(ugi);
> }
>
> Example of VASD Debug log showing the lookups for one task attempt 32 of them:
> One task:
> Oct 30 22:55:43 xhadoopm5d vasd[20741]: _vasug_user_namesearch_gc: searching GC for host service domain EXNSD.EXA.EXAMPLE.COM with filter (&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))
> Oct 30 22:55:43 xhadoopm5d vasd[20741]: _vasug_user_namesearch_gc: searching GC for host service domain EXNSD.EXA.EXAMPLE.COM with filter (&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))
> Oct 30 22:55:43 xhadoopm5d vasd[20741]: libvas_attrs_find_uri: Searching with filter=<(&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))>, base=<>, scope=
> Oct 30 22:55:43 xhadoopm5d vasd[20741]: libvas_attrs_find_uri: Searching with filter=<(&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))>, base=<>, scope=
> Oct 30 22:56:15 xhadoopm5d vasd[20741]: _vasug_user_namesearch_gc: searching GC for host service domain EXNSD.EXA.EXAMPLE.COM with filter (&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))
> Oct 30 22:56:15 xhadoopm5d vasd[20741]: _vasug_user_namesearch_gc: searching GC for host service domain EXNSD.EXA.EXAMPLE.COM with filter (&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))
> Oct 30 22:56:15 xhadoopm5d vasd[20741]: libvas_attrs_find_uri: Searching with filter=<(&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))>, base=<>, scope=
> Oct 30 22:56:15 xhadoopm5d vasd[20741]: libvas_attrs_find_uri: Searching with filter=<(&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))>, base=<>, scope=
> Oct 30 22:56:45 xhadoopm5d vasd[20741]: _vasug_user_namesearch_gc: searching GC for host service domain EXNSD.EXA.EXAMPLE.COM with filter (&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))
> Oct 30 22:56:45 xhadoopm5d vasd[20741]: _vasug_user_namesearch_gc: searching GC for host service domain EXNSD.EXA.EXAMPLE.COM with filter (&(objectCategory=Person)(samaccountname=appattempt_1446145939879_0022_01))
> Oct 30 22:56:45 xhadoopm5d vasd[20741]: libvas_attrs_find_uri: Searching with filter=<(&(objectCategory=Per
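
To measure how much directory traffic the app-attempt names in this report generate, the VASD debug log can be summarized per host and account name. This is an added example, not part of the original report or of Hadoop; it assumes the log format quoted in the thread, and the function names, the "jdoe" account and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Same pattern the tactical workaround uses to recognise synthetic users.
APPATTEMPT = re.compile(r"^appattempt_\d+_\d+_\d+$")

# syslog prefix, vasd function name, then the samaccountname in the LDAP filter.
LINE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s(?P<host>\S+)\svasd\[\d+\]:\s"
    r"(?P<func>\w+):.*?\(samaccountname=(?P<name>[^)]*)\)",
    re.IGNORECASE,
)


def summarize(lines):
    """Count user searches per (host, name), split into synthetic and real."""
    synthetic, real, skipped = Counter(), Counter(), 0
    for line in lines:
        m = LINE.match(line)
        if not m:  # truncated or unrelated line: count it, do not guess
            skipped += 1
            continue
        key = (m["host"], m["name"])
        (synthetic if APPATTEMPT.match(m["name"]) else real)[key] += 1
    return synthetic, real, skipped


def wasted_ratio(synthetic, real):
    """Fraction of parsed searches whose name matches the app-attempt pattern."""
    wasted = sum(synthetic.values())
    total = wasted + sum(real.values())
    return wasted / total if total else 0.0


# Constructed sample in the format of the VASD debug log in the report;
# "jdoe" is a made-up real account, the last line is deliberately truncated.
_PRE = "Oct 30 22:55:43 xhadoopm5d vasd[20741]: "
_FLT = "(&(objectCategory=Person)(samaccountname={}))"
_APP = "appattempt_1446145939879_0022_01"
_GC = ("_vasug_user_namesearch_gc: searching GC for host service domain "
       "EXNSD.EXA.EXAMPLE.COM with filter ")
_URI = "libvas_attrs_find_uri: Searching with filter=<"
SAMPLE = (
    [_PRE + _GC + _FLT.format(_APP)] * 2
    + [_PRE + _URI + _FLT.format(_APP) + ">, base=<>, scope="] * 2
    + [_PRE + _URI + _FLT.format("jdoe") + ">, base=<>, scope="]
    + [_PRE + _URI + "(&(objectCategory=Per"]
)

if __name__ == "__main__":
    syn, real, skipped = summarize(SAMPLE)
    for (host, name), n in syn.most_common():
        print(f"{host} {name}: {n} searches")
    print(f"wasted={wasted_ratio(syn, real):.0%} skipped={skipped}")
```

Running the same summary before and after deploying the workaround shows whether the app-attempt searches have actually stopped reaching the directory.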
[jira] [Updated] (YARN-4336) YARN NodeManager - Container Initialization - Excessive load on NSS/LDAP

[ https://issues.apache.org/jira/browse/YARN-4336?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Greg Senia updated YARN-4336:
-----------------------------
    Attachment: YARN-4336-tactical.txt

tactical fix

> YARN NodeManager - Container Initialization - Excessive load on NSS/LDAP
>
>                 Key: YARN-4336
>                 URL: https://issues.apache.org/jira/browse/YARN-4336
>             Project: Hadoop YARN
>          Issue Type: Bug
>    Affects Versions: 2.4.0, 2.4.1, 2.6.0, 2.7.0, 2.6.1, 2.7.1
>         Environment: NSS w/ SSSD or Dell/Quest - VASD
>            Reporter: Greg Senia
>            Assignee: Greg Senia
>         Attachments: YARN-4336-tactical.txt