[
https://issues.apache.org/jira/browse/YARN-7430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16244948#comment-16244948
]
Eric Yang commented on YARN-7430:
---------------------------------
[~ebadger] On a Unix box, when a user runs sudo commands, all logs are written
to syslog or /var/log/messages. They are owned by root. There are enterprise
log aggregation tools that can search and filter out the segments of syslog and
/var/log/messages belonging to a certain user by using the terminal id and audit id.
The log viewer identifies the user based on the terminal id and audit id to determine if
the user has rights to see the log. Hadoop doesn't have to be different from
the existing design.
The information generated by a root container should belong to root in the event
the user's sudo rights are revoked; he will not have access to the logs later.
Docker console output is already appended to the container log if we don't detach
the container, so all logs go into the container log. Therefore, we have logs that
are compiled with application id and container id. We have the information
available to determine if the user is allowed to see the logs.
What log aggregation are we doing in addition to capturing the docker console
output?
If the application is writing to the file system directly without tracking, there
will be no accurate way to identify the origin of the log. However, this is
not a special case. This problem exists today for any shared service user, and
it is up to the developer to generate logs that have the user name/host name
in the log filename to support log tracking. I am not clear on how removing the
{{--user}} flag would result in log aggregation not working. Could you
clarify?
[[email protected]]. If passing --user=0.0 with the --privileged flag can keep
log aggregation working, I have no objection to this. Is there a design of
how log aggregation works for YARN Services which is different from classic
YARN containers?
> User and Group mapping are incorrect in docker container
> --------------------------------------------------------
>
> Key: YARN-7430
> URL: https://issues.apache.org/jira/browse/YARN-7430
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: security, yarn
> Affects Versions: 2.9.0, 3.0.0
> Reporter: Eric Yang
> Assignee: Eric Yang
> Priority: Blocker
> Attachments: YARN-7430.001.patch
>
>
> In YARN-4266, the recommendation was to use -u [uid]:[gid] numeric values to
> enforce the user and group for the running user. In YARN-6623, this translated
> to --user=test --group-add=group1. The code no longer enforces the group
> correctly for the launched process.
> In addition, the implementation in YARN-6623 requires the user and group
> information to exist in the container to translate username and group to uid/gid.
> For users on LDAP, there is no good way to populate the container with user and
> group information.
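As an added illustration of the numeric uid:gid approach recommended in YARN-4266 (example code written for this page, not code from Hadoop or from anyone in this thread): the user is resolved on the host, where LDAP/NSS is available, and Docker is handed numeric values, so the container image needs no matching passwd/group entries. A second helper flags the name-based form from YARN-6623, which only works if the names resolve inside the container. The function names `resolve_with_host_nss`, `docker_user_args` and `needs_passwd_in_container` are assumptions, not YARN APIs.

```python
import grp
import pwd
from typing import Callable, List, Sequence, Tuple

# (uid, primary gid, all gids the user belongs to)
Resolution = Tuple[int, int, List[int]]


def resolve_with_host_nss(username: str) -> Resolution:
    """Resolve a username on the HOST via NSS (local files, LDAP, SSSD, ...).

    Hypothetical helper: the container image never needs to know this user.
    """
    pw = pwd.getpwnam(username)
    supplementary = {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    gids = sorted({pw.pw_gid} | supplementary)
    return pw.pw_uid, pw.pw_gid, gids


def docker_user_args(username: str,
                     resolver: Callable[[str], Resolution] = resolve_with_host_nss) -> List[str]:
    """Build numeric --user/--group-add arguments (the YARN-4266 recommendation).

    Numeric values are enforced by the kernel at exec time regardless of what
    /etc/passwd or /etc/group inside the image say.
    """
    uid, gid, gids = resolver(username)
    args = [f"--user={uid}:{gid}"]
    for g in gids:
        if g != gid:  # primary gid is already set by --user
            args.append(f"--group-add={g}")
    return args


def _flag_values(args: Sequence[str], flags: Sequence[str]) -> List[str]:
    """Collect values given as '--flag=value' or '--flag value'."""
    values: List[str] = []
    i = 0
    while i < len(args):
        a = args[i]
        for f in flags:
            if a == f and i + 1 < len(args):
                values.append(args[i + 1])
                i += 1
                break
            if a.startswith(f + "="):
                values.append(a[len(f) + 1:])
                break
        i += 1
    return values


def needs_passwd_in_container(args: Sequence[str]) -> bool:
    """True if any --user/-u or --group-add value is a NAME rather than a number.

    Name-based values (e.g. --user=test --group-add=group1, as in YARN-6623)
    require matching entries inside the container, which LDAP users lack.
    """
    for user in _flag_values(args, ("--user", "-u")):
        if not all(part.isdigit() for part in user.split(":") if part):
            return True
    return not all(g.isdigit() for g in _flag_values(args, ("--group-add",)))


if __name__ == "__main__":
    # Constructed resolver standing in for an LDAP-backed host lookup.
    fake = lambda name: (1001, 1001, [1001, 2001])
    print(docker_user_args("test", fake))
    print(needs_passwd_in_container(["--user=test", "--group-add=group1"]))
```

Running the numeric form through `needs_passwd_in_container` returns False, while the name-based form from YARN-6623 returns True, which is exactly the case the reporter describes for LDAP users.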
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)