Alejandro Abdelnur created YARN-1253:
----------------------------------------
Summary: Changes to LinuxContainerExecutor to use cgroups in unsecure mode
Key: YARN-1253
URL: https://issues.apache.org/jira/browse/YARN-1253
Project: Hadoop YARN
Issue Type: Bug
Components: nodemanager
Affects Versions: 2.1.0-beta
Reporter: Alejandro Abdelnur
Assignee: Roman Shaposhnik
Priority: Blocker
Fix For: 2.1.1-beta

When using cgroups we require LCE to be configured in the cluster to start
containers.

LCE starts containers as the user that submitted the job. While this works
correctly in a secure setup, in an un-secure setup this presents a couple of
issues:

* LCE requires all Hadoop users submitting jobs to be Unix users in all nodes
* Because users can impersonate other users, any user would have access to any
local file of other users

Particularly, the second issue is not desirable as a user could get access to
ssh keys of other users in the nodes or, if there are NFS mounts, get to other
users' data outside of the cluster.