[
https://issues.apache.org/jira/browse/YARN-1253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13783161#comment-13783161
]
Alejandro Abdelnur commented on YARN-1253:
------------------------------------------
If we say that today people should use LCE for cgroups in unsecure mode, then
this JIRA is a bug. If we say that LCE is not supported in unsecure mode, then
this is an improvement to enable such. IMO, this JIRA is a bug, but I'm OK
either way.
Correct, in unsecure mode, any user can delete all data in HDFS. If we look at
what any user can do in the node local filesystem:
* Using DCE, it can access/modify all data owned by yarn user.
* Using LCE, it can access/modify all data owned by any non-system user.
The second scenario is particularly dangerous because any user could get access
to private ssh keys of other users available in the nodes (this would typically
be a cluster admin user) or, in the case of automatic NFS mounts available to the
cluster (which I've seen in multiple setups), any user could gain access to data
of other users outside of the cluster.
This JIRA is proposing adding to LCE the ability to run container processes as a
fixed local run-as-user; it could be 'nobody' by default.
By running the container processes with the run-as-user being 'nobody' we are
restricting local filesystem access to the permissions of the 'nobody' user in
unsecure mode.
This run-as-user should be configurable for audit purposes as in some setups
admins may want to track with a special user all container processes.
> Changes to LinuxContainerExecutor to use cgroups in unsecure mode
> -----------------------------------------------------------------
>
> Key: YARN-1253
> URL: https://issues.apache.org/jira/browse/YARN-1253
> Project: Hadoop YARN
> Issue Type: New Feature
> Components: nodemanager
> Affects Versions: 2.1.0-beta
> Reporter: Alejandro Abdelnur
> Assignee: Roman Shaposhnik
> Priority: Blocker
>
> When using cgroups we require LCE to be configured in the cluster to start
> containers.
> LCE starts containers as the user that submitted the job. While this
> works correctly in a secure setup, in an un-secure setup this presents a
> couple of issues:
> * LCE requires all Hadoop users submitting jobs to be Unix users in all nodes
> * Because users can impersonate other users, any user would have access to
> any local file of other users
> Particularly, the second issue is not desirable as a user could get access to
> ssh keys of other users in the nodes or, if there are NFS mounts, get to other
> users' data outside of the cluster.
--
This message was sent by Atlassian JIRA
(v6.1#6144)
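The following yarn-site.xml fragment is an added configuration example; it is not part of this comment or of the JIRA, and the property names are my assumptions about what the NodeManager reads in releases that ship this feature, so check them against the documentation of the version actually deployed. It shows the corrected setting the comment argues for (LCE with cgroups in non-secure mode, every container run as one fixed unprivileged local user) with the weak alternative noted inline:

```xml
<!-- yarn-site.xml (added example; property names are assumptions, verify for your release) -->
<configuration>
  <!-- LinuxContainerExecutor is required for cgroups-based container resource limits -->
  <property>
    <name>yarn.nodemanager.container-executor.class</name>
    <value>org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor</value>
  </property>
  <property>
    <!-- group owning the setuid container-executor binary; NodeManager must be a member -->
    <name>yarn.nodemanager.linux-container-executor.group</name>
    <value>hadoop</value>
  </property>
  <property>
    <name>yarn.nodemanager.linux-container-executor.resources-handler.class</name>
    <value>org.apache.hadoop.yarn.server.nodemanager.util.CgroupsLCEResourcesHandler</value>
  </property>

  <!-- Non-secure mode: the job submitter's user name is not authenticated, so do not run
       containers as that user. Run them all as ONE fixed local account instead. -->
  <property>
    <name>yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users</name>
    <!-- weak setting: false (containers run as whatever user name the client claims) -->
    <value>true</value>
  </property>
  <property>
    <name>yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user</name>
    <!-- 'nobody' is the conservative default; a dedicated, constructed account name is
         used here so container activity stands out in audit logs, as the comment suggests -->
    <value>yarn-container</value>
  </property>
</configuration>
```

Two checks go with this on every node. First, the fixed account must exist locally with no login shell, no password and no group memberships that reach other users' home directories or NFS mounts, since the whole point is that its permissions bound what any unauthenticated job can touch; the setuid binary's own config (container-executor.cfg, root-owned and not writable by the LCE group) keeps `banned.users` covering the service accounts such as hdfs and yarn, and if the chosen account has a uid below `min.user.id` it has to be listed explicitly as an allowed system user or container launch fails. Second, this only narrows local filesystem exposure: as the comment itself notes, HDFS data stays open to any user in non-secure mode, so this setting is not a substitute for enabling Kerberos where that exposure matters.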