[ 
https://issues.apache.org/jira/browse/YARN-9442?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16904218#comment-16904218
 ] 

Jim Brennan commented on YARN-9442:
-----------------------------------

[~eyang], [~ebadger] thanks for the discussion.  I have tested on a test 
cluster with 0700 for the container working directory and that works just fine 
for running my test jobs.

However, I did some poking around in the source base and found one case that I 
think will break if we remove execute permissions - 
ContainerImpl.ResourceLocalizedWhileRunningTransition() is attempting to check 
whether a symbolic link exists in the working directory (for a localized 
resource). I don't think that exists() check will work without execute 
permissions on the container working directory. To actually create the link, we 
will need to use a privileged operation, so I don't think that part would be 
affected.

Given this case (and the potential for others like it), and the fact that 
DefaultContainerExecutor is using 0710, I think we should stick with 0710.

> container working directory has group read permissions
> ------------------------------------------------------
>
>                 Key: YARN-9442
>                 URL: https://issues.apache.org/jira/browse/YARN-9442
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: yarn
>    Affects Versions: 3.2.2
>            Reporter: Jim Brennan
>            Assignee: Jim Brennan
>            Priority: Minor
>         Attachments: YARN-9442.001.patch, YARN-9442.002.patch, 
> YARN-9442.003.patch
>
>
> Container working directories are currently created with permissions 0750, 
> owned by the user and with the group set to the node manager group.
> Is there any reason why these directories need group read permissions?
> I have been testing with group read permissions removed and so far I haven't 
> encountered any problems.

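Added example, not part of the original message and not Hadoop code: a small Python model of the POSIX class-based permission check, showing why an exists()-style lookup inside the container working directory succeeds for a group member under 0750 and 0710 but fails under 0700. The function names, the scratch directory names and the constructed caller (a different uid that belongs to the directory's group, standing in for the NodeManager process) are assumptions for illustration; the model ignores root and ACLs.

```python
import os
import stat
import tempfile

def dir_access(mode, owner_uid, group_gid, uid, gids):
    """Return (can_list, can_lookup) for a non-root caller on a directory.

    POSIX selects exactly one permission class: owner, else group, else other.
    r on a directory allows listing its names; x (search) allows resolving a
    name inside it, which is what an exists()/stat() on a child path needs.
    """
    if uid == owner_uid:
        r, x = stat.S_IRUSR, stat.S_IXUSR
    elif group_gid in gids:
        r, x = stat.S_IRGRP, stat.S_IXGRP
    else:
        r, x = stat.S_IROTH, stat.S_IXOTH
    return bool(mode & r), bool(mode & x)

def group_member_view(workdir, uid, gids):
    """Stat a real directory and evaluate it for the given caller."""
    st = os.stat(workdir)
    return dir_access(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, uid, gids)

def compare_modes(modes=(0o750, 0o710, 0o700)):
    """Create scratch directories with each mode and report the group view."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        for mode in modes:
            path = os.path.join(root, "container_%o" % mode)
            os.mkdir(path)
            os.chmod(path, mode)  # explicit chmod: mkdir's mode is cut by umask
            st = os.stat(path)
            # Constructed caller: not the owner, but in the directory's group.
            results[mode] = group_member_view(path, st.st_uid + 1, {st.st_gid})
    return results

if __name__ == "__main__":
    for mode, (can_list, can_lookup) in compare_modes().items():
        print("%04o  list=%s  lookup/exists=%s" % (mode, can_list, can_lookup))
```
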