[
https://issues.apache.org/jira/browse/YARN-1943?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13969746#comment-13969746
]
Alejandro Abdelnur commented on YARN-1943:
------------------------------------------
[~jayunit100], please refer to YARN-1253 for details on why it is this way. IMO
this is not a bug.
> Multitenant LinuxContainerExecutor is incompatible with Simple Security mode.
> -----------------------------------------------------------------------------
>
> Key: YARN-1943
> URL: https://issues.apache.org/jira/browse/YARN-1943
> Project: Hadoop YARN
> Issue Type: Bug
> Components: nodemanager
> Affects Versions: 2.3.0
> Reporter: jay vyas
> Priority: Critical
> Labels: linux
> Fix For: 2.3.0
>
>
> As of hadoop 2.3.0, commit cc74a18c makes it so that nonsecureLocalUser
> replaces the user who submits a job if security is disabled:
> {noformat}
> return UserGroupInformation.isSecurityEnabled() ? user : nonsecureLocalUser;
> {noformat}
> However, the only way to enable security is to NOT use SIMPLE authentication
> mode:
> {noformat}
> public static boolean isSecurityEnabled() {
> return !isAuthenticationMethodEnabled(AuthenticationMethod.SIMPLE);
> }
> {noformat}
>
> Thus, the framework ENFORCES that "SIMPLE" login security --> nonSecureuser
> for submission of LinuxContainerExecutor.
> This results in a confusing issue, wherein we submit a job as "sally" and
> then get an exception that user "nobody" is not whitelisted and has UID <
> MAX_ID.
> My proposed solution is that we should be able to leverage
> LinuxContainerExecutor regardless of Hadoop's view of the security settings on
> the cluster, i.e. decouple LinuxContainerExecutor logic from the
> "isSecurityEnabled" return value.
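The failure described in the issue, modelled as an added example that is not part of the JIRA thread and is not Hadoop code: the run-as user is chosen by the quoted ternary, then checked against `min.user.id`, `allowed.system.users` and `banned.users` from `container-executor.cfg`. The function names, the order of the checks, the fallback values (`nobody`, 1000) and the sample UIDs and config are assumptions made for illustration.

```python
# Added illustration: a model of the behaviour described in this issue, not Hadoop code.

def parse_cfg(text):
    """Parse key=value lines of a container-executor.cfg-style file."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def user_list(cfg, key):
    return {u.strip() for u in cfg.get(key, "").split(",") if u.strip()}

def run_as_user(submitter, security_enabled, nonsecure_local_user="nobody"):
    """Mirrors the quoted ternary; 'nobody' as the local user is an assumption."""
    return submitter if security_enabled else nonsecure_local_user

def check_user(user, uid_of, cfg):
    """Model of the native user check (order assumed); returns (accepted, reason)."""
    if user not in uid_of:
        return False, f"user {user} not found"
    min_uid = int(cfg.get("min.user.id", "1000"))  # fallback value is an assumption
    if uid_of[user] < min_uid and user not in user_list(cfg, "allowed.system.users"):
        return False, f"user {user} is not whitelisted and has id {uid_of[user]}, below {min_uid}"
    if user in user_list(cfg, "banned.users"):
        return False, f"user {user} is banned"
    return True, "ok"

def diagnose(submitter, auth_method, uid_of, cfg_text):
    """Return (run-as user, accepted, reason) for one submission."""
    security_enabled = auth_method.lower() != "simple"  # isSecurityEnabled() as quoted
    user = run_as_user(submitter, security_enabled)
    accepted, reason = check_user(user, uid_of, parse_cfg(cfg_text))
    return user, accepted, reason

# Constructed sample data (not taken from any real cluster).
SAMPLE_UIDS = {"sally": 1001, "nobody": 99, "hdfs": 496}
SAMPLE_CFG = """
yarn.nodemanager.linux-container-executor.group=hadoop
banned.users=hdfs,yarn,mapred,bin
min.user.id=1000
"""

if __name__ == "__main__":
    for auth in ("simple", "kerberos"):
        print(auth, diagnose("sally", auth, SAMPLE_UIDS, SAMPLE_CFG))
```

With SIMPLE authentication the job submitted as "sally" is checked as "nobody" and rejected on the UID floor; adding `allowed.system.users=nobody` to the sample config makes the same submission pass in this model.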