[ https://issues.apache.org/jira/browse/YARN-1943?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13969821#comment-13969821 ]
Alejandro Abdelnur commented on YARN-1943: ------------------------------------------ O the yarn-site.xml of the NMs: {code} <property> <description>The UNIX user that containers will run as when Linux-container-executor is used in nonsecure mode (a use case for this is using cgroups).</description> <name>yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user</name> <value>nobody</value> </property> {code} > Multitenant LinuxContainerExecutor is incompatible with Simple Security mode. > ----------------------------------------------------------------------------- > > Key: YARN-1943 > URL: https://issues.apache.org/jira/browse/YARN-1943 > Project: Hadoop YARN > Issue Type: Bug > Components: nodemanager > Affects Versions: 2.3.0 > Reporter: jay vyas > Priority: Critical > Labels: linux > Fix For: 2.3.0 > > > As of hadoop 2.3.0, commit cc74a18c makes it so that nonsecureLocalUser > replaces the user who submits a job if security is disabled: > {noformat} > return UserGroupInformation.isSecurityEnabled() ? user : nonsecureLocalUser; > {noformat} > However, the only way to enable security, is to NOT use SIMPLE authentication > mode: > {noformat} > public static boolean isSecurityEnabled() { > return !isAuthenticationMethodEnabled(AuthenticationMethod.SIMPLE); > } > {noformat} > > Thus, the framework ENFORCES that "SIMPLE" login security --> nonSecureuser > for submission of LinuxExecutorContainer. > This results in a confusing issue, wherein we submit a job as "sally" and > then get an exception that user "nobody" is not whitelisted and has UID < > MAX_ID. > My proposed solution is that we should be able to leverage > LinuxContainerExector regardless of hadoop's view of the security settings on > the cluster, i.e. decouple LinuxContainerExecutor logic from the > "isSecurityEnabled" return value. -- This message was sent by Atlassian JIRA (v6.2#6252)