[
https://issues.apache.org/jira/browse/YARN-1943?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
jay vyas resolved YARN-1943.
----------------------------
Resolution: Not a Problem
CLOSING this bug, with mixed feelings :) ...
In any case *THANKS* alot for your help on this. Pointing out that previous
JIRA was very helpful. I guess we can close this JIRA now. Hopefully some
discussion on the mailing list will help me to consider some other options!
> Multitenant LinuxContainerExecutor is incompatible with Simple Security mode.
> -----------------------------------------------------------------------------
>
> Key: YARN-1943
> URL: https://issues.apache.org/jira/browse/YARN-1943
> Project: Hadoop YARN
> Issue Type: Bug
> Components: nodemanager
> Affects Versions: 2.3.0
> Reporter: jay vyas
> Priority: Critical
> Labels: linux
> Fix For: 2.3.0
>
>
> As of hadoop 2.3.0, commit cc74a18c makes it so that nonsecureLocalUser
> replaces the user who submits a job if security is disabled:
> {noformat}
> return UserGroupInformation.isSecurityEnabled() ? user : nonsecureLocalUser;
> {noformat}
> However, the only way to enable security, is to NOT use SIMPLE authentication
> mode:
> {noformat}
> public static boolean isSecurityEnabled() {
> return !isAuthenticationMethodEnabled(AuthenticationMethod.SIMPLE);
> }
> {noformat}
>
> Thus, the framework ENFORCES that "SIMPLE" login security --> nonSecureuser
> for submission of LinuxExecutorContainer.
> This results in a confusing issue, wherein we submit a job as "sally" and
> then get an exception that user "nobody" is not whitelisted and has UID <
> MAX_ID.
> My proposed solution is that we should be able to leverage
> LinuxContainerExector regardless of hadoop's view of the security settings on
> the cluster, i.e. decouple LinuxContainerExecutor logic from the
> "isSecurityEnabled" return value.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
