[
https://issues.apache.org/jira/browse/YARN-1943?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
jay vyas reopened YARN-1943:
----------------------------
Reopening, based on the following use case:
1) Alice and Tom trust each other.
2) They run their jobs on the same cluster.
3) Neither would ever knowingly do anything to harm the other (i.e. impersonate
user and then write code in a M/R job to scrape ssh keys from local fs.)
4) But tom is a novice developer, and MIGHT do something funny like
accidentally overwrite files in /user/alice/ in some of his jobs, so SOME
process isolation would be nice to have.
5) And also : alice and tom are using a posix style HCFS where uid is
important in order to do operations like chown.
So in the above scenario, there really is not much need for kerberization: its
a simple and lightweight cluster with trusted users , but there is alot of
value in having some basic process isolation nevertheless...i.e. from linux
containers.
SUGGESTION:
Rather than add an extra parameter, we just can allow a wildcard parameter in
the nonsecure.local-user parameter value :
{noformat}
+
<name>yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user</name>
+ <value>*</value>
{noformat}
That anyone who is submitting a job, is the user that the LCE will run under.
Essentially, this provides administrators the option of disabling/enabling the
feature added in YARN-1253.
> Multitenant LinuxContainerExecutor is incompatible with Simple Security mode.
> -----------------------------------------------------------------------------
>
> Key: YARN-1943
> URL: https://issues.apache.org/jira/browse/YARN-1943
> Project: Hadoop YARN
> Issue Type: Bug
> Components: nodemanager
> Affects Versions: 2.3.0
> Reporter: jay vyas
> Priority: Critical
> Labels: linux
> Fix For: 2.3.0
>
>
> As of hadoop 2.3.0, commit cc74a18c makes it so that nonsecureLocalUser
> replaces the user who submits a job if security is disabled:
> {noformat}
> return UserGroupInformation.isSecurityEnabled() ? user : nonsecureLocalUser;
> {noformat}
> However, the only way to enable security, is to NOT use SIMPLE authentication
> mode:
> {noformat}
> public static boolean isSecurityEnabled() {
> return !isAuthenticationMethodEnabled(AuthenticationMethod.SIMPLE);
> }
> {noformat}
>
> Thus, the framework ENFORCES that "SIMPLE" login security --> nonSecureuser
> for submission of LinuxExecutorContainer.
> This results in a confusing issue, wherein we submit a job as "sally" and
> then get an exception that user "nobody" is not whitelisted and has UID <
> MAX_ID.
> My proposed solution is that we should be able to leverage
> LinuxContainerExector regardless of hadoop's view of the security settings on
> the cluster, i.e. decouple LinuxContainerExecutor logic from the
> "isSecurityEnabled" return value.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
