Eric Yang created YARN-3252:

             Summary: YARN LinuxContainerExecutor runs as nobody in Simple 
Security mode for all applications
                 Key: YARN-3252
             Project: Hadoop YARN
          Issue Type: Bug
    Affects Versions: 2.5.2, 2.5.1, 2.6.0, 2.4.0, 2.3.0
         Environment: Linux
            Reporter: Eric Yang
            Priority: Critical

When using YARN + Slider + LinuxContainerExecutor, all slider application are 
running as nobody.  This is because the modification in YARN-1253 to restrict 
all containers to run as a single user.  This becomes a exploite to any 
application that runs inside YARN + Slider + LCE.  The original behavior is 
more correct.  The original statement indicated that users can impersonate any 
other users.  This supposed to be only valid for proxy users, who can proxy as 
other users.  It is designed as intended that the service user needs to be 
trusted by the framework to impersonate end users.

This message was sent by Atlassian JIRA

Reply via email to