[ https://issues.apache.org/jira/browse/YARN-4579?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15096900#comment-15096900 ]
Ray Chiang commented on YARN-4579:
----------------------------------
Sorry [~vinodkv], I didn't realize that replying within the JIRA may not send a
notification. I've re-quoted my earlier comments below:

bq. I don't have all the specifics, but I have one request where they're using
a third-party tool to pull data from the container logs. The tool can't run as
user 'yarn' and the hardcoded directory permissions of 710 are preventing this
tool/flow from working. I do agree it's a bit of a weird corner case, since I'd
assume this would only apply to customers that aren't as concerned about
security (at least with respect to logs).

bq. As for design, it looks like each subclass of ContainerExecutor has its own
implementation (or inherited) of startLocalizer(). Are you thinking of
generalizing the directory location/permissions/other requirements into
LocalizerStartContext or did you have something else in mind?

bq. I would think that since the container log directory is the only one
generated by YARN, there could be useful information in there. The other
directories (file cache, app cache, user directory) would be files the user
could already have access to without even launching a job, so I would expect
that permissions there would be less likely to need loosening.

bq. One follow-up thought, based on Robert's feedback. Does it make sense to
make it a DefaultContainerExecutor property only? For security reasons, it
might make sense to give each ContainerExecutor subclass its own property for
container log directory permissions. If so, I can do this JIRA for
DefaultContainerExecutor and do a follow-up JIRA to refactor ContainerExecutor
and its subclasses for the other properties. I'd like a little more time to
think on that.

> Allow container directory permissions to be configurable
> --------------------------------------------------------
>
> Key: YARN-4579
> URL: https://issues.apache.org/jira/browse/YARN-4579
> Project: Hadoop YARN
> Issue Type: Improvement
> Components: yarn
> Affects Versions: 2.8.0
> Reporter: Ray Chiang
> Assignee: Ray Chiang
> Labels: supportability
> Attachments: YARN-4579.001.patch, YARN-4579.002.patch,
> YARN-4579.003.patch, YARN-4579.004.patch
>
>
> By default, container directory permissions are hardcoded to this member in
> DefaultContainerExecutor:
> static final short LOGDIR_PERM = (short)0710;
> There are some cases where less restrictive permissions are desired. Make
> this configurable.
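
As an added illustration (not code from the YARN-4579 patches or from anyone in this thread), the sketch below shows what the hardcoded 0710 grants to each POSIX caller class and how a loosened value read from configuration could be validated. The function names and the validation policy (owner keeps rwx, no group/other write, no special bits) are assumptions of this example.

```python
import stat

LOGDIR_PERM = 0o710  # hardcoded default quoted in the issue description


def dir_access(mode, is_owner, in_group):
    """What one non-root caller may do in a directory with this mode.

    POSIX applies exactly one class: owner, else group, else other.
    """
    if is_owner:
        r, w, x = stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR
    elif in_group:
        r, w, x = stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP
    else:
        r, w, x = stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH
    return {
        "list": bool(mode & r),                       # read entry names
        "traverse": bool(mode & x),                   # open an already known path
        "modify": bool(mode & w) and bool(mode & x),  # create or delete entries
    }


def parse_logdir_perm(value):
    """Parse an octal string from a hypothetical setting; reject unsafe modes.

    Policy assumed for this example: the owner keeps rwx, and group/other
    may gain read or traverse but never write.
    """
    try:
        mode = int(value, 8)
    except (TypeError, ValueError):
        raise ValueError(f"not an octal mode: {value!r}")
    if mode & ~0o777:
        raise ValueError("setuid, setgid and sticky bits are not accepted")
    if (mode & 0o700) != 0o700:
        raise ValueError("owner must keep rwx on the log directory")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise ValueError("group or other write is not accepted")
    return mode


if __name__ == "__main__":
    for text in ("710", "750", "755"):  # constructed sample values
        mode = parse_logdir_perm(text)
        print(text, "group:", dir_access(mode, False, True),
              "other:", dir_access(mode, False, False))
```

With 0710, a group member can open a log file whose path it already knows but cannot list the directory, and any other user gets nothing.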