[
https://issues.apache.org/jira/browse/HADOOP-10505?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
jay vyas updated HADOOP-10505:
------------------------------
Summary: Multitenant LinuxContainerExecutor is incompatible with Simple
Security mode. (was: LinuxContainerExecutor is incompatible with Simple
Security mode.)
> Multitenant LinuxContainerExecutor is incompatible with Simple Security mode.
> -----------------------------------------------------------------------------
>
> Key: HADOOP-10505
> URL: https://issues.apache.org/jira/browse/HADOOP-10505
> Project: Hadoop Common
> Issue Type: Bug
> Reporter: jay vyas
>
> As of hadoop 2.3.0, commit cc74a18c makes it so that nonsecureLocalUser
> replaces the user who submits a job if security is disabled:
> {noformat}
> return UserGroupInformation.isSecurityEnabled() ? user : nonsecureLocalUser;
> {noformat}
> However, the only way to enable security, is to NOT use SIMPLE authentication
> mode:
> {noformat}
> public static boolean isSecurityEnabled() {
> return !isAuthenticationMethodEnabled(AuthenticationMethod.SIMPLE);
> }
> {noformat}
>
> Thus, the framework ENFORCES that "SIMPLE" login security --> nonSecureuser
> for submission of LinuxExecutorContainer.
> This results in a confusing issue, wherein we submit a job as "sally" and
> then get an exception that user "nobody" is not whitelisted and has UID <
> MAX_ID.
> My proposed solution is that we should be able to leverage
> LinuxContainerExector regardless of hadoop's view of the security settings on
> the cluster, i.e. decouple LinuxContainerExecutor logic from the
> "isSecurityEnabled" return value.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
