[ https://issues.apache.org/jira/browse/YARN-1253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13783335#comment-13783335 ]
Hadoop QA commented on YARN-1253:
---------------------------------

{color:green}+1 overall{color}. Here are the results of testing the latest attachment
  http://issues.apache.org/jira/secure/attachment/12606170/YARN-1253.patch.txt
  against trunk revision .

    {color:green}+1 @author{color}. The patch does not contain any @author tags.

    {color:green}+1 tests included{color}. The patch appears to include 3 new or modified test files.

    {color:green}+1 javac{color}. The applied patch does not increase the total number of javac compiler warnings.

    {color:green}+1 javadoc{color}. The javadoc tool did not generate any warning messages.

    {color:green}+1 eclipse:eclipse{color}. The patch built with eclipse:eclipse.

    {color:green}+1 findbugs{color}. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

    {color:green}+1 release audit{color}. The applied patch does not increase the total number of release audit warnings.

    {color:green}+1 core tests{color}. The patch passed unit tests in hadoop-common-project/hadoop-common hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager.

    {color:green}+1 contrib tests{color}. The patch passed contrib unit tests.

Test results: https://builds.apache.org/job/PreCommit-YARN-Build/2057//testReport/
Console output: https://builds.apache.org/job/PreCommit-YARN-Build/2057//console

This message is automatically generated.

> Changes to LinuxContainerExecutor to run containers as a single dedicated user in non-secure mode
> -------------------------------------------------------------------------------------------------
>
>                 Key: YARN-1253
>                 URL: https://issues.apache.org/jira/browse/YARN-1253
>             Project: Hadoop YARN
>          Issue Type: New Feature
>          Components: nodemanager
>    Affects Versions: 2.1.0-beta
>            Reporter: Alejandro Abdelnur
>            Assignee: Roman Shaposhnik
>            Priority: Blocker
>         Attachments: YARN-1253.patch.txt
>
>
> When using cgroups we require LCE to be configured in the cluster to start containers.
> LCE starts containers as the user that submitted the job. While this works correctly in a secure setup, in an un-secure setup this presents a couple of issues:
> * LCE requires all Hadoop users submitting jobs to be Unix users in all nodes
> * Because users can impersonate other users, any user would have access to any local file of other users
> Particularly, the second issue is not desirable as a user could get access to ssh keys of other users in the nodes or, if there are NFS mounts, get to other users' data outside of the cluster.

--
This message was sent by Atlassian JIRA (v6.1#6144)