[ https://issues.apache.org/jira/browse/YARN-1253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13787214#comment-13787214 ]
Hudson commented on YARN-1253:
------------------------------

SUCCESS: Integrated in Hadoop-Hdfs-trunk #1543 (See [https://builds.apache.org/job/Hadoop-Hdfs-trunk/1543/])
YARN-1253. Changes to LinuxContainerExecutor to run containers as a single dedicated user in non-secure mode. (rvs via tucu) (tucu: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1529325)
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/site/apt/ClusterSetup.apt.vm
* /hadoop/common/trunk/hadoop-yarn-project/CHANGES.txt
* /hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
* /hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml
* /hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/LinuxContainerExecutor.java
* /hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c
* /hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/main.c
* /hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/test-container-executor.c
* /hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/TestLinuxContainerExecutor.java
* /hadoop/common/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/TestLinuxContainerExecutorWithMocks.java

> Changes to LinuxContainerExecutor to run containers as a single dedicated user in non-secure mode
> -------------------------------------------------------------------------------------------------
>
>                 Key: YARN-1253
>                 URL: https://issues.apache.org/jira/browse/YARN-1253
>             Project: Hadoop YARN
>          Issue Type: New Feature
>          Components: nodemanager
>    Affects Versions: 2.1.0-beta
>            Reporter: Alejandro Abdelnur
>            Assignee: Roman Shaposhnik
>            Priority: Blocker
>             Fix For: 2.3.0
>
>         Attachments: YARN-1253.patch.txt
>
>
> When using cgroups we require LCE to be configured in the cluster to start
> containers.
> LCE starts containers as the user that submitted the job. While this
> works correctly in a secure setup, in an un-secure setup this presents a
> couple issues:
> * LCE requires all Hadoop users submitting jobs to be Unix users in all nodes
> * Because users can impersonate other users, any user would have access to
> any local file of other users
> Particularly, the second issue is not desirable as a user could get access to
> ssh keys of other users in the nodes or if there are NFS mounts, get to other
> users' data outside of the cluster.

--
This message was sent by Atlassian JIRA
(v6.1#6144)