Uploaded image for project: 'Hadoop YARN'
  1. Hadoop YARN
  2. YARN-1943

Multitenant LinuxContainerExecutor is incompatible with Simple Security mode.

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Critical
    • Resolution: Duplicate
    • 2.3.0
    • 2.3.0
    • nodemanager

    Description

      As of hadoop 2.3.0, commit cc74a18c makes it so that nonsecureLocalUser replaces the user who submits a job if security is disabled: 

       return UserGroupInformation.isSecurityEnabled() ? user : nonsecureLocalUser;

      However, the only way to enable security, is to NOT use SIMPLE authentication mode:

        public static boolean isSecurityEnabled() {
    return !isAuthenticationMethodEnabled(AuthenticationMethod.SIMPLE);
  }

      Thus, the framework ENFORCES that "SIMPLE" login security --> nonSecureuser for submission of LinuxExecutorContainer.

      This results in a confusing issue, wherein we submit a job as "sally" and then get an exception that user "nobody" is not whitelisted and has UID < MAX_ID.

      My proposed solution is that we should be able to leverage LinuxContainerExector regardless of hadoop's view of the security settings on the cluster, i.e. decouple LinuxContainerExecutor logic from the "isSecurityEnabled" return value.

      Attachments

        Issue Links

          duplicates

          Bug - A problem which impairs or prevents the functions of the product. YARN-2424 LCE should support non-cgroups, non-secure mode

          • Blocker - Blocks development and/or testing work, production could not run
          • Closed

          Activity

            People

              Unassigned Unassigned
              jayunit100 jay vyas
              Votes:
              0 Vote for this issue
              Watchers:
              10 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: