YARN-2424. LCE should support non-cgroups, non-secure mode (Chris Douglas via aw)
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1619421 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index a4a432d..5eb5e40 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -226,6 +226,9 @@
YARN-1919. Potential NPE in EmbeddedElectorService#stop.
(Tsuyoshi Ozawa via kasha)
+ YARN-2424. LCE should support non-cgroups, non-secure mode (Chris Douglas
+ via aw)
+
Release 2.5.0 - 2014-08-11
INCOMPATIBLE CHANGES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
index d227e4f..034ec4f 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
@@ -837,6 +837,15 @@
NM_PREFIX + "linux-container-executor.group";
/**
+ * True if linux-container-executor should limit itself to one user
+ * when running in non-secure mode.
+ */
+ public static final String NM_NONSECURE_MODE_LIMIT_USERS = NM_PREFIX +
+ "linux-container-executor.nonsecure-mode.limit-users";
+
+ public static final boolean DEFAULT_NM_NONSECURE_MODE_LIMIT_USERS = true;
+
+ /**
* The UNIX user that containers will run as when Linux-container-executor
* is used in nonsecure mode (a use case for this is using cgroups).
*/
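Review bot: The Javadoc on `NM_NONSECURE_MODE_LIMIT_USERS` does not say what happens when the value is false, which is the security-relevant case. In non-secure mode the submitter's name is not authenticated, so turning the limit off lets containers run as whichever UNIX user the client names. I would add a sentence such as `When false, containers run as the submitting user, whose identity is not authenticated in non-secure mode.` The same caveat is missing from the new `limit-users` description in yarn-default.xml, which only says containers run as the user who submitted the application.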
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml
index 55b3490..9b4a90f 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml
@@ -991,8 +991,22 @@
</property>
<property>
- <description>The UNIX user that containers will run as when Linux-container-executor
- is used in nonsecure mode (a use case for this is using cgroups).</description>
+ <description>This determines which of the two modes that LCE should use on
+ a non-secure cluster. If this value is set to true, then all containers
+ will be launched as the user specified in
+ yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user. If
+ this value is set to false, then containers will run as the user who
+ submitted the application.</description>
+ <name>yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users</name>
+ <value>true</value>
+ </property>
+
+ <property>
+ <description>The UNIX user that containers will run as when
+ Linux-container-executor is used in nonsecure mode (a use case for this
+ is using cgroups) if the
+ yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users is
+ set to true.</description>
<name>yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user</name>
<value>nobody</value>
</property>
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/LinuxContainerExecutor.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/LinuxContainerExecutor.java
index 7962da2..804864e 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/LinuxContainerExecutor.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/LinuxContainerExecutor.java
@@ -57,8 +57,8 @@
private LCEResourcesHandler resourcesHandler;
private boolean containerSchedPriorityIsSet = false;
private int containerSchedPriorityAdjustment = 0;
-
-
+ private boolean containerLimitUsers;
+
@Override
public void setConf(Configuration conf) {
super.setConf(conf);
@@ -81,6 +81,13 @@
nonsecureLocalUserPattern = Pattern.compile(
conf.get(YarnConfiguration.NM_NONSECURE_MODE_USER_PATTERN_KEY,
YarnConfiguration.DEFAULT_NM_NONSECURE_MODE_USER_PATTERN));
+ containerLimitUsers = conf.getBoolean(
+ YarnConfiguration.NM_NONSECURE_MODE_LIMIT_USERS,
+ YarnConfiguration.DEFAULT_NM_NONSECURE_MODE_LIMIT_USERS);
+ if (!containerLimitUsers) {
+ LOG.warn(YarnConfiguration.NM_NONSECURE_MODE_LIMIT_USERS +
+ ": impersonation without authentication enabled");
+ }
}
void verifyUsernamePattern(String user) {
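Review bot: The warning added to `setConf` fires whenever `limit-users` is false, including on a cluster with security enabled, where `getRunAsUser` returns the submitting user regardless of this flag. On a secure cluster "impersonation without authentication enabled" would be a false alarm, and it weakens a log line that operators should act on. Guarding it as `if (!containerLimitUsers && !UserGroupInformation.isSecurityEnabled()) {` keeps the warning to the case it describes, assuming the security setting is already initialised when `setConf` runs. `setConf` starts before this hunk, so the earlier part of its body is not visible here.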
@@ -92,7 +99,12 @@
}
String getRunAsUser(String user) {
- return UserGroupInformation.isSecurityEnabled() ? user : nonsecureLocalUser;
+ if (UserGroupInformation.isSecurityEnabled() ||
+ !containerLimitUsers) {
+ return user;
+ } else {
+ return nonsecureLocalUser;
+ }
}
/**
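Review bot: `getRunAsUser` has no comment saying that, in non-secure mode with `containerLimitUsers` false, the name it returns is the unauthenticated, client-supplied one. A short Javadoc should list the three outcomes (security enabled, non-secure with the limit off, non-secure with the limit on) and state the precondition, for example `Callers must have passed user through verifyUsernamePattern.` Whether every caller does so is not visible in this diff and is worth confirming, because the returned value decides which UNIX account the container runs as. As a minor style point, the `else` after `return user;` is redundant and the method could end with a plain `return nonsecureLocalUser;`.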
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/TestLinuxContainerExecutor.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/TestLinuxContainerExecutor.java
index f840730..a5ec43b 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/TestLinuxContainerExecutor.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/TestLinuxContainerExecutor.java
@@ -279,6 +279,13 @@
lce.setConf(conf);
Assert.assertEquals("bar", lce.getRunAsUser("foo"));
+ //nonsecure without limits
+ conf.set(YarnConfiguration.NM_NONSECURE_MODE_LOCAL_USER_KEY, "bar");
+ conf.setBoolean(YarnConfiguration.NM_NONSECURE_MODE_LIMIT_USERS, false);
+ lce = new LinuxContainerExecutor();
+ lce.setConf(conf);
+ Assert.assertEquals("foo", lce.getRunAsUser("foo"));
+
//secure
conf = new YarnConfiguration();
conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION,
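Review bot: The new "nonsecure without limits" case asserts only that `getRunAsUser("foo")` returns `"foo"` and does not exercise `verifyUsernamePattern` in this mode. That method appears to be the Java-side check on a client-supplied name once the limit is off, so I would add an assertion that a name not matching the configured pattern is still rejected when `NM_NONSECURE_MODE_LIMIT_USERS` is false. The call `conf.set(YarnConfiguration.NM_NONSECURE_MODE_LOCAL_USER_KEY, "bar")` also looks redundant if `conf` is carried over from the preceding case, which lies outside the hunk. The test method starts and ends outside this hunk.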