Posted to common-commits@hadoop.apache.org by eb...@apache.org on 2019/08/13 17:17:16 UTC

[hadoop] branch branch-3.1 updated: YARN-9442. container working directory has group read permissions. Contributed by Jim Brennan.

This is an automated email from the ASF dual-hosted git repository.

ebadger pushed a commit to branch branch-3.1
in repository https://gitbox.apache.org/repos/asf/hadoop.git


The following commit(s) were added to refs/heads/branch-3.1 by this push:
     new a995e63  YARN-9442. container working directory has group read permissions. Contributed by Jim Brennan.
a995e63 is described below

commit a995e6352f0b8450eb8b66cda995d2477a8e2b61
Author: Eric Badger <eb...@verizonmedia.com>
AuthorDate: Tue Aug 13 17:16:57 2019 +0000

    YARN-9442. container working directory has group read permissions. Contributed by Jim Brennan.
    
    (cherry picked from commit 2ac029b949f041da2ee04da441c5f9f85e1f2c64)
    
    Conflicts:
    	hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/test-container-executor.c
    
    (cherry picked from commit cec71691be76577718b22f936aea9e2b2cd100ea)
---
 .../container-executor/impl/container-executor.c   | 71 +++++++++++++++-------
 .../test/test-container-executor.c                 | 12 ++++
 2 files changed, 61 insertions(+), 22 deletions(-)

diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c
index 7e86e88..00d2e86 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c
@@ -721,8 +721,8 @@ int check_dir(const char* npath, mode_t st_mode, mode_t desired, int finalCompon
  */
 static int create_container_directories(const char* user, const char *app_id,
     const char *container_id, char* const* local_dir, char* const* log_dir, const char *work_dir) {
-  // create dirs as 0750
-  const mode_t perms = S_IRWXU | S_IRGRP | S_IXGRP;
+  // create dirs as 0710
+  const mode_t perms = S_IRWXU | S_IXGRP;
   if (user == NULL || app_id == NULL || container_id == NULL ||
       local_dir == NULL || log_dir == NULL || work_dir == NULL ||
       user_detail == NULL || user_detail->pw_name == NULL) {
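Review bot: The changed comment on the `perms` line states the new octal mode but not what it is for, and since this hunk also splits the mode into two (the log-dir mode is introduced as `logdir_perms` in the next hunk), a reader of `create_container_directories` has to work out which directories each one governs. The bits themselves say what changed: `S_IRGRP` is dropped while `S_IXGRP` is kept, so group members can presumably still traverse into the container directories but can no longer list them. I would make that explicit: `// Container local/work dirs are 0710: group may traverse (x) but not list (r); log dirs use logdir_perms below.` The function body continues outside the hunk.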
@@ -764,6 +764,9 @@ static int create_container_directories(const char* user, const char *app_id,
   } else {
     sprintf(combined_name, "%s/%s", app_id, container_id);
     char* const* log_dir_ptr;
+    // Log dirs need 750 access
+    const mode_t logdir_perms = S_IRWXU | S_IRGRP | S_IXGRP;
+
     for(log_dir_ptr = log_dir; *log_dir_ptr != NULL; ++log_dir_ptr) {
       char *container_log_dir = get_app_log_directory(*log_dir_ptr, combined_name);
       int check = check_nm_local_dir(nm_uid, *log_dir_ptr);
@@ -777,7 +780,7 @@ static int create_container_directories(const char* user, const char *app_id,
       if (container_log_dir == NULL) {
         free(combined_name);
         return OUT_OF_MEMORY;
-      } else if (mkdirs(container_log_dir, perms) != 0) {
+      } else if (mkdirs(container_log_dir, logdir_perms) != 0) {
         free(container_log_dir);
       } else {
         result = 0;
@@ -1229,6 +1232,37 @@ int create_container_log_dirs(const char *container_id, const char *app_id,
 }
 
 /**
+ * Function to create the application directories.
+ * Returns pointer to primary_app_dir or NULL if it fails.
+ */
+static char *create_app_dirs(const char *user,
+                             const char *app_id,
+                             char* const* local_dirs)
+{
+  // 750
+  mode_t permissions = S_IRWXU | S_IRGRP | S_IXGRP;
+  char* const* nm_root;
+  char *primary_app_dir = NULL;
+  for(nm_root=local_dirs; *nm_root != NULL; ++nm_root) {
+    char *app_dir = get_app_directory(*nm_root, user, app_id);
+    if (app_dir == NULL) {
+      // try the next one
+    } else if (mkdirs(app_dir, permissions) != 0) {
+      free(app_dir);
+    } else if (primary_app_dir == NULL) {
+      primary_app_dir = app_dir;
+    } else {
+      free(app_dir);
+    }
+  }
+
+  if (primary_app_dir == NULL) {
+    fprintf(LOGFILE, "Did not create any app directories\n");
+  }
+  return primary_app_dir;
+}
+
+/**
  * Function to prepare the application directories for the container.
  */
 int initialize_app(const char *user, const char *app_id,
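Review bot: The header comment on the new `create_app_dirs` does not document ownership of the returned pointer, which both callers must know (the `create_local_dirs` caller frees it immediately, `initialize_app` keeps using it). I would replace the second doc line with: `Returns the first app directory that could be created, as a heap-allocated string the caller must free(); returns NULL (after logging) when none could be created. A NULL from get_app_directory for one local dir is skipped and the next local dir is tried.` Two style points in the same hunk: `permissions` could be `const mode_t`, matching `perms`/`logdir_perms` in `create_container_directories`, and the comment `// 750` would read better as `// create dirs as 0750` like the sibling; the opening brace on its own line at the function definition also differs from the rest of the file as visible in this diff.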
@@ -1271,25 +1305,9 @@ int initialize_app(const char *user, const char *app_id,
     return -1;
   }
 
-  // 750
-  mode_t permissions = S_IRWXU | S_IRGRP | S_IXGRP;
-  char* const* nm_root;
-  char *primary_app_dir = NULL;
-  for(nm_root=local_dirs; *nm_root != NULL; ++nm_root) {
-    char *app_dir = get_app_directory(*nm_root, user, app_id);
-    if (app_dir == NULL) {
-      // try the next one
-    } else if (mkdirs(app_dir, permissions) != 0) {
-      free(app_dir);
-    } else if (primary_app_dir == NULL) {
-      primary_app_dir = app_dir;
-    } else {
-      free(app_dir);
-    }
-  }
-
+  // Create application directories
+  char *primary_app_dir = create_app_dirs(user, app_id, local_dirs);
   if (primary_app_dir == NULL) {
-    fprintf(LOGFILE, "Did not create any app directories\n");
     return -1;
   }
 
@@ -1480,8 +1498,17 @@ int create_local_dirs(const char * user, const char *app_id,
       goto cleanup;
     }
   }
+
+  // Create application directories if not already created by localization
+  char *primary_app_dir = create_app_dirs(user, app_id, local_dirs);
+  if (primary_app_dir == NULL) {
+    exit_code = COULD_NOT_CREATE_WORK_DIRECTORIES;
+    goto cleanup;
+  }
+  free(primary_app_dir);
+
   // Create container specific directories as user. If there are no resources
-  // to localize for this container, app-directories and log-directories are
+  // to localize for this container, log-directories are
   // also created automatically as part of this call.
   int directory_create_result = create_container_directories(user, app_id,
     container_id, local_dirs, log_dirs, work_dir);
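Review bot: The new call in `create_local_dirs` frees `primary_app_dir` right after the NULL check, so the allocated path is requested only to be thrown away; the call is being used as a success/failure signal. Either a short comment should say so — `// Only the success of the creation matters here; the path itself is not needed.` — or `create_app_dirs` could grow an int-returning variant so this caller does not allocate and free a string it never reads. The comment `if not already created by localization` implies `mkdirs` tolerates an already existing directory; that is not visible in this hunk and is worth confirming, since a failure there would map to COULD_NOT_CREATE_WORK_DIRECTORIES. `create_local_dirs` starts and ends outside the hunk.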
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/test-container-executor.c b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/test-container-executor.c
index f4f00c0..18ac09a 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/test-container-executor.c
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/test-container-executor.c
@@ -939,6 +939,18 @@ void test_run_container() {
     printf("FAIL: failed to create container directory %s\n", container_dir);
     exit(1);
   }
+  // Verify no group read permission on container_dir
+  struct stat st_buf;
+  if (stat(container_dir, &st_buf) < 0) {
+    printf("FAIL: failed to stat container directory %s\n", container_dir);
+    exit(1);
+  }
+  if ((st_buf.st_mode & S_IRGRP) != 0) {
+    printf("FAIL: group read permission should not be set on "
+           "container directory %s\n", container_dir);
+    exit(1);
+  }
+
   char buffer[100000];
   sprintf(buffer, "%s/foobar", container_dir);
   if (access(buffer, R_OK) != 0) {
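Review bot: The new check in `test_run_container` asserts only that the group read bit is clear, so a regression that re-adds world permissions on the container directory would pass unnoticed even though the intent of this change is that only the owner can read the directory. A stronger check costs the same one line: `if ((st_buf.st_mode & (S_IRGRP | S_IRWXO)) != 0) {` with the message adjusted to `"group read or other permissions should not be set on "`. Checking the exact mode against 0710 would be stronger still, but whether `mkdirs` produces that bit-for-bit (umask handling) is not visible here, so I would not pin it without confirming. `test_run_container` starts and ends outside the hunk.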

