Posted to common-user@hadoop.apache.org by Tomasz Fruboes <To...@fuw.edu.pl> on 2015/06/25 11:30:14 UTC

YARN and LinuxContainerExecutor in simple security mode

Dear Experts,

  I'm running a small YARN cluster configured to use simple security, 
LinuxContainerExecutor and

  yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users=false

  in order to get correct uid when executing jobs. This is needed to 
access files from network exported filesystem.

  I was wondering - does this pose any security risk (since 
nonsecure-mode.limit is set to true by default in the simple security 
mode)? I.e. is there a known way for a user to get uid of different user 
with such configuration?

  Cheers,
    Tomasz


Re: YARN and LinuxContainerExecutor in simple security mode

Posted by Ravi Prakash <ra...@ymail.com>.
Hi Tomasz!
I believe that's true. 

Ravi 


     On Tuesday, June 30, 2015 4:56 AM, Tomasz Fruboes <To...@fuw.edu.pl> wrote:
   

 Dear Ravi,

  thanks for answer. I went through the discussion in the ticket you 
mention and did some experimentation. My understanding is the following 
- as long as I don't explicitly allow for this using

  hadoop.proxyuser.username.groups
  hadoop.proxyuser.username.hosts

user processes spawned by yarn on worknodes will always run with the uid 
of that user. Is that right?

  Thanks,
  Tomasz




On 29.06.2015 at 21:43, Ravi Prakash wrote:
> Hi Tomasz!
>
> It is tricky to set up, but there are no implications to security if you
> configure it correctly. Please read the discussion on [YARN-2424] LCE
> should support non-cgroups, non-secure mode - ASF JIRA
> <https://issues.apache.org/jira/browse/YARN-2424>
>
> HTH
> Ravi
>
> On Thursday, June 25, 2015 2:30 AM, Tomasz Fruboes
> <To...@fuw.edu.pl> wrote:
>
>
> Dear Experts,
>
>    I'm running a small YARN cluster configured to use simple security,
> LinuxContainerExecutor and
>
>
> yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users=false
>
>    in order to get correct uid when executing jobs. This is needed to
> access files from network exported filesystem.
>
>    I was wondering - does this pose any security risk (since
> nonsecure-mode.limit is set to true by default in the simple security
> mode)? I.e. is there a known way for a user to get uid of different user
> with such configuration?
>
>    Cheers,
>      Tomasz
>
>
>



  




  

Re: YARN and LinuxContainerExecutor in simple security mode

Posted by Tomasz Fruboes <To...@fuw.edu.pl>.
Dear Ravi,

  thanks for answer. I went through the discussion in the ticket you 
mention and did some experimentation. My understanding is the following 
- as long as I don't explicitly allow for this using

  hadoop.proxyuser.username.groups
  hadoop.proxyuser.username.hosts

user processes spawned by yarn on worknodes will always run with the uid 
of that user. Is that right?

  Thanks,
   Tomasz




On 29.06.2015 at 21:43, Ravi Prakash wrote:
> Hi Tomasz!
>
> It is tricky to set up, but there are no implications to security if you
> configure it correctly. Please read the discussion on [YARN-2424] LCE
> should support non-cgroups, non-secure mode - ASF JIRA
> <https://issues.apache.org/jira/browse/YARN-2424>
>
> HTH
> Ravi
>
> On Thursday, June 25, 2015 2:30 AM, Tomasz Fruboes
> <To...@fuw.edu.pl> wrote:
>
>
> Dear Experts,
>
>    I'm running a small YARN cluster configured to use simple security,
> LinuxContainerExecutor and
>
>
> yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users=false
>
>    in order to get correct uid when executing jobs. This is needed to
> access files from network exported filesystem.
>
>    I was wondering - does this pose any security risk (since
> nonsecure-mode.limit is set to true by default in the simple security
> mode)? I.e. is there a known way for a user to get uid of different user
> with such configuration?
>
>    Cheers,
>      Tomasz
>
>
>




Re: YARN and LinuxContainerExecutor in simple security mode

Posted by Ravi Prakash <ra...@ymail.com>.
Hi Tomasz!
It is tricky to set up, but there are no implications to security if you configure it correctly. Please read the discussion on [YARN-2424] LCE should support non-cgroups, non-secure mode - ASF JIRA 

HTH
Ravi







     On Thursday, June 25, 2015 2:30 AM, Tomasz Fruboes <To...@fuw.edu.pl> wrote:
   

 Dear Experts,

  I'm running a small YARN cluster configured to use simple security, 
LinuxContainerExecutor and

  yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users=false

  in order to get correct uid when executing jobs. This is needed to 
access files from network exported filesystem.

  I was wondering - does this pose any security risk (since 
nonsecure-mode.limit is set to true by default in the simple security 
mode)? I.e. is there a known way for a user to get uid of different user 
with such configuration?

  Cheers,
    Tomasz
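
Added example (not part of the thread and not Hadoop project code): a read-only audit of the settings discussed above, run over the contents of core-site.xml and yarn-site.xml. The sample files, the account name svc and the host gw1.example.org are constructed; the values assumed for unset properties (simple authentication, limit-users true, local user nobody) are the stock Hadoop defaults.

```python
import re
import xml.etree.ElementTree as ET

LIMIT_USERS = "yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users"
LOCAL_USER = "yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user"
EXECUTOR = "yarn.nodemanager.container-executor.class"
AUTH = "hadoop.security.authentication"
PROXY_RE = re.compile(r"^hadoop\.proxyuser\.(.+)\.(groups|hosts)$")
# Constructed sample files for illustration; "svc" and the host name are made up.
SAMPLE_CORE_SITE = """<configuration>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
  <property><name>hadoop.proxyuser.svc.groups</name><value>*</value></property>
  <property><name>hadoop.proxyuser.svc.hosts</name><value>gw1.example.org</value></property>
</configuration>"""
SAMPLE_YARN_SITE = """<configuration>
  <property><name>yarn.nodemanager.container-executor.class</name>
    <value>org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor</value></property>
  <property><name>yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users</name>
    <value>false</value></property>
</configuration>"""


def load_props(xml_text):
    """Parse a Hadoop *-site.xml document into a {name: value} dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def audit(core_xml, yarn_xml):
    """Return (key, message) findings for the settings discussed in the thread."""
    props = {**load_props(core_xml), **load_props(yarn_xml)}
    findings = []
    simple = props.get(AUTH, "simple").lower() == "simple"
    uses_lce = props.get(EXECUTOR, "").endswith("LinuxContainerExecutor")
    if simple and uses_lce:
        if props.get(LIMIT_USERS, "true").lower() == "false":
            findings.append((LIMIT_USERS, "containers run under the uid of the "
                             "submitting user name, not one fixed local account"))
        else:
            findings.append((LIMIT_USERS, "containers run as local user "
                             + props.get(LOCAL_USER, "nobody")))
    # Group the proxyuser settings per account so a missing half is visible.
    grants = {}
    for key, value in props.items():
        m = PROXY_RE.match(key)
        if m:
            grants.setdefault(m.group(1), {})[m.group(2)] = value
    for user, grant in sorted(grants.items()):
        for part in ("groups", "hosts"):
            value = grant.get(part)
            state = ("not set" if value is None else
                     "wildcard, any %s accepted" % part if value == "*" else
                     "restricted to " + value)
            findings.append(("hadoop.proxyuser.%s.%s" % (user, part), state))
    return findings


if __name__ == "__main__":
    for key, message in audit(SAMPLE_CORE_SITE, SAMPLE_YARN_SITE):
        print(key, "->", message)
```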



  
