Posted to common-issues@hadoop.apache.org by "jay vyas (JIRA)" <ji...@apache.org> on 2014/04/15 18:56:15 UTC

[jira] [Commented] (HADOOP-10505) Multitenant LinuxContainerExecutor is incompatible with Simple Security mode.

    [ https://issues.apache.org/jira/browse/HADOOP-10505?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13969732#comment-13969732 ] 

jay vyas commented on HADOOP-10505:
-----------------------------------

Upon further investigation, you cannot "hack" the yarn-site.xml file.

1) If you try a non-simple field for the value of hadoop.security.authentication (i.e. "proxy", "kerberos", "kerberos_ssl", ...) then you will get a "security method is not enabled" exception.

2) If you try the other hack of a "dummy" security method (i.e. hadoop.security.authentication = "foo"), you get the (expected) exception "Invalid attribute value of hadoop.security.authentication" error.

So I don't see a good workaround, unless maybe there is a simple way to implement a dummy implementation of security.

> Multitenant LinuxContainerExecutor is incompatible with Simple Security mode.
> -----------------------------------------------------------------------------
>
>                 Key: HADOOP-10505
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10505
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: jay vyas
>
> As of hadoop 2.3.0, commit cc74a18c makes it so that nonsecureLocalUser replaces the user who submits a job if security is disabled: 
> {noformat}
>  return UserGroupInformation.isSecurityEnabled() ? user : nonsecureLocalUser;
> {noformat}
> However, the only way to enable security is to NOT use SIMPLE authentication mode:
> {noformat}
>   public static boolean isSecurityEnabled() {
>     return !isAuthenticationMethodEnabled(AuthenticationMethod.SIMPLE);
>   }
> {noformat}
>  
> Thus, the framework ENFORCES that "SIMPLE" login security --> nonSecureuser for submission of LinuxExecutorContainer.
> This results in a confusing issue, wherein we submit a job as "sally" and then get an exception that user "nobody" is not whitelisted and has UID < MAX_ID.
> My proposed solution is that we should be able to leverage LinuxContainerExecutor regardless of hadoop's view of the security settings on the cluster, i.e. decouple LinuxContainerExecutor logic from the "isSecurityEnabled" return value.



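The coupling described in the report, modelled as an added example (not Hadoop source and not part of the original message): the two quoted checks are mirrored as-is, while the executor-side UID check, the class name RunAsUserModel, the launch() helper, the UID table and the minimum UID of 1000 are assumptions constructed for illustration.

```java
import java.util.Map;
import java.util.Set;

/** Added illustration: a stand-alone model, not Hadoop code. */
public class RunAsUserModel {
    enum AuthenticationMethod { SIMPLE, KERBEROS }

    // Mirrors the quoted check: security is "enabled" only when the mode is not SIMPLE.
    static boolean isSecurityEnabled(AuthenticationMethod method) {
        return method != AuthenticationMethod.SIMPLE;
    }

    // Mirrors the quoted ternary: in SIMPLE mode the submitter is replaced.
    static String runAsUser(AuthenticationMethod method, String user, String nonsecureLocalUser) {
        return isSecurityEnabled(method) ? user : nonsecureLocalUser;
    }

    // Assumed model of the check behind the error in the report: an account
    // below the minimum UID is refused unless it is explicitly whitelisted.
    static String launch(String runAs, Map<String, Integer> uids, int minUid, Set<String> whitelist) {
        Integer uid = uids.get(runAs);
        if (uid == null) {
            return "REJECT: no local account for " + runAs;
        }
        if (uid < minUid && !whitelist.contains(runAs)) {
            return "REJECT: user " + runAs + " is not whitelisted and has UID " + uid + " < " + minUid;
        }
        return "LAUNCH as " + runAs + " (uid " + uid + ")";
    }

    public static void main(String[] args) {
        // Constructed sample data: local accounts and executor limits.
        Map<String, Integer> uids = Map.of("sally", 1001, "nobody", 99);
        int minUid = 1000;
        Set<String> whitelist = Set.of();

        // Same submitter, both authentication modes: only the mode changes the outcome.
        for (AuthenticationMethod method : AuthenticationMethod.values()) {
            String runAs = runAsUser(method, "sally", "nobody");
            System.out.println(method + ": job submitted by sally -> "
                    + launch(runAs, uids, minUid, whitelist));
        }
    }
}
```

In the model, SIMPLE mode turns sally's submission into a launch attempt as "nobody", which the UID check refuses, while the same submission in KERBEROS mode launches as sally.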