You are viewing a plain text version of this content. The canonical link for it is here.

Posted to mapreduce-user@hadoop.apache.org by Tim Williams <wi...@gmail.com> on 2014/12/11 21:04:50 UTC

run yarn container as specific user

I'm able to use the UGI.doAs(..) to launch a yarn app and, through the
ResourceManager, both the ApplicationMaster and Containers are
associated with the correct user.  But the process on the node itself
really runs as the yarn user.  The problem is that the yarn app writes
data to DFS and its being written as yarn, since that's what the real
process is.  This is an non-secure cluster.  I've yet to stumble upon
a solution that doesn't feel icky.  What's the right way to achieve
this?

Thanks,
--tim

Re: run yarn container as specific user

Posted by Hitesh Shah <hi...@apache.org>.

Is you app code running within the container also being run within a UGI.doAs() ? 

You can use the following in your code to create a UGI for the “actual” user and run all the logic within that: 

<code>
        actualUserUGI = UserGroupInformation.createRemoteUser(System
            .getenv(ApplicationConstants.Environment.USER.toString()));
</code>

Your other option is to try and get the LinuxContainerExecutor working on a non-secure cluster ( not sure if that is trivial to do ).

— Hitesh

On Dec 11, 2014, at 12:04 PM, Tim Williams <wi...@gmail.com> wrote:

> I'm able to use the UGI.doAs(..) to launch a yarn app and, through the
> ResourceManager, both the ApplicationMaster and Containers are
> associated with the correct user.  But the process on the node itself
> really runs as the yarn user.  The problem is that the yarn app writes
> data to DFS and its being written as yarn, since that's what the real
> process is.  This is an non-secure cluster.  I've yet to stumble upon
> a solution that doesn't feel icky.  What's the right way to achieve
> this?
> 
> Thanks,
> --tim

Re: run yarn container as specific user

Posted by Hitesh Shah <hi...@apache.org>.

Is you app code running within the container also being run within a UGI.doAs() ? 

You can use the following in your code to create a UGI for the “actual” user and run all the logic within that: 

<code>
        actualUserUGI = UserGroupInformation.createRemoteUser(System
            .getenv(ApplicationConstants.Environment.USER.toString()));
</code>

Your other option is to try and get the LinuxContainerExecutor working on a non-secure cluster ( not sure if that is trivial to do ).

— Hitesh

On Dec 11, 2014, at 12:04 PM, Tim Williams <wi...@gmail.com> wrote:

> I'm able to use the UGI.doAs(..) to launch a yarn app and, through the
> ResourceManager, both the ApplicationMaster and Containers are
> associated with the correct user.  But the process on the node itself
> really runs as the yarn user.  The problem is that the yarn app writes
> data to DFS and its being written as yarn, since that's what the real
> process is.  This is an non-secure cluster.  I've yet to stumble upon
> a solution that doesn't feel icky.  What's the right way to achieve
> this?
> 
> Thanks,
> --tim

Re: run yarn container as specific user

Posted by Hitesh Shah <hi...@apache.org>.

Is you app code running within the container also being run within a UGI.doAs() ? 

You can use the following in your code to create a UGI for the “actual” user and run all the logic within that: 

<code>
        actualUserUGI = UserGroupInformation.createRemoteUser(System
            .getenv(ApplicationConstants.Environment.USER.toString()));
</code>

Your other option is to try and get the LinuxContainerExecutor working on a non-secure cluster ( not sure if that is trivial to do ).

— Hitesh

On Dec 11, 2014, at 12:04 PM, Tim Williams <wi...@gmail.com> wrote:

> I'm able to use the UGI.doAs(..) to launch a yarn app and, through the
> ResourceManager, both the ApplicationMaster and Containers are
> associated with the correct user.  But the process on the node itself
> really runs as the yarn user.  The problem is that the yarn app writes
> data to DFS and its being written as yarn, since that's what the real
> process is.  This is an non-secure cluster.  I've yet to stumble upon
> a solution that doesn't feel icky.  What's the right way to achieve
> this?
> 
> Thanks,
> --tim

Re: run yarn container as specific user

Posted by Hitesh Shah <hi...@apache.org>.

Is you app code running within the container also being run within a UGI.doAs() ? 

You can use the following in your code to create a UGI for the “actual” user and run all the logic within that: 

<code>
        actualUserUGI = UserGroupInformation.createRemoteUser(System
            .getenv(ApplicationConstants.Environment.USER.toString()));
</code>

Your other option is to try and get the LinuxContainerExecutor working on a non-secure cluster ( not sure if that is trivial to do ).

— Hitesh

On Dec 11, 2014, at 12:04 PM, Tim Williams <wi...@gmail.com> wrote:

> I'm able to use the UGI.doAs(..) to launch a yarn app and, through the
> ResourceManager, both the ApplicationMaster and Containers are
> associated with the correct user.  But the process on the node itself
> really runs as the yarn user.  The problem is that the yarn app writes
> data to DFS and its being written as yarn, since that's what the real
> process is.  This is an non-secure cluster.  I've yet to stumble upon
> a solution that doesn't feel icky.  What's the right way to achieve
> this?
> 
> Thanks,
> --tim