Posted to dev@dolphinscheduler.apache.org by zhuangchong <zh...@163.com> on 2020/12/17 05:21:43 UTC

[solution] Document Dolphin schemes for ordinary users on Linux OS and run with ordinary permissions

HI:

	issue:https://github.com/apache/incubator-dolphinscheduler/issues/4235

	
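	This documents one scheme for running Dolphin as an ordinary user on Linux OS with ordinary permissions; I hope it helps others.

	Currently, Dolphin at runtime requires sudo to be configured, and passwordless, in order to submit tasks for multiple tenants (leaving one-click deployment aside for now, because one-click deployment runs only once and can be handled through a request process or with online guidance from operations; failing that, it can even be installed manually).

	However, some companies have requirements that do not allow root access or sudo to be granted (the first impression is that granting sudo actually means having all of root's permissions).

	For companies with the requirements above, the likelihood of choosing Dolphin is very small.

	Now for the sudo configuration: the range of users that sudo controls can be specified. For example, grant user A sudo permission and specify that user A can only act as user B and user C (user A, user B and user C are all ordinary users with ordinary permissions; user B and user C are the client tenants that submit jobs to the YARN cluster; access among user A, user B and user C is access between ordinary users, with no privilege-exceeding operations).

	The drawback is that when a new big data tenant, user D, is added, user D must also be added to the sudo configuration file. But I think that if a company already controls OS user permissions, then a new big data tenant user D is not something you create yourself anyway; it requires a request process too. Now a sudo configuration step is simply added to that request process, so this is not really a drawback.

	The specific configuration is as follows: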

	echo 'dolphinscheduler  ALL=(userA,userB,userC)  NOPASSWD: ALL' >> /etc/sudoers

	
	
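	Using sudo to implement multi-tenancy is also a real pain point; I am also looking for a better way to implement multi-tenancy. Discussion is welcome!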

—

	This documents a scheme for running Dolphin as an ordinary Linux OS user with ordinary permissions, hoping to help others (not to mention one-click deployment, because one-click deployment only runs once, either through the submission process or online guidance operations; it can be installed manually).

	Currently the Dolphin runtime needs sudo to be configured, and passwordless, for multi-tenant task submission.

	However, some companies have requirements that do not allow root or sudo.

	For companies with such requirements, Dolphin is less likely to be chosen.

	Now for the sudo configuration: the range of users that sudo controls can be specified. For example, give user A sudo permission and specify that user A can only act as user B and user C (user A, user B and user C are all ordinary users with ordinary permissions; user B and user C are the client tenants that submit jobs to the YARN cluster; access among user A, user B and user C is access between ordinary users, with no super-authority operation).

	The downside is that when a new big data tenant, user D, is added, user D also has to be added to the sudo configuration file. But I think that if a company already controls OS user permissions, a new big data tenant user D is not something you create yourself; it also needs a request process. Now a sudo configuration is only added to that request process, so this is not a defect.

	The specific configuration is as follows:

	echo 'dolphinscheduler  ALL=(userA,userB,userC)  NOPASSWD: ALL' >> /etc/sudoers


	Using sudo to achieve multi-tenancy is also a very painful point; I am also looking for a better way to achieve multi-tenancy. Discussion is welcome!
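
An added example, not part of the original post or of the DolphinScheduler project: one way to apply the restricted Runas rule described above so that the tenant list cannot silently include root or the ALL wildcard, and so that a syntax error never reaches the live sudoers configuration. The function names, the SUDOERS_DROPIN variable and the drop-in path are assumptions, as is a sudoers file that already includes /etc/sudoers.d.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed names: the two functions
# below, SUDOERS_DROPIN and /etc/sudoers.d/dolphinscheduler-tenants.

# Print a sudoers rule that lets user $1 run commands only as the tenants
# named in the remaining arguments. Runs in a subshell so variables stay local.
render_tenant_rule() (
    [ "$#" -ge 2 ] || { echo "usage: render_tenant_rule SCHEDULER TENANT..." >&2; exit 1; }
    for name in "$@"; do
        case $name in
            # root or the ALL wildcard would defeat the restriction; any
            # character outside the set below (',', '%', '#', space) could
            # add unintended entries to the Runas list.
            ''|root|ALL|-*|*[!A-Za-z0-9_-]*)
                echo "refusing name: '$name'" >&2; exit 1 ;;
        esac
    done
    scheduler=$1; shift
    IFS=,   # "$*" joins the tenants with the first character of IFS
    printf '%s ALL=(%s) NOPASSWD: ALL\n' "$scheduler" "$*"
)

# Validate the rule with visudo before it goes live, then install it as a
# root-owned 0440 drop-in instead of appending to /etc/sudoers. Needs root.
install_tenant_rule() (
    dest=${SUDOERS_DROPIN:-/etc/sudoers.d/dolphinscheduler-tenants}
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT
    render_tenant_rule "$@" > "$tmp" || exit 1
    visudo -cf "$tmp" >/dev/null || { echo "sudoers syntax check failed" >&2; exit 1; }
    install -m 0440 -o root -g root "$tmp" "$dest"
)

# Demo with the users from the post; printing the rule needs no privileges.
render_tenant_rule dolphinscheduler userA userB userC
```

After `install_tenant_rule dolphinscheduler userA userB userC` has been run as root, `sudo -l -U dolphinscheduler` shows the rule that is actually in effect.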