jay vyas created HADOOP-10505:
---------------------------------
Summary: LinuxContainerExecutor is incompatible with Simple
Security mode.
Key: HADOOP-10505
URL: https://issues.apache.org/jira/browse/HADOOP-10505
Project: Hadoop Common
Issue Type: Bug
Reporter: jay vyas
As of hadoop 2.3.0, commit cc74a18c makes it so that nonsecureLocalUser
replaces the user who submits a job if security is disabled:
{noformat}
return UserGroupInformation.isSecurityEnabled() ? user : nonsecureLocalUser;
{noformat}
However, the only way to enable security, is to NOT use SIMPLE authentication
mode:
{noformat}
public static boolean isSecurityEnabled() {
return !isAuthenticationMethodEnabled(AuthenticationMethod.SIMPLE);
}
{noformat}
Thus, the framework ENFORCES that "SIMPLE" login security --> nonSecureuser for
submission of LinuxExecutorContainer.
This results in a confusing issue, wherein we submit a job as "sally" and then
get an exception that user "nobody" is not whitelisted and has UID < MAX_ID.
My proposed solution is that we should be able to leverage
LinuxContainerExector regardless of hadoop's view of the security settings on
the cluster, i.e. decouple LinuxContainerExecutor logic from the
"isSecurityEnabled" return value.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
