YARN-3462. Patches applied for YARN-2424 are inconsistent between trunk and branch-2. Contributed by Naganarasimha G R.

hadoop-yarn-project/CHANGES.txt

@@ -165,6 +165,9 @@ Release 2.7.1 - UNRELEASED
 
   BUG FIXES
 
+    YARN-3462. Patches applied for YARN-2424 are inconsistent between
+    trunk and branch-2. (Naganarasimha G R via harsh)
+
 Release 2.7.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml

@@ -1036,21 +1036,22 @@
   </property>
 
   <property>
-    <description>This determines which of the two modes that LCE should use on a non-secure
+    <description>This determines which of the two modes that LCE should use on
-    cluster.  If this value is set to true, then all containers will be launched as the user 
+      a non-secure cluster.  If this value is set to true, then all containers
-    specified in yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user.  If 
+      will be launched as the user specified in
-    this value is set to false, then containers will run as the user who submitted the 
+      yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user.  If
-    application.
+      this value is set to false, then containers will run as the user who
-    </description>
+      submitted the application.</description>
     <name>yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users</name>
     <value>true</value>
   </property>
 
   <property>
-    <description>The UNIX user that containers will run as when Linux-container-executor
+    <description>The UNIX user that containers will run as when
-    is used in nonsecure mode (a use case for this is using cgroups) if the
+      Linux-container-executor is used in nonsecure mode (a use case for this
-    yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users is set 
+      is using cgroups) if the
-    to true.</description>
+      yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users is
+      set to true.</description>
     <name>yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user</name>
     <value>nobody</value>
   </property>

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/LinuxContainerExecutor.java

@@ -59,9 +59,8 @@ public class LinuxContainerExecutor extends ContainerExecutor {
   private LCEResourcesHandler resourcesHandler;
   private boolean containerSchedPriorityIsSet = false;
   private int containerSchedPriorityAdjustment = 0;
-  private boolean containerLimitUsers = YarnConfiguration.DEFAULT_NM_NONSECURE_MODE_LIMIT_USERS;
+  private boolean containerLimitUsers;
-  
+
-  
   @Override
   public void setConf(Configuration conf) {
     super.setConf(conf);
@@ -71,6 +70,7 @@ public class LinuxContainerExecutor extends ContainerExecutor {
             conf.getClass(YarnConfiguration.NM_LINUX_CONTAINER_RESOURCES_HANDLER,
               DefaultLCEResourcesHandler.class, LCEResourcesHandler.class), conf);
     resourcesHandler.setConf(conf);
+
     if (conf.get(YarnConfiguration.NM_CONTAINER_EXECUTOR_SCHED_PRIORITY) != null) {
      containerSchedPriorityIsSet = true;
      containerSchedPriorityAdjustment = conf
@@ -83,9 +83,13 @@ public class LinuxContainerExecutor extends ContainerExecutor {
     nonsecureLocalUserPattern = Pattern.compile(
         conf.get(YarnConfiguration.NM_NONSECURE_MODE_USER_PATTERN_KEY,
             YarnConfiguration.DEFAULT_NM_NONSECURE_MODE_USER_PATTERN));        
-    containerLimitUsers=conf.getBoolean(
+    containerLimitUsers = conf.getBoolean(
       YarnConfiguration.NM_NONSECURE_MODE_LIMIT_USERS,
       YarnConfiguration.DEFAULT_NM_NONSECURE_MODE_LIMIT_USERS);
+    if (!containerLimitUsers) {
+      LOG.warn(YarnConfiguration.NM_NONSECURE_MODE_LIMIT_USERS +
+          ": impersonation without authentication enabled");
+    }
   }
 
   void verifyUsernamePattern(String user) {