YARN-5549. AMLauncher#createAMContainerLaunchContext() should not log the command to be launched indiscriminately. (Daniel Templeton via rchiang)
(cherry picked from commit 4ee1729cb0
)
parent
9b7e079d4b
commit
02272a6a77
|
@ -403,6 +403,18 @@ public class YarnConfiguration extends Configuration {
|
||||||
public static final int DEFAULT_RM_SYSTEM_METRICS_PUBLISHER_DISPATCHER_POOL_SIZE =
|
public static final int DEFAULT_RM_SYSTEM_METRICS_PUBLISHER_DISPATCHER_POOL_SIZE =
|
||||||
10;
|
10;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* The {@code AMLauncher.createAMContainerLaunchContext()} method will log the
|
||||||
|
* command being executed to the RM log if this property is true. Commands
|
||||||
|
* may contain sensitive information, such as application or service
|
||||||
|
* passwords, making logging the commands a security risk. In cases where
|
||||||
|
* the cluster may be running applications with such commands, this property
|
||||||
|
* should be set to false. Commands are only logged at the debug level.
|
||||||
|
*/
|
||||||
|
public static final String RM_AMLAUNCHER_LOG_COMMAND =
|
||||||
|
RM_PREFIX + "amlauncher.log.command";
|
||||||
|
public static final boolean DEFAULT_RM_AMLAUNCHER_LOG_COMMAND = false;
|
||||||
|
|
||||||
//RM delegation token related keys
|
//RM delegation token related keys
|
||||||
public static final String RM_DELEGATION_KEY_UPDATE_INTERVAL_KEY =
|
public static final String RM_DELEGATION_KEY_UPDATE_INTERVAL_KEY =
|
||||||
RM_PREFIX + "delegation.key.update-interval";
|
RM_PREFIX + "delegation.key.update-interval";
|
||||||
|
|
|
@ -298,6 +298,19 @@
|
||||||
<value>50</value>
|
<value>50</value>
|
||||||
</property>
|
</property>
|
||||||
|
|
||||||
|
<property>
|
||||||
|
<description>
|
||||||
|
The resource manager will log all commands being executed to the RM log
|
||||||
|
if this property is true. Commands may contain sensitive information,
|
||||||
|
such as application or service passwords, making logging the commands a
|
||||||
|
security risk. In cases where the cluster may be running applications with
|
||||||
|
such commands this property should be set to false. Commands are only
|
||||||
|
logged at the debug level.
|
||||||
|
</description>
|
||||||
|
<name>yarn.resourcemanager.amlauncher.log.command</name>
|
||||||
|
<value>false</value>
|
||||||
|
</property>
|
||||||
|
|
||||||
<property>
|
<property>
|
||||||
<description>The class to use as the resource scheduler.</description>
|
<description>The class to use as the resource scheduler.</description>
|
||||||
<name>yarn.resourcemanager.scheduler.class</name>
|
<name>yarn.resourcemanager.scheduler.class</name>
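Review bot: The description of the new `yarn.resourcemanager.amlauncher.log.command` property says the resource manager "will log all commands being executed", which is broader than what the flag controls. In the hunks visible here it is read only by `AMLauncher` and gates a single debug message for the AM container launch command. An operator reading yarn-default.xml could conclude that setting it to false keeps every launch command out of every log. I would narrow the first sentence to match the Javadoc in `YarnConfiguration`, e.g. `The resource manager will log the command used to launch each application master container to the RM log if this property is true.`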
|
||||||
|
|
|
@ -64,6 +64,7 @@ import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptI
|
||||||
import org.apache.hadoop.yarn.util.ConverterUtils;
|
import org.apache.hadoop.yarn.util.ConverterUtils;
|
||||||
|
|
||||||
import com.google.common.annotations.VisibleForTesting;
|
import com.google.common.annotations.VisibleForTesting;
|
||||||
|
import com.google.common.base.Joiner;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* The launch of the AM itself.
|
* The launch of the AM itself.
|
||||||
|
@ -79,6 +80,7 @@ public class AMLauncher implements Runnable {
|
||||||
private final AMLauncherEventType eventType;
|
private final AMLauncherEventType eventType;
|
||||||
private final RMContext rmContext;
|
private final RMContext rmContext;
|
||||||
private final Container masterContainer;
|
private final Container masterContainer;
|
||||||
|
private final boolean logCommandLine;
|
||||||
|
|
||||||
@SuppressWarnings("rawtypes")
|
@SuppressWarnings("rawtypes")
|
||||||
private final EventHandler handler;
|
private final EventHandler handler;
|
||||||
|
@ -91,6 +93,9 @@ public class AMLauncher implements Runnable {
|
||||||
this.rmContext = rmContext;
|
this.rmContext = rmContext;
|
||||||
this.handler = rmContext.getDispatcher().getEventHandler();
|
this.handler = rmContext.getDispatcher().getEventHandler();
|
||||||
this.masterContainer = application.getMasterContainer();
|
this.masterContainer = application.getMasterContainer();
|
||||||
|
this.logCommandLine =
|
||||||
|
conf.getBoolean(YarnConfiguration.RM_AMLAUNCHER_LOG_COMMAND,
|
||||||
|
YarnConfiguration.DEFAULT_RM_AMLAUNCHER_LOG_COMMAND);
|
||||||
}
|
}
|
||||||
|
|
||||||
private void connect() throws IOException {
|
private void connect() throws IOException {
|
||||||
|
@ -186,11 +191,22 @@ public class AMLauncher implements Runnable {
|
||||||
// Construct the actual Container
|
// Construct the actual Container
|
||||||
ContainerLaunchContext container =
|
ContainerLaunchContext container =
|
||||||
applicationMasterContext.getAMContainerSpec();
|
applicationMasterContext.getAMContainerSpec();
|
||||||
LOG.info("Command to launch container "
|
|
||||||
+ containerID
|
if (LOG.isDebugEnabled()) {
|
||||||
+ " : "
|
StringBuilder message = new StringBuilder("Command to launch container ");
|
||||||
+ StringUtils.arrayToString(container.getCommands().toArray(
|
|
||||||
new String[0])));
|
message.append(containerID).append(" : ");
|
||||||
|
|
||||||
|
if (logCommandLine) {
|
||||||
|
message.append(Joiner.on(",").join(container.getCommands()));
|
||||||
|
} else {
|
||||||
|
message.append("<REDACTED> -- Set ");
|
||||||
|
message.append(YarnConfiguration.RM_AMLAUNCHER_LOG_COMMAND);
|
||||||
|
message.append(" to true to reenable command logging");
|
||||||
|
}
|
||||||
|
|
||||||
|
LOG.debug(message.toString());
|
||||||
|
}
|
||||||
|
|
||||||
// Populate the current queue name in the environment variable.
|
// Populate the current queue name in the environment variable.
|
||||||
setupQueueNameEnv(container, applicationMasterContext);
|
setupQueueNameEnv(container, applicationMasterContext);
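Review bot: When `logCommandLine` is true, the joined command string is appended to the debug message verbatim, and it comes from `applicationMasterContext.getAMContainerSpec()`, which presumably originates with the submitting application. A command containing CR or LF would split the RM log entry and could make it look like separate records, so I would neutralise line breaks before appending, e.g. `message.append(Joiner.on(",").join(container.getCommands()).replaceAll("[\\r\\n]+", " "));`. A short comment on the `logCommandLine` field, such as `// Opt-in only: AM launch commands can carry passwords, so the debug log redacts them by default.`, would also record why the redaction branch exists. The enclosing method starts and ends outside this hunk.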
|
||||||
|
|