YARN-2424. LCE should support non-cgroups, non-secure mode (Chris Douglas via aw)
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1619424 13f79535-47bb-0310-9956-ffa450edef68
parent
f7e3b6e761
commit
5d965f2f3c
|
@ -208,6 +208,9 @@ Release 2.6.0 - UNRELEASED
|
||||||
YARN-1919. Potential NPE in EmbeddedElectorService#stop.
|
YARN-1919. Potential NPE in EmbeddedElectorService#stop.
|
||||||
(Tsuyoshi Ozawa via kasha)
|
(Tsuyoshi Ozawa via kasha)
|
||||||
|
|
||||||
|
YARN-2424. LCE should support non-cgroups, non-secure mode (Chris Douglas
|
||||||
|
via aw)
|
||||||
|
|
||||||
Release 2.5.0 - 2014-08-11
|
Release 2.5.0 - 2014-08-11
|
||||||
|
|
||||||
INCOMPATIBLE CHANGES
|
INCOMPATIBLE CHANGES
|
||||||
|
|
|
@ -836,6 +836,15 @@ public class YarnConfiguration extends Configuration {
|
||||||
public static final String NM_LINUX_CONTAINER_GROUP =
|
public static final String NM_LINUX_CONTAINER_GROUP =
|
||||||
NM_PREFIX + "linux-container-executor.group";
|
NM_PREFIX + "linux-container-executor.group";
|
||||||
|
|
||||||
|
/**
|
||||||
|
* If linux-container-executor should limit itself to one user
|
||||||
|
* when running in non-secure mode.
|
||||||
|
*/
|
||||||
|
public static final String NM_NONSECURE_MODE_LIMIT_USERS= NM_PREFIX +
|
||||||
|
"linux-container-executor.nonsecure-mode.limit-users";
|
||||||
|
|
||||||
|
public static final boolean DEFAULT_NM_NONSECURE_MODE_LIMIT_USERS = true;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* The UNIX user that containers will run as when Linux-container-executor
|
* The UNIX user that containers will run as when Linux-container-executor
|
||||||
* is used in nonsecure mode (a use case for this is using cgroups).
|
* is used in nonsecure mode (a use case for this is using cgroups).
|
||||||
|
|
|
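Review bot: The Javadoc on `NM_NONSECURE_MODE_LIMIT_USERS` does not say what turning the limit off means: with the value false, containers run as the submitting user, and in non-secure mode that name is supplied by the client rather than authenticated. I would extend the comment with `* When false, containers run as the submitting user; in non-secure mode that name is not authenticated, so constrain it with the nonsecure-mode user pattern.` The `<description>` added to yarn-default.xml in this commit has the same gap and should carry the same sentence, since that is where operators will read it. The declaration is also missing a space before `=`.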
@ -990,9 +990,22 @@
|
||||||
<name>yarn.nodemanager.linux-container-executor.cgroups.mount-path</name>
|
<name>yarn.nodemanager.linux-container-executor.cgroups.mount-path</name>
|
||||||
</property>
|
</property>
|
||||||
|
|
||||||
|
<property>
|
||||||
|
<description>This determines which of the two modes that LCE should use on a non-secure
|
||||||
|
cluster. If this value is set to true, then all containers will be launched as the user
|
||||||
|
specified in yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user. If
|
||||||
|
this value is set to false, then containers will run as the user who submitted the
|
||||||
|
application.
|
||||||
|
</description>
|
||||||
|
<name>yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users</name>
|
||||||
|
<value>true</value>
|
||||||
|
</property>
|
||||||
|
|
||||||
<property>
|
<property>
|
||||||
<description>The UNIX user that containers will run as when Linux-container-executor
|
<description>The UNIX user that containers will run as when Linux-container-executor
|
||||||
is used in nonsecure mode (a use case for this is using cgroups).</description>
|
is used in nonsecure mode (a use case for this is using cgroups) if the
|
||||||
|
yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users is set
|
||||||
|
to true.</description>
|
||||||
<name>yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user</name>
|
<name>yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user</name>
|
||||||
<value>nobody</value>
|
<value>nobody</value>
|
||||||
</property>
|
</property>
|
||||||
|
|
|
@ -57,6 +57,7 @@ public class LinuxContainerExecutor extends ContainerExecutor {
|
||||||
private LCEResourcesHandler resourcesHandler;
|
private LCEResourcesHandler resourcesHandler;
|
||||||
private boolean containerSchedPriorityIsSet = false;
|
private boolean containerSchedPriorityIsSet = false;
|
||||||
private int containerSchedPriorityAdjustment = 0;
|
private int containerSchedPriorityAdjustment = 0;
|
||||||
|
private boolean containerLimitUsers = YarnConfiguration.DEFAULT_NM_NONSECURE_MODE_LIMIT_USERS;
|
||||||
|
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
@ -80,6 +81,9 @@ public class LinuxContainerExecutor extends ContainerExecutor {
|
||||||
nonsecureLocalUserPattern = Pattern.compile(
|
nonsecureLocalUserPattern = Pattern.compile(
|
||||||
conf.get(YarnConfiguration.NM_NONSECURE_MODE_USER_PATTERN_KEY,
|
conf.get(YarnConfiguration.NM_NONSECURE_MODE_USER_PATTERN_KEY,
|
||||||
YarnConfiguration.DEFAULT_NM_NONSECURE_MODE_USER_PATTERN));
|
YarnConfiguration.DEFAULT_NM_NONSECURE_MODE_USER_PATTERN));
|
||||||
|
containerLimitUsers=conf.getBoolean(
|
||||||
|
YarnConfiguration.NM_NONSECURE_MODE_LIMIT_USERS,
|
||||||
|
YarnConfiguration.DEFAULT_NM_NONSECURE_MODE_LIMIT_USERS);
|
||||||
}
|
}
|
||||||
|
|
||||||
void verifyUsernamePattern(String user) {
|
void verifyUsernamePattern(String user) {
|
||||||
|
@ -91,7 +95,12 @@ public class LinuxContainerExecutor extends ContainerExecutor {
|
||||||
}
|
}
|
||||||
|
|
||||||
String getRunAsUser(String user) {
|
String getRunAsUser(String user) {
|
||||||
return UserGroupInformation.isSecurityEnabled() ? user : nonsecureLocalUser;
|
if (UserGroupInformation.isSecurityEnabled() ||
|
||||||
|
!containerLimitUsers) {
|
||||||
|
return user;
|
||||||
|
} else {
|
||||||
|
return nonsecureLocalUser;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
|
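Review bot: `getRunAsUser` now returns the caller-supplied `user` when security is off and `containerLimitUsers` is false, but nothing in the method checks that name; the only validation visible here is `verifyUsernamePattern`, whose body and call sites lie outside these hunks. If every caller is expected to run that check first, the method should say so, e.g. `// Precondition: in non-secure mode callers must have passed 'user' through verifyUsernamePattern(user).` above the `if`. Calling `verifyUsernamePattern(user)` inside the non-limited branch would make the check hard to skip, presumably at the cost of a repeated match. As a style matter, `containerLimitUsers=conf.getBoolean(` needs spaces around `=`.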
@ -279,6 +279,13 @@ public class TestLinuxContainerExecutor {
|
||||||
lce.setConf(conf);
|
lce.setConf(conf);
|
||||||
Assert.assertEquals("bar", lce.getRunAsUser("foo"));
|
Assert.assertEquals("bar", lce.getRunAsUser("foo"));
|
||||||
|
|
||||||
|
//nonsecure without limits
|
||||||
|
conf.set(YarnConfiguration.NM_NONSECURE_MODE_LOCAL_USER_KEY, "bar");
|
||||||
|
conf.set(YarnConfiguration.NM_NONSECURE_MODE_LIMIT_USERS, "false");
|
||||||
|
lce = new LinuxContainerExecutor();
|
||||||
|
lce.setConf(conf);
|
||||||
|
Assert.assertEquals("foo", lce.getRunAsUser("foo"));
|
||||||
|
|
||||||
//secure
|
//secure
|
||||||
conf = new YarnConfiguration();
|
conf = new YarnConfiguration();
|
||||||
conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION,
|
conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION,
|
||||||
|
|
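Review bot: The new "nonsecure without limits" case only asserts the accepted path, `getRunAsUser("foo")` returning `"foo"`; there is no case showing that a submitter name outside the configured pattern is still refused once `NM_NONSECURE_MODE_LIMIT_USERS` is false. Since this setting is what lets a client-chosen name become the UNIX run-as user, I would add a negative case in the same block that sets `NM_NONSECURE_MODE_USER_PATTERN_KEY` to a narrow pattern and checks that `lce.verifyUsernamePattern(...)` rejects a non-matching name. The block also appears to reuse the `conf` from the previous case, which would make the repeated `conf.set(YarnConfiguration.NM_NONSECURE_MODE_LOCAL_USER_KEY, "bar")` redundant. The test method starts and ends outside the hunk.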