YARN-2424. LCE should support non-cgroups, non-secure mode (Chris Douglas via aw)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1619424 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Allen Wittenauer 2014-08-21 14:57:53 +00:00
parent f7e3b6e761
commit 5d965f2f3c
5 changed files with 43 additions and 2 deletions

View File

@ -208,6 +208,9 @@ Release 2.6.0 - UNRELEASED
YARN-1919. Potential NPE in EmbeddedElectorService#stop. YARN-1919. Potential NPE in EmbeddedElectorService#stop.
(Tsuyoshi Ozawa via kasha) (Tsuyoshi Ozawa via kasha)
YARN-2424. LCE should support non-cgroups, non-secure mode (Chris Douglas
via aw)
Release 2.5.0 - 2014-08-11 Release 2.5.0 - 2014-08-11
INCOMPATIBLE CHANGES INCOMPATIBLE CHANGES

View File

@ -836,6 +836,15 @@ public class YarnConfiguration extends Configuration {
public static final String NM_LINUX_CONTAINER_GROUP = public static final String NM_LINUX_CONTAINER_GROUP =
NM_PREFIX + "linux-container-executor.group"; NM_PREFIX + "linux-container-executor.group";
/**
* If linux-container-executor should limit itself to one user
* when running in non-secure mode.
*/
public static final String NM_NONSECURE_MODE_LIMIT_USERS= NM_PREFIX +
"linux-container-executor.nonsecure-mode.limit-users";
public static final boolean DEFAULT_NM_NONSECURE_MODE_LIMIT_USERS = true;
/** /**
* The UNIX user that containers will run as when Linux-container-executor * The UNIX user that containers will run as when Linux-container-executor
* is used in nonsecure mode (a use case for this is using cgroups). * is used in nonsecure mode (a use case for this is using cgroups).

View File

@ -990,9 +990,22 @@
<name>yarn.nodemanager.linux-container-executor.cgroups.mount-path</name> <name>yarn.nodemanager.linux-container-executor.cgroups.mount-path</name>
</property> </property>
<property>
<description>This determines which of the two modes that LCE should use on a non-secure
cluster. If this value is set to true, then all containers will be launched as the user
specified in yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user. If
this value is set to false, then containers will run as the user who submitted the
application.
</description>
<name>yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users</name>
<value>true</value>
</property>
<property> <property>
<description>The UNIX user that containers will run as when Linux-container-executor <description>The UNIX user that containers will run as when Linux-container-executor
is used in nonsecure mode (a use case for this is using cgroups).</description> is used in nonsecure mode (a use case for this is using cgroups) if the
yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users is set
to true.</description>
<name>yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user</name> <name>yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user</name>
<value>nobody</value> <value>nobody</value>
</property> </property>

View File

@ -57,6 +57,7 @@ public class LinuxContainerExecutor extends ContainerExecutor {
private LCEResourcesHandler resourcesHandler; private LCEResourcesHandler resourcesHandler;
private boolean containerSchedPriorityIsSet = false; private boolean containerSchedPriorityIsSet = false;
private int containerSchedPriorityAdjustment = 0; private int containerSchedPriorityAdjustment = 0;
private boolean containerLimitUsers = YarnConfiguration.DEFAULT_NM_NONSECURE_MODE_LIMIT_USERS;
@Override @Override
@ -80,6 +81,9 @@ public class LinuxContainerExecutor extends ContainerExecutor {
nonsecureLocalUserPattern = Pattern.compile( nonsecureLocalUserPattern = Pattern.compile(
conf.get(YarnConfiguration.NM_NONSECURE_MODE_USER_PATTERN_KEY, conf.get(YarnConfiguration.NM_NONSECURE_MODE_USER_PATTERN_KEY,
YarnConfiguration.DEFAULT_NM_NONSECURE_MODE_USER_PATTERN)); YarnConfiguration.DEFAULT_NM_NONSECURE_MODE_USER_PATTERN));
containerLimitUsers=conf.getBoolean(
YarnConfiguration.NM_NONSECURE_MODE_LIMIT_USERS,
YarnConfiguration.DEFAULT_NM_NONSECURE_MODE_LIMIT_USERS);
} }
void verifyUsernamePattern(String user) { void verifyUsernamePattern(String user) {
@ -91,7 +95,12 @@ public class LinuxContainerExecutor extends ContainerExecutor {
} }
String getRunAsUser(String user) { String getRunAsUser(String user) {
return UserGroupInformation.isSecurityEnabled() ? user : nonsecureLocalUser; if (UserGroupInformation.isSecurityEnabled() ||
!containerLimitUsers) {
return user;
} else {
return nonsecureLocalUser;
}
} }

View File

@ -279,6 +279,13 @@ public class TestLinuxContainerExecutor {
lce.setConf(conf); lce.setConf(conf);
Assert.assertEquals("bar", lce.getRunAsUser("foo")); Assert.assertEquals("bar", lce.getRunAsUser("foo"));
//nonsecure without limits
conf.set(YarnConfiguration.NM_NONSECURE_MODE_LOCAL_USER_KEY, "bar");
conf.set(YarnConfiguration.NM_NONSECURE_MODE_LIMIT_USERS, "false");
lce = new LinuxContainerExecutor();
lce.setConf(conf);
Assert.assertEquals("foo", lce.getRunAsUser("foo"));
//secure //secure
conf = new YarnConfiguration(); conf = new YarnConfiguration();
conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION,