YARN-1137. Add support whitelist for system users to Yarn container-executor.c. (rvs via tucu)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1523587 13f79535-47bb-0310-9956-ffa450edef68

hadoop-common-project/hadoop-common/src/site/apt/ClusterSetup.apt.vm

@@ -929,6 +929,8 @@ KVNO Timestamp         Principal
 *-------------------------+-------------------------+------------------------+
 | <<<banned.users>>> | hfds,yarn,mapred,bin | Banned users. |
 *-------------------------+-------------------------+------------------------+
+| <<<allowed.system.users>>> | foo,bar | Allowed system users. |
+*-------------------------+-------------------------+------------------------+
 | <<<min.user.id>>> | 1000 | Prevent other super-users. |
 *-------------------------+-------------------------+------------------------+
 

hadoop-yarn-project/CHANGES.txt

@@ -98,6 +98,9 @@ Release 2.1.1-beta - UNRELEASED
     completions in addition to application events. (Alejandro Abdelnur via
     vinodkv)
 
+    YARN-1137. Add support whitelist for system users to Yarn 
+    container-executor.c. (rvs via tucu)
+
   OPTIMIZATIONS
 
   BUG FIXES

hadoop-yarn-project/hadoop-yarn/conf/container-executor.cfg

@@ -1,3 +1,4 @@
 yarn.nodemanager.linux-container-executor.group=#configured value of yarn.nodemanager.linux-container-executor.group
 banned.users=#comma separated list of users who can not run applications
 min.user.id=1000#Prevent other super-users
+allowed.system.users=##comma separated list of system users who CAN run applications

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c

@@ -30,6 +30,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <limits.h>
 #include <sys/stat.h>
 #include <sys/mount.h>
 
@@ -492,6 +493,21 @@ static struct passwd* get_user_info(const char* user) {
   return result;
 }
 
+int is_whitelisted(const char *user) {
+  char **whitelist = get_values(ALLOWED_SYSTEM_USERS_KEY);
+  char **users = whitelist;
+  if (whitelist != NULL) {
+    for(; *users; ++users) {
+      if (strncmp(*users, user, LOGIN_NAME_MAX) == 0) {
+        free_values(whitelist);
+        return 1;
+      }
+    }
+    free_values(whitelist);
+  }
+  return 0;
+}
+
 /**
  * Is the user a real user account?
  * Checks:
@@ -526,9 +542,9 @@ struct passwd* check_user(const char *user) {
     fflush(LOGFILE);
     return NULL;
   }
-  if (user_info->pw_uid < min_uid) {
+  if (user_info->pw_uid < min_uid && !is_whitelisted(user)) {
-    fprintf(LOGFILE, "Requested user %s has id %d, which is below the "
+    fprintf(LOGFILE, "Requested user %s is not whitelisted and has id %d,"
-	    "minimum allowed %d\n", user, user_info->pw_uid, min_uid);
+	    "which is below the minimum allowed %d\n", user, user_info->pw_uid, min_uid);
     fflush(LOGFILE);
     free(user_info);
     return NULL;

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.h

@@ -65,6 +65,7 @@ enum errorcodes {
 #define CREDENTIALS_FILENAME "container_tokens"
 #define MIN_USERID_KEY "min.user.id"
 #define BANNED_USERS_KEY "banned.users"
+#define ALLOWED_SYSTEM_USERS_KEY "allowed.system.users"
 #define TMP_DIR "tmp"
 
 extern struct passwd *user_detail;

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/test-container-executor.c

@@ -99,6 +99,7 @@ int write_config_file(char *file_name) {
   }
   fprintf(file, "banned.users=bannedUser\n");
   fprintf(file, "min.user.id=500\n");
+  fprintf(file, "allowed.system.users=allowedUser,bin\n");
   fclose(file);
   return 0;
 }
@@ -195,6 +196,10 @@ void test_check_user() {
     printf("FAIL: failed check for system user root\n");
     exit(1);
   }
+  if (check_user("bin") == NULL) {
+    printf("FAIL: failed check for whitelisted system user bin\n");
+    exit(1);
+  }
 }
 
 void test_resolve_config_path() {