https://community.cloudera.com/t5/Archives-of-Support-Questions/what-are-security-implications-of-whitelisting-yarn-user/m-p/131571#M27228 <A rel="user" href="https://community.cloudera.com/users/381/cnauroth.html" nodeid="381">@Chris Nauroth</A><P>thank you very much, looking forward to your Hadoop Summit sessions.</P> Thu, 16 Jun 2016 09:37:21 GMT aervits 2016-06-16T09:37:21Z https://community.cloudera.com/t5/Archives-of-Support-Questions/what-are-security-implications-of-whitelisting-yarn-user/m-p/131569#M27226 <P>In absence of a secured cluster, I enabled Linux Secured Containers and white-listed yarn user. In a production environment, what are the security risks with whitelisting yarn user and having regular users execute Oozie workflows on behalf of hbase user. </P> Thu, 05 May 2016 00:57:18 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/what-are-security-implications-of-whitelisting-yarn-user/m-p/131569#M27226 aervits 2016-05-05T00:57:18Z https://community.cloudera.com/t5/Archives-of-Support-Questions/what-are-security-implications-of-whitelisting-yarn-user/m-p/131570#M27227 <A rel="user" href="https://community.cloudera.com/users/393/aervits.html" nodeid="393">@Artem Ervits</A>, the risk of executing as the yarn user relates to several statements from the Apache Hadoop documentation on <A href="http://hadoop.apache.org/docs/r2.7.2/hadoop-project-dist/hadoop-common/SecureMode.html">Secure Mode</A>. Specifically, the section on the <A href="http://hadoop.apache.org/docs/r2.7.2/hadoop-project-dist/hadoop-common/SecureMode.html#NodeManager">NodeManager</A> states the following:<P> </P><P><EM>For maximum security, this executor sets up restricted permissions and user/group ownership of local files and directories used by the containers such as the shared objects, jars, intermediate files, log files etc. Particularly note that, because of this, except the application owner and NodeManager, no other user can access any of the local files/directories including those localized as part of the distributed cache. </EM></P><P>Therefore, by executing YARN containers as user "yarn", which is the same as the user running the NodeManager, the container process can get full access to localized file content. This would open a risk of users writing arbitrary application code that scans the local disk looking for localized files that potentially contain sensitive data, or even changing the contents of user-submitted executables to mount a code injection attack. It would also be possible to access files owned by the yarn user on HDFS.</P> Mon, 13 Jun 2016 13:28:18 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/what-are-security-implications-of-whitelisting-yarn-user/m-p/131570#M27227 cnauroth 2016-06-13T13:28:18Z https://community.cloudera.com/t5/Archives-of-Support-Questions/what-are-security-implications-of-whitelisting-yarn-user/m-p/131571#M27228 <A rel="user" href="https://community.cloudera.com/users/381/cnauroth.html" nodeid="381">@Chris Nauroth</A><P>thank you very much, looking forward to your Hadoop Summit sessions.</P> Thu, 16 Jun 2016 09:37:21 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/what-are-security-implications-of-whitelisting-yarn-user/m-p/131571#M27228 aervits 2016-06-16T09:37:21Z