Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

How to set user in LinuxContainerExecutor from code

Labels:
avatar
author-rank prudenko
New Contributor

Created on ‎11-05-2015 07:38 AM - edited ‎09-16-2022 02:48 AM

I have a long running application master that accepts requests (monitors queue). In request i have a field "username" - the user, i want to launch a job on a container from.

As from yarn documentation:

  • The default value set for Apache Hadoop in non-secure clusters is org.apache.hadoop.yarn.server.nodemanager.DefaultContainerExecutor. This class runs all containers as the Yarn user to avoid accidental operations being executed in the NodeManagers by arbitrary users.
  • The alternative value for this property is org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor. This class executes containers with the container-executor binary, which performs a privilege escalation to run containers as the users that submitted the application request.

 

I've changed yarn.nodemanager.container-executor.class to LinuxContainerExecutor. How can i set a user which will be run command on a container? The only method that seems like does authentification is ContainerLaunchContext.setTokens. I have a next code:

 

private def setupTokens(user: String): ByteBuffer = {
        val ugi = UserGroupInformation.createProxyUser(user, UserGroupInformation.getCurrentUser)
        LOG.info(s"Creating proxyuser ${ugi.getUserName} impersonated by ${UserGroupInformation.getCurrentUser}")
        val credentials = ugi.getCredentials
        val dob = new DataOutputBuffer();
        credentials.writeTokenStorageToStream(dob);
        ByteBuffer.wrap(dob.getData(), 0, dob.getLength()).duplicate();
    }
  
    val cCLC = Records.newRecord(classOf[ContainerLaunchContext])
    cCLC.setCommands(List("whoami"))
    cCLC.setTokens(setupTokens(user))

But it doesn't work.

3,266 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank Harsh J author-rank
Mentor

Created ‎11-08-2015 07:10 AM 

But it doesn't work.

 

Could you please always clarify on what doesn't work, specifically, along with exact error messages? This statement is vague when you seek help troubleshooting from others.

 

Looking over your code snippet, it seems like you're trying to run a container as a different user than the AM runs as, by trying to influence the token sent along with the ContainerLaunchContext.

 

This isn't gonna work, cause the token the NM looks for (for its true-user-determination) is in the allocated Container object (obtained from the AMRMClient, which you pass onto the NMClient), not from the ContainerLaunchContext (these tokens are for use inside the Container if needed, but not for its launch checks).

 

Since the RM will grant tokens only to the app-ID requesting it (and the true owner thereof), you cannot also run an App with the AM as one user and Containers as another. Is this what you are trying to attempt?

 

If your intention is simpler, i.e. running the containers just as the app (and AM) user, then you only need to configure LinuxContainerExecutor and need no code changes (the framework handles container token handling for NMs). Remember also, if you are using LinuxContainerExecutor without Kerberos auth enabled, then it falls back into a secured state of impersonating only one user 'nobody'. See config 'yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users' under http://archive.cloudera.com/cdh5/cdh/5/hadoop/hadoop-yarn/hadoop-yarn-common/yarn-default.xml#yarn.n... to switch off this protection.

View solution in original post

3,246 Views
3 REPLIES 3

avatar
author-rank Harsh J author-rank
Mentor

Created ‎11-08-2015 07:10 AM 

But it doesn't work.

 

Could you please always clarify on what doesn't work, specifically, along with exact error messages? This statement is vague when you seek help troubleshooting from others.

 

Looking over your code snippet, it seems like you're trying to run a container as a different user than the AM runs as, by trying to influence the token sent along with the ContainerLaunchContext.

 

This isn't gonna work, cause the token the NM looks for (for its true-user-determination) is in the allocated Container object (obtained from the AMRMClient, which you pass onto the NMClient), not from the ContainerLaunchContext (these tokens are for use inside the Container if needed, but not for its launch checks).

 

Since the RM will grant tokens only to the app-ID requesting it (and the true owner thereof), you cannot also run an App with the AM as one user and Containers as another. Is this what you are trying to attempt?

 

If your intention is simpler, i.e. running the containers just as the app (and AM) user, then you only need to configure LinuxContainerExecutor and need no code changes (the framework handles container token handling for NMs). Remember also, if you are using LinuxContainerExecutor without Kerberos auth enabled, then it falls back into a secured state of impersonating only one user 'nobody'. See config 'yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users' under http://archive.cloudera.com/cdh5/cdh/5/hadoop/hadoop-yarn/hadoop-yarn-common/yarn-default.xml#yarn.n... to switch off this protection.

3,247 Views

avatar
author-rank prudenko
New Contributor

Created ‎11-09-2015 05:51 AM

Yes i would like to run an AM under user that could impersonate other users. When on AM i got a request i want to run a command on a container as a user that sent a request (assuming it could be impersonated). E.g. AM is running as a user1 user. He could impersonate user2. AM got a request:

{"user": "user2",
"command" : "whoami"}

And it should be run as user2.

3,235 Views
0 Kudos

avatar
author-rank Harsh J author-rank
Mentor

Created ‎11-11-2015 07:11 AM

The only way I can think of to do that is to spawn a whole new application, impersonating the user, from within your AM. That may work, although I've never tried it.
3,174 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements