Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

what are security implications of whitelisting yarn user with yarn.nodemanager.linux-container-executor.nonsecure-mode.local-user=yarn?

avatar
Master Mentor

In absence of a secured cluster, I enabled Linux Secured Containers and white-listed yarn user. In a production environment, what are the security risks with whitelisting yarn user and having regular users execute Oozie workflows on behalf of hbase user.

1 ACCEPTED SOLUTION

avatar
@Artem Ervits, the risk of executing as the yarn user relates to several statements from the Apache Hadoop documentation on Secure Mode. Specifically, the section on the NodeManager states the following:

For maximum security, this executor sets up restricted permissions and user/group ownership of local files and directories used by the containers such as the shared objects, jars, intermediate files, log files etc. Particularly note that, because of this, except the application owner and NodeManager, no other user can access any of the local files/directories including those localized as part of the distributed cache.

Therefore, by executing YARN containers as user "yarn", which is the same as the user running the NodeManager, the container process can get full access to localized file content. This would open a risk of users writing arbitrary application code that scans the local disk looking for localized files that potentially contain sensitive data, or even changing the contents of user-submitted executables to mount a code injection attack. It would also be possible to access files owned by the yarn user on HDFS.

View solution in original post

2 REPLIES 2

avatar
@Artem Ervits, the risk of executing as the yarn user relates to several statements from the Apache Hadoop documentation on Secure Mode. Specifically, the section on the NodeManager states the following:

For maximum security, this executor sets up restricted permissions and user/group ownership of local files and directories used by the containers such as the shared objects, jars, intermediate files, log files etc. Particularly note that, because of this, except the application owner and NodeManager, no other user can access any of the local files/directories including those localized as part of the distributed cache.

Therefore, by executing YARN containers as user "yarn", which is the same as the user running the NodeManager, the container process can get full access to localized file content. This would open a risk of users writing arbitrary application code that scans the local disk looking for localized files that potentially contain sensitive data, or even changing the contents of user-submitted executables to mount a code injection attack. It would also be possible to access files owned by the yarn user on HDFS.

avatar
Master Mentor
@Chris Nauroth

thank you very much, looking forward to your Hadoop Summit sessions.