Member since
11-05-2015
11-09-2015
05:51 AM
Yes, I would like to run an AM under a user that could impersonate other users. When the AM gets a request, I want to run a command on a container as the user that sent the request (assuming that user can be impersonated). E.g. the AM is running as user1, and user1 can impersonate user2. The AM gets a request:

    {"user": "user2", "command": "whoami"}

And it should be run as user2.
11-05-2015
07:38 AM
I have a long-running application master that accepts requests (it monitors a queue). In the request I have a field "username": the user I want to launch a job on a container as.

As from the YARN documentation: The default value set for Apache Hadoop in non-secure clusters is org.apache.hadoop.yarn.server.nodemanager.DefaultContainerExecutor. This class runs all containers as the Yarn user to avoid accidental operations being executed in the NodeManagers by arbitrary users. The alternative value for this property is org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor. This class executes containers with the container-executor binary, which performs a privilege escalation to run containers as the users that submitted the application request.

I've changed yarn.nodemanager.container-executor.class to LinuxContainerExecutor. How can I set the user that the command will be run as on a container? The only method that seems to do authentication is ContainerLaunchContext.setTokens. I have the following code:

    import java.nio.ByteBuffer
    import org.apache.hadoop.io.DataOutputBuffer
    import org.apache.hadoop.security.UserGroupInformation
    import org.apache.hadoop.yarn.api.records.ContainerLaunchContext
    import org.apache.hadoop.yarn.util.Records
    import scala.collection.JavaConverters._

    // Serialize the proxy user's credentials for ContainerLaunchContext.setTokens
    private def setupTokens(user: String): ByteBuffer = {
      val ugi = UserGroupInformation.createProxyUser(user, UserGroupInformation.getCurrentUser)
      LOG.info(s"Creating proxyuser ${ugi.getUserName} impersonated by ${UserGroupInformation.getCurrentUser}")
      val credentials = ugi.getCredentials
      val dob = new DataOutputBuffer()
      credentials.writeTokenStorageToStream(dob)
      ByteBuffer.wrap(dob.getData, 0, dob.getLength).duplicate()
    }

    val cCLC = Records.newRecord(classOf[ContainerLaunchContext])
    cCLC.setCommands(List("whoami").asJava) // setCommands takes a java.util.List
    cCLC.setTokens(setupTokens(user))

But it doesn't work.
Labels: Apache Hadoop, Apache YARN
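An added example, not part of the original posts or of the Hadoop documentation: the configuration this scenario touches, with a wide-open proxy-user rule shown beside a restricted one. user1 is the AM user from the post; the host name am-host.example.com and the group name impersonable are constructed placeholders.

```xml
<!-- core-site.xml fragment: whom may user1 impersonate, and from which hosts? -->
<configuration>
  <!-- Weak form, left commented out: user1 may impersonate any user from any host,
       so anyone who takes over user1 can act as every account on the cluster.
  <property><name>hadoop.proxyuser.user1.hosts</name><value>*</value></property>
  <property><name>hadoop.proxyuser.user1.groups</name><value>*</value></property>
  -->

  <!-- Restricted form: impersonation is accepted only from the AM's host
       (placeholder name) ... -->
  <property>
    <name>hadoop.proxyuser.user1.hosts</name>
    <value>am-host.example.com</value>
  </property>
  <!-- ... and only for members of one group (placeholder name) that user2
       would have to belong to. -->
  <property>
    <name>hadoop.proxyuser.user1.groups</name>
    <value>impersonable</value>
  </property>
</configuration>

<!-- yarn-site.xml fragment -->
<configuration>
  <property>
    <name>yarn.nodemanager.container-executor.class</name>
    <value>org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor</value>
  </property>
  <!-- On a non-secure cluster LinuxContainerExecutor runs every container as a
       single local user (default "nobody") while limit-users is true, which is
       the default. Setting it to false makes containers run as the user that
       submitted the application. Without Kerberos that user name is not
       authenticated, so treat this as trusting whatever name the client sends. -->
  <property>
    <name>yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users</name>
    <value>false</value>
  </property>
</configuration>
```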