How to set user in LinuxContainerExecutor
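I have a long-running application master that accepts requests (it monitors a queue). In the request I have a field "username": the user on whose behalf I would like to start a job in a container.
From the YARN documentation: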
The default value set for Apache Hadoop in non-secure clusters is org.apache.hadoop.yarn.server.nodemanager.DefaultContainerExecutor. This class runs all containers as the Yarn user to avoid accidental operations being executed in the NodeManagers by arbitrary users.
The alternative value for this property is org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor. This class executes containers with the container-executor binary, which performs a privilege escalation to run containers as the users that submitted the application request.
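I have already changed yarn.nodemanager.container-executor.class to LinuxContainerExecutor. I also set yarn.nodemanager.linux-container-executor.nonsecure-mode.limit-users to false. How can I set, on the container, the user that the command will run as? The only thing that looks like authentication is ContainerLaunchContext.setTokens. I have the following code: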
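    import java.nio.ByteBuffer
    import scala.collection.JavaConverters._
    import org.apache.hadoop.io.DataOutputBuffer
    import org.apache.hadoop.security.UserGroupInformation
    import org.apache.hadoop.yarn.api.records.ContainerLaunchContext
    import org.apache.hadoop.yarn.util.Records

    // Serialises the credentials of a proxy-user UGI into the buffer format setTokens expects.
    private def setupTokens(user: String): ByteBuffer = {
      val ugi = UserGroupInformation.createProxyUser(user, UserGroupInformation.getCurrentUser)
      LOG.info(s"Creating proxyuser ${ugi.getUserName} impersonated by ${UserGroupInformation.getCurrentUser}")
      val credentials = ugi.getCredentials
      val dob = new DataOutputBuffer()
      credentials.writeTokenStorageToStream(dob)
      ByteBuffer.wrap(dob.getData, 0, dob.getLength).duplicate()
    }

    val cCLC = Records.newRecord(classOf[ContainerLaunchContext])
    cCLC.setCommands(List("whoami").asJava) // setCommands takes a java.util.List
    cCLC.setTokens(setupTokens(user))
    nmClient.startContainer(container, cCLC)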
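But it is still executed as the user running the AM, not as the specified one.
The RM will only grant tokens to the application ID (and its real owner) that requested them, and it is not possible to run an application with the AM as one user and the containers as another.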
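One way to act on the answer above, as an added example that is not from the original post: because containers run as the user that submitted the application, the long-running service submits a separate application per request under a proxy-user UGI. It assumes the service account is allowed to impersonate through the hadoop.proxyuser.* settings in core-site.xml; `PerUserSubmitter`, `submitAs`, `amCommand` and the user-name pattern are hypothetical names chosen for illustration.

```scala
import java.security.PrivilegedExceptionAction
import scala.collection.JavaConverters._
import org.apache.hadoop.security.UserGroupInformation
import org.apache.hadoop.yarn.api.records.{ApplicationId, ContainerLaunchContext, Resource}
import org.apache.hadoop.yarn.client.api.YarnClient
import org.apache.hadoop.yarn.conf.YarnConfiguration
import org.apache.hadoop.yarn.util.Records

object PerUserSubmitter {
  // Hypothetical shape check: with nonsecure-mode.limit-users=false the name from the
  // queue message becomes a local account name, so accept only plain account names.
  private val UserName = "^[a-z_][a-z0-9_-]{0,31}$".r

  /** Submits one application owned by `user`; its AM and containers then run as `user`. */
  def submitAs(user: String, amCommand: String): ApplicationId = {
    require(UserName.findFirstIn(user).isDefined, s"rejected user name: $user")

    // Effective user = requested user, real user = the service's login user.
    val proxy = UserGroupInformation.createProxyUser(user, UserGroupInformation.getLoginUser)

    proxy.doAs(new PrivilegedExceptionAction[ApplicationId] {
      override def run(): ApplicationId = {
        // The client is created inside doAs so its RPC connection carries the proxy identity.
        val client = YarnClient.createYarnClient()
        client.init(new YarnConfiguration())
        client.start()
        try {
          val app = client.createApplication()
          val ctx = app.getApplicationSubmissionContext
          val amSpec = Records.newRecord(classOf[ContainerLaunchContext])
          amSpec.setCommands(List(amCommand).asJava)
          ctx.setApplicationName(s"job-for-$user")
          ctx.setAMContainerSpec(amSpec)
          ctx.setResource(Resource.newInstance(512, 1)) // constructed sample sizing
          client.submitApplication(ctx)
        } finally client.stop()
      }
    })
  }
}
```

The ResourceManager rejects the submission if the service account is not listed as an allowed proxy user, which keeps the set of accounts that can be impersonated under the cluster administrator's control.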