Skip to content

HDFS-15353. Use sudo instead of su to allow nologin user for secure DataNode #2018

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
aajisaka merged 2 commits into from
May 21, 2020
Merged

HDFS-15353. Use sudo instead of su to allow nologin user for secure DataNode #2018

aajisaka merged 2 commits into from
May 21, 2020

Conversation

@2k0ri
Copy link
Contributor

@2k0ri 2k0ri commented May 13, 2020
edited
Loading

JIRA: https://issues.apache.org/jira/browse/HDFS-15353

This PR changes privilege escalation from su to sudo in hadoop-functions.sh.
It allows launching secure DataNode by a --disabled-login(eg. /sbin/nologin) user.

@2k0ri 2k0ri changed the title HADOOP-15353. use sudo instead of su to allow nologin user HADOOP-15353. use sudo instead of su to allow nologin user for secure DataNode May 13, 2020
@hadoop-yetus
Copy link

hadoop-yetus commented May 13, 2020

💔 -1 overall

Vote Subsystem Runtime Comment
+0 🆗 reexec 25m 35s Docker mode activated.
_ Prechecks _
+1 💚 dupname 0m 0s No case conflicting files found.
+0 🆗 shelldocs 0m 0s Shelldocs was not available.
+1 💚 @author 0m 0s The patch does not contain any @author tags.
-1 ❌ test4tests 0m 0s The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
_ trunk Compile Tests _
+1 💚 mvninstall 21m 24s trunk passed
+1 💚 mvnsite 1m 20s trunk passed
+1 💚 shadedclient 15m 33s branch has no errors when building and testing our client artifacts.
_ Patch Compile Tests _
+1 💚 mvninstall 0m 52s the patch passed
+1 💚 mvnsite 1m 11s the patch passed
-1 ❌ shellcheck 0m 4s The patch generated 1 new + 20 unchanged - 0 fixed = 21 total (was 20)
+1 💚 whitespace 0m 0s The patch has no whitespace issues.
+1 💚 shadedclient 15m 31s patch has no errors when building and testing our client artifacts.
_ Other Tests _
+1 💚 unit 2m 30s hadoop-common in the patch passed.
+1 💚 asflicense 0m 31s The patch does not generate ASF License warnings.
86m 22s
Subsystem Report/Notes
Docker ClientAPI=1.40 ServerAPI=1.40 base: https://builds.apache.org/job/hadoop-multibranch/job/PR-2018/1/artifact/out/Dockerfile
GITHUB PR #2018
Optional Tests dupname asflicense mvnsite unit shellcheck shelldocs
uname Linux 1133a3faa8de 4.15.0-91-generic #92-Ubuntu SMP Fri Feb 28 11:09:48 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality personality/hadoop.sh
git revision trunk / 743c2e9
shellcheck https://builds.apache.org/job/hadoop-multibranch/job/PR-2018/1/artifact/out/diff-patch-shellcheck.txt
Test Results https://builds.apache.org/job/hadoop-multibranch/job/PR-2018/1/testReport/
Max. process+thread count 312 (vs. ulimit of 5500)
modules C: hadoop-common-project/hadoop-common U: hadoop-common-project/hadoop-common
Console output https://builds.apache.org/job/hadoop-multibranch/job/PR-2018/1/console
versions git=2.17.1 maven=3.6.0 shellcheck=0.4.6
Powered by Apache Yetus 0.12.0 https://yetus.apache.org

This message was automatically generated.

@aajisaka
Copy link
Member

aajisaka commented May 15, 2020

Hi @2k0ri, would you fix or ignore shellcheck warnings? https://builds.apache.org/job/hadoop-multibranch/job/PR-2018/1/artifact/out/diff-patch-shellcheck.txt

Before this fix, su command redirected the ulimit output by root user. Therefore the behavior is not changed and I think we can ignore this warning.

@hadoop-yetus
Copy link

hadoop-yetus commented May 19, 2020

💔 -1 overall

Vote Subsystem Runtime Comment
+0 🆗 reexec 0m 0s Docker mode activated.
-1 ❌ docker 23m 29s Docker failed to build yetus/hadoop:81d8b715346.
Subsystem Report/Notes
GITHUB PR #2018
Console output https://builds.apache.org/job/hadoop-multibranch/job/PR-2018/2/console
versions git=2.17.1
Powered by Apache Yetus 0.12.0 https://yetus.apache.org

This message was automatically generated.

@aajisaka
Copy link
Member

aajisaka commented May 19, 2020

LGTM, +1 pending Jenkins.

In the precommit job, docker build failed due to unstable internet connection.

17:31:24  Reading package lists...
17:31:24  [91mW: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/bionic/InRelease  Could not connect to archive.ubuntu.com:80 (91.189.88.142), connection timed out Could not connect to archive.ubuntu.com:80 (91.189.88.152), connection timed out
17:31:24  W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/bionic-updates/InRelease  Unable to connect to archive.ubuntu.com:http:
17:31:24  W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/bionic-backports/InRelease  Unable to connect to archive.ubuntu.com:http:
17:31:24  W: Some index files failed to download. They have been ignored, or old ones used instead.

Kicked https://builds.apache.org/job/hadoop-multibranch/job/PR-2018/3/console

@aajisaka aajisaka changed the title HADOOP-15353. use sudo instead of su to allow nologin user for secure DataNode HDFS-15353. use sudo instead of su to allow nologin user for secure DataNode May 19, 2020
@hadoop-yetus
Copy link

hadoop-yetus commented May 19, 2020

💔 -1 overall

Vote Subsystem Runtime Comment
+0 🆗 reexec 22m 28s Docker mode activated.
_ Prechecks _
+1 💚 dupname 0m 0s No case conflicting files found.
+0 🆗 shelldocs 0m 0s Shelldocs was not available.
+1 💚 @author 0m 0s The patch does not contain any @author tags.
-1 ❌ test4tests 0m 0s The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
_ trunk Compile Tests _
+1 💚 mvninstall 19m 11s trunk passed
+1 💚 mvnsite 1m 15s trunk passed
+1 💚 shadedclient 13m 53s branch has no errors when building and testing our client artifacts.
_ Patch Compile Tests _
+1 💚 mvninstall 0m 56s the patch passed
+1 💚 mvnsite 1m 10s the patch passed
+1 💚 shellcheck 0m 4s There were no new shellcheck issues.
+1 💚 whitespace 0m 0s The patch has no whitespace issues.
+1 💚 shadedclient 18m 24s patch has no errors when building and testing our client artifacts.
_ Other Tests _
+1 💚 unit 2m 56s hadoop-common in the patch passed.
+1 💚 asflicense 0m 37s The patch does not generate ASF License warnings.
82m 49s
Subsystem Report/Notes
Docker ClientAPI=1.40 ServerAPI=1.40 base: https://builds.apache.org/job/hadoop-multibranch/job/PR-2018/4/artifact/out/Dockerfile
GITHUB PR #2018
Optional Tests dupname asflicense mvnsite unit shellcheck shelldocs
uname Linux dcd5f70c6b20 4.15.0-60-generic #67-Ubuntu SMP Thu Aug 22 16:55:30 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality personality/hadoop.sh
git revision trunk / d4e3640
Test Results https://builds.apache.org/job/hadoop-multibranch/job/PR-2018/4/testReport/
Max. process+thread count 450 (vs. ulimit of 5500)
modules C: hadoop-common-project/hadoop-common U: hadoop-common-project/hadoop-common
Console output https://builds.apache.org/job/hadoop-multibranch/job/PR-2018/4/console
versions git=2.17.1 maven=3.6.0 shellcheck=0.4.6
Powered by Apache Yetus 0.12.0 https://yetus.apache.org

This message was automatically generated.

@aajisaka
Copy link
Member

aajisaka commented May 21, 2020

+1, thank you @2k0ri

@aajisaka aajisaka merged commit 1a3c6bb into apache:trunk May 21, 2020
@aajisaka aajisaka changed the title HDFS-15353. use sudo instead of su to allow nologin user for secure DataNode HDFS-15353. Use sudo instead of su to allow nologin user for secure DataNode May 21, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@2k0ri @hadoop-yetus @aajisaka