YARN-5549. AMLauncher#createAMContainerLaunchContext() should not log the command to be launched indiscriminately. (Daniel Templeton via rchiang)
This commit is contained in:
parent
5a8c5064d1
commit
378f624a39
@ -534,6 +534,18 @@ public static boolean isAclEnabled(Configuration conf) {
|
||||
public static final int
|
||||
DEFAULT_RM_SYSTEM_METRICS_PUBLISHER_DISPATCHER_POOL_SIZE = 10;
|
||||
|
||||
/**
|
||||
* The {@code AMLauncher.createAMContainerLaunchContext()} method will log the
|
||||
* command being executed to the RM log if this property is true. Commands
|
||||
* may contain sensitive information, such as application or service
|
||||
* passwords, making logging the commands a security risk. In cases where
|
||||
* the cluster may be running applications with such commands, this property
|
||||
* should be set to false. Commands are only logged at the debug level.
|
||||
*/
|
||||
public static final String RM_AMLAUNCHER_LOG_COMMAND =
|
||||
RM_PREFIX + "amlauncher.log.command";
|
||||
public static final boolean DEFAULT_RM_AMLAUNCHER_LOG_COMMAND = false;
|
||||
|
||||
//RM delegation token related keys
|
||||
public static final String RM_DELEGATION_KEY_UPDATE_INTERVAL_KEY =
|
||||
RM_PREFIX + "delegation.key.update-interval";
|
||||
|
@ -298,6 +298,19 @@
|
||||
<value>50</value>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<description>
|
||||
The resource manager will log all commands being executed to the RM log
|
||||
if this property is true. Commands may contain sensitive information,
|
||||
such as application or service passwords, making logging the commands a
|
||||
security risk. In cases where the cluster may be running applications with
|
||||
such commands this property should be set to false. Commands are only
|
||||
logged at the debug level.
|
||||
</description>
|
||||
<name>yarn.resourcemanager.amlauncher.log.command</name>
|
||||
<value>false</value>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<description>The class to use as the resource scheduler.</description>
|
||||
<name>yarn.resourcemanager.scheduler.class</name>
|
||||
|
@ -66,6 +66,7 @@
|
||||
import org.apache.hadoop.yarn.util.timeline.TimelineUtils;
|
||||
|
||||
import com.google.common.annotations.VisibleForTesting;
|
||||
import com.google.common.base.Joiner;
|
||||
|
||||
/**
|
||||
* The launch of the AM itself.
|
||||
@ -81,6 +82,7 @@ public class AMLauncher implements Runnable {
|
||||
private final AMLauncherEventType eventType;
|
||||
private final RMContext rmContext;
|
||||
private final Container masterContainer;
|
||||
private final boolean logCommandLine;
|
||||
|
||||
@SuppressWarnings("rawtypes")
|
||||
private final EventHandler handler;
|
||||
@ -93,6 +95,9 @@ public AMLauncher(RMContext rmContext, RMAppAttempt application,
|
||||
this.rmContext = rmContext;
|
||||
this.handler = rmContext.getDispatcher().getEventHandler();
|
||||
this.masterContainer = application.getMasterContainer();
|
||||
this.logCommandLine =
|
||||
conf.getBoolean(YarnConfiguration.RM_AMLAUNCHER_LOG_COMMAND,
|
||||
YarnConfiguration.DEFAULT_RM_AMLAUNCHER_LOG_COMMAND);
|
||||
}
|
||||
|
||||
private void connect() throws IOException {
|
||||
@ -188,11 +193,22 @@ private ContainerLaunchContext createAMContainerLaunchContext(
|
||||
// Construct the actual Container
|
||||
ContainerLaunchContext container =
|
||||
applicationMasterContext.getAMContainerSpec();
|
||||
LOG.info("Command to launch container "
|
||||
+ containerID
|
||||
+ " : "
|
||||
+ StringUtils.arrayToString(container.getCommands().toArray(
|
||||
new String[0])));
|
||||
|
||||
if (LOG.isDebugEnabled()) {
|
||||
StringBuilder message = new StringBuilder("Command to launch container ");
|
||||
|
||||
message.append(containerID).append(" : ");
|
||||
|
||||
if (logCommandLine) {
|
||||
message.append(Joiner.on(",").join(container.getCommands()));
|
||||
} else {
|
||||
message.append("<REDACTED> -- Set ");
|
||||
message.append(YarnConfiguration.RM_AMLAUNCHER_LOG_COMMAND);
|
||||
message.append(" to true to reenable command logging");
|
||||
}
|
||||
|
||||
LOG.debug(message.toString());
|
||||
}
|
||||
|
||||
// Populate the current queue name in the environment variable.
|
||||
setupQueueNameEnv(container, applicationMasterContext);
|
||||
|
Loading…
Reference in New Issue
Block a user