YARN-9834. Allow using a pool of local users to run Yarn Secure Conta…

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java

@@ -2215,6 +2215,39 @@ public static boolean isAclEnabled(Configuration conf) {
   public static final String DEFAULT_NM_NONSECURE_MODE_USER_PATTERN = 
       "^[_.A-Za-z0-9][-@_.A-Za-z0-9]{0,255}?[$]?$";
 
+  /**
+   * Whether or not to use precreated pool of local users in secure mode.
+   */
+  public static final String NM_SECURE_MODE_USE_POOL_USER = NM_PREFIX +
+      "linux-container-executor.secure-mode.use-pool-user";
+
+  public static final boolean DEFAULT_NM_SECURE_MODE_USE_POOL_USER = false;
+
+  /**
+   * The number of pool local users. If set to -1, we'll take the value from:
+   * NM_PREFIX + "resource.cpu-vcores"
+   */
+  public static final String NM_SECURE_MODE_POOL_USER_COUNT = NM_PREFIX +
+      "linux-container-executor.secure-mode.pool-user-count";
+
+  public static final int DEFAULT_NM_SECURE_MODE_POOL_USER_COUNT = -1;
+
+  /**
+   * The prefix of the local pool users can be used by Yarn Secure Container.
+   * The number of local pool users to use is specified by:
+   *
+   * For example, if prefix is "user" and pool-user-count configured to 20,
+   * then local user names are:
+   *   user0
+   *   user1
+   *   ...
+   *   user19
+   */
+  public static final String NM_SECURE_MODE_POOL_USER_PREFIX = NM_PREFIX +
+      "linux-container-executor.secure-mode.pool-user-prefix";
+
+  public static final String DEFAULT_NM_SECURE_MODE_POOL_USER_PREFIX = "user";
+
   /** The type of resource enforcement to use with the
    *  linux container executor.
    */

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/LinuxContainerExecutor.java

@@ -115,6 +115,7 @@ public class LinuxContainerExecutor extends ContainerExecutor {
   private boolean containerSchedPriorityIsSet = false;
   private int containerSchedPriorityAdjustment = 0;
   private boolean containerLimitUsers;
+  private SecureModeLocalUserAllocator secureModeLocalUserAllocator;
   private ResourceHandler resourceHandlerChain;
   private LinuxContainerRuntime linuxContainerRuntime;
   private Context nmContext;
@@ -214,6 +215,12 @@ public void setConf(Configuration conf) {
       LOG.warn("{}: impersonation without authentication enabled",
           YarnConfiguration.NM_NONSECURE_MODE_LIMIT_USERS);
     }
+    boolean secureModeUseLocalUser = UserGroupInformation.isSecurityEnabled() &&
+        conf.getBoolean(YarnConfiguration.NM_SECURE_MODE_USE_POOL_USER,
+        YarnConfiguration.DEFAULT_NM_SECURE_MODE_USE_POOL_USER);
+    if (secureModeUseLocalUser) {
+      secureModeLocalUserAllocator = SecureModeLocalUserAllocator.getInstance(conf);
+    }
   }
 
   private LCEResourcesHandler getResourcesHandler(Configuration conf) {
@@ -242,8 +249,14 @@ void verifyUsernamePattern(String user) {
   }
 
   String getRunAsUser(String user) {
-    if (UserGroupInformation.isSecurityEnabled() ||
-        !containerLimitUsers) {
+    if (UserGroupInformation.isSecurityEnabled()) {
+      if (secureModeLocalUserAllocator != null) {
+        return secureModeLocalUserAllocator.getRunAsLocalUser(user);
+      }
+      else {
+        return user;
+      }
+    } else if (!containerLimitUsers) {
       return user;
     } else {
       return nonsecureLocalUser;