hadoop-yarn-issues mailing list archives

From "Allen Wittenauer (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-2429) LCE should blacklist based upon group
Date Thu, 14 May 2015 18:20:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-2429?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14544139#comment-14544139 ]

Allen Wittenauer commented on YARN-2429:

bq. Unless I'm mistaken, the blacklisting is done in the C code. Currently Hadoop uses the
Groups class to fetch group info, there are multiple plugins for it (shell, ldap, jni, ...).
This means that you'd have to either get all groups of the user before calling the LCE and
passing them as params, or the LCE would have to connect to the same group source as the Java
side of things. 

The LCE blacklisting is specifically for preventing jobs running as users that are somehow
privileged or special at the Unix level.  The same applies for groups.  For example, if one
has a group of users that have sudo access, you don't want users in that group to be able
to execute things on YARN.  What the Hadoop API thinks of as a valid group is irrelevant in
this context.

> LCE should blacklist based upon group
> -------------------------------------
>                 Key: YARN-2429
>                 URL: https://issues.apache.org/jira/browse/YARN-2429
>             Project: Hadoop YARN
>          Issue Type: New Feature
>          Components: security
>            Reporter: Allen Wittenauer
>              Labels: newbie
> It should be possible to list a group to ban, not just individual users.
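
An added example (not part of the original message, and not the container-executor's own code) of a group ban evaluated at the Unix level, as the comment describes: the user's groups come from getgrouplist(3), the operating system's view, rather than from Hadoop's Groups class. The function names and the notion of a configured list of banned group names are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <sys/types.h>

/* 1 if any gid in user_gids appears in banned, else 0. */
int gid_is_banned(const gid_t *user_gids, int n_user,
                  const gid_t *banned, int n_banned) {
  for (int i = 0; i < n_user; i++)
    for (int j = 0; j < n_banned; j++)
      if (user_gids[i] == banned[j]) return 1;
  return 0;
}

/* 1 = user is in a banned Unix group, 0 = not, -1 = lookup failed
 * (a caller should refuse to launch on anything but 0). */
int user_in_banned_group(const char *user, const char *const *banned_names,
                         int n_banned) {
  struct passwd *pw = getpwnam(user);
  if (pw == NULL) return -1;
  gid_t primary = pw->pw_gid;   /* copy: pw points at static storage */

  /* Resolve configured names to gids through the OS (NSS), not Hadoop. */
  gid_t *banned = calloc(n_banned > 0 ? (size_t)n_banned : 1, sizeof(gid_t));
  if (banned == NULL) return -1;
  int nb = 0;
  for (int i = 0; i < n_banned; i++) {
    struct group *gr = getgrnam(banned_names[i]);
    if (gr != NULL) banned[nb++] = gr->gr_gid;  /* unknown names are skipped */
  }

  /* Primary plus supplementary groups, as initgroups(3) would set them. */
  int ng = 32, rc = -1;
  gid_t *gids = malloc((size_t)ng * sizeof(gid_t));
  if (gids != NULL && getgrouplist(user, primary, gids, &ng) == -1) {
    /* Buffer too small: ng now holds the required count; retry once. */
    gid_t *bigger = realloc(gids, (size_t)ng * sizeof(gid_t));
    if (bigger == NULL || getgrouplist(user, primary, bigger, &ng) == -1) {
      free(bigger != NULL ? bigger : gids);
      gids = NULL;
    } else {
      gids = bigger;
    }
  }
  if (gids != NULL) rc = gid_is_banned(gids, ng, banned, nb);
  free(gids);
  free(banned);
  return rc;
}
```

A banned name that does not resolve on the host is silently skipped here, so a misspelled entry bans nobody; a deployment that prefers to fail closed would return -1 in that case instead.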
