hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Greg Phillips (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (YARN-5280) Allow YARN containers to run with Java Security Manager
Date Mon, 21 Nov 2016 15:14:58 GMT

     [ https://issues.apache.org/jira/browse/YARN-5280?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Greg Phillips updated YARN-5280:
    Attachment: YARN-5280.005.patch

Removed application queue dependency for whitelisting.  Whitelisting now uses a user group
to allow users to opt out of using the JVMContainerSandbox on a job by job basis.

Generated java.policy files are now written to the application private directory.  Users will
not be able to access the policy file itself, but will be able to inspect the policy from
within the container using System#getSecurityManager.

Container preparation functionality has been moved from LinuxContainerExecutor#writeLaunchEnv
to LinuxContainerExecutor#prepareContainer.  ContainerExecutor#prepareContainer is called
from ContainerLaunch#call prior to writeLaunchEnv.  Additionally a ContainerPrepareContext
has been created as the only parameter to ContainerExecutor#prepareContainer.

> Allow YARN containers to run with Java Security Manager
> -------------------------------------------------------
>                 Key: YARN-5280
>                 URL: https://issues.apache.org/jira/browse/YARN-5280
>             Project: Hadoop YARN
>          Issue Type: New Feature
>          Components: nodemanager, yarn
>    Affects Versions: 2.6.4
>            Reporter: Greg Phillips
>            Assignee: Greg Phillips
>            Priority: Minor
>              Labels: oct16-medium
>         Attachments: YARN-5280.001.patch, YARN-5280.002.patch, YARN-5280.003.patch, YARN-5280.004.patch,
YARN-5280.005.patch, YARN-5280.patch, YARNContainerSandbox.pdf
> YARN applications have the ability to perform privileged actions which have the potential
to add instability into the cluster. The Java Security Manager can be used to prevent users
from running privileged actions while still allowing their core data processing use cases.

> Introduce a YARN flag which will allow a Hadoop administrator to enable the Java Security
Manager for user code, while still providing complete permissions to core Hadoop libraries.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org

View raw message