hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Kanter (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-5280) Allow YARN containers to run with Java Security Manager
Date Sat, 18 Feb 2017 01:33:44 GMT

    [ https://issues.apache.org/jira/browse/YARN-5280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15872852#comment-15872852
] 

Robert Kanter commented on YARN-5280:
-------------------------------------

{quote}From your previous note it became clear simply limiting the container to execute something
called 'java' is inherently insecure. {quote}
Yup
{quote}This patch ensures the java executable used to run the NodeManager is also used for
the container. If a different version of Java or even a shell script named 'java' is provided
an exception will be thrown in enforcing mode, or a warning will be logged in permissive mode.{quote}
That's a good idea.

The 008 patch LGTM +1

[~lmccay], [~vvasudev] any other comments?

> Allow YARN containers to run with Java Security Manager
> -------------------------------------------------------
>
>                 Key: YARN-5280
>                 URL: https://issues.apache.org/jira/browse/YARN-5280
>             Project: Hadoop YARN
>          Issue Type: New Feature
>          Components: nodemanager, yarn
>    Affects Versions: 2.6.4
>            Reporter: Greg Phillips
>            Assignee: Greg Phillips
>            Priority: Minor
>              Labels: oct16-medium
>         Attachments: YARN-5280.001.patch, YARN-5280.002.patch, YARN-5280.003.patch, YARN-5280.004.patch,
YARN-5280.005.patch, YARN-5280.006.patch, YARN-5280.007.patch, YARN-5280.008.patch, YARN-5280.patch,
YARNContainerSandbox.pdf
>
>
> YARN applications have the ability to perform privileged actions which have the potential
to add instability into the cluster. The Java Security Manager can be used to prevent users
from running privileged actions while still allowing their core data processing use cases.

> Introduce a YARN flag which will allow a Hadoop administrator to enable the Java Security
Manager for user code, while still providing complete permissions to core Hadoop libraries.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org


Mime
View raw message