Date: Thu, 6 Apr 2017 14:57:41 +0000 (UTC)
From: "Greg Phillips (JIRA)"
To: yarn-issues@hadoop.apache.org
Subject: [jira] [Updated] (YARN-6447) Provide container sandbox policies for groups

[ https://issues.apache.org/jira/browse/YARN-6447?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Greg Phillips updated YARN-6447:
--------------------------------
    Attachment: YARN-6447.001.patch

Small patch to allow groups to be mapped to custom Java Security Manager policy files using the following yarn-site configuration:

    yarn.nodemanager.runtime.linux.sandbox-mode.policy.group.$groupName

If a given user is a member of multiple groups with custom policy files, the user will receive the superset of all permissions from the groups to which they belong.
> Provide container sandbox policies for groups
> ----------------------------------------------
>
>                 Key: YARN-6447
>                 URL: https://issues.apache.org/jira/browse/YARN-6447
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: nodemanager, yarn
>    Affects Versions: 3.0.0-alpha3
>            Reporter: Greg Phillips
>            Assignee: Greg Phillips
>            Priority: Minor
>         Attachments: YARN-6447.001.patch
>
>
> Currently the container sandbox feature ([YARN-5280|https://issues.apache.org/jira/browse/YARN-5280]) allows YARN administrators to use one Java Security Manager policy file to limit the permissions granted to YARN containers. It would be useful to allow for different policy files to be used based on groups.
>
> For example, an administrator may want to ensure standard users who write applications for the MapReduce or Tez frameworks are not allowed to open arbitrary network connections within their data processing code. Users who are designing the ETL pipelines, however, may need to open sockets to extract data from external sources. By assigning these sets of users to different groups and setting specific policies for each group you can assert fine-grained control over the permissions granted to each Java-based container across a YARN cluster.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org
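Worked example, added here and not part of YARN-6447 or its attached patch: two constructed Java Security Manager policy files for hypothetical groups `analysts` (no socket permission, as for the MapReduce/Tez users in the description) and `etl` (connect allowed to one source host), loaded through the JDK's standard "JavaPolicy" provider and queried for a `SocketPermission`, with the multi-group rule applied the way the comment above states it (a user in several groups gets the superset). The group names, host names, file paths and the `effectiveGrant` helper are assumptions made for illustration; the only configuration key taken from the page is `yarn.nodemanager.runtime.linux.sandbox-mode.policy.group.$groupName`. The code assumes a JDK from 8 to 21 (`java.security.Policy` is deprecated from 17 but still works there).

```java
import java.net.SocketPermission;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.CodeSource;
import java.security.NoSuchAlgorithmException;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.URIParameter;
import java.security.cert.Certificate;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Constructed example (not the YARN-6447 patch): evaluate what two group
 * policy files grant, separately and as the union the ticket describes.
 *
 * The files would be wired up in yarn-site.xml with the key named in the
 * YARN-6447 comment (paths and group names below are assumptions):
 *   yarn.nodemanager.runtime.linux.sandbox-mode.policy.group.analysts
 *       = /etc/hadoop/policies/analysts.policy
 *   yarn.nodemanager.runtime.linux.sandbox-mode.policy.group.etl
 *       = /etc/hadoop/policies/etl.policy
 */
public class GroupPolicyCheck {

    // "analysts": read the container working directory and properties only;
    // no java.net.SocketPermission, so user code cannot open connections.
    static final String ANALYSTS_POLICY =
        "grant {\n"
      + "  permission java.io.FilePermission \"${user.dir}${/}-\", \"read\";\n"
      + "  permission java.util.PropertyPermission \"*\", \"read\";\n"
      + "};\n";

    // "etl": the same, plus connect to a single extraction source on one port.
    // The host is a placeholder that is not expected to resolve.
    static final String ETL_POLICY =
        "grant {\n"
      + "  permission java.io.FilePermission \"${user.dir}${/}-\", \"read\";\n"
      + "  permission java.util.PropertyPermission \"*\", \"read\";\n"
      + "  permission java.net.SocketPermission "
      + "\"source-db.example.internal:5432\", \"connect,resolve\";\n"
      + "};\n";

    /** Parse a policy file with the JDK's standard "JavaPolicy" provider. */
    static Policy loadPolicy(Path policyFile) throws NoSuchAlgorithmException {
        return Policy.getInstance("JavaPolicy", new URIParameter(policyFile.toUri()));
    }

    /**
     * Does this policy grant {@code perm} to code from any location?
     * A grant entry without a codeBase matches every CodeSource, so a
     * CodeSource with a null location is enough to hit it.
     */
    static boolean grants(Policy policy, Permission perm) {
        ProtectionDomain anyCode = new ProtectionDomain(
            new CodeSource(null, (Certificate[]) null), null);
        return policy.implies(anyCode, perm);
    }

    /**
     * Union of the user's group policies, which is the semantics the ticket
     * comment states for users in several groups. Illustration only; this is
     * not the patch's code. Any single group that grants the permission wins.
     */
    static boolean effectiveGrant(Map<String, Policy> groupPolicies,
                                  List<String> userGroups, Permission perm) {
        for (String group : userGroups) {
            Policy p = groupPolicies.get(group);
            if (p != null && grants(p, perm)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("sandbox-policies");
        Path analysts = dir.resolve("analysts.policy");
        Path etl = dir.resolve("etl.policy");
        Files.write(analysts, ANALYSTS_POLICY.getBytes(StandardCharsets.UTF_8));
        Files.write(etl, ETL_POLICY.getBytes(StandardCharsets.UTF_8));

        Map<String, Policy> byGroup = new LinkedHashMap<>();
        byGroup.put("analysts", loadPolicy(analysts));
        byGroup.put("etl", loadPolicy(etl));

        Permission dbConnect = new SocketPermission("source-db.example.internal:5432", "connect");
        Permission otherConnect = new SocketPermission("other.example.org:443", "connect");

        System.out.println("analysts      -> source db: " + grants(byGroup.get("analysts"), dbConnect));
        System.out.println("etl           -> source db: " + grants(byGroup.get("etl"), dbConnect));
        System.out.println("etl           -> other host: " + grants(byGroup.get("etl"), otherConnect));
        System.out.println("analysts+etl  -> source db: "
            + effectiveGrant(byGroup, Arrays.asList("analysts", "etl"), dbConnect));
    }
}
```

Run with `javac GroupPolicyCheck.java && java GroupPolicyCheck`; the first and third checks come back false, the other two true. Two caveats follow directly from the superset rule in the comment: adding a user to any group that carries a policy file can only widen that user's sandbox, never narrow it, so whoever controls group membership on the NodeManager effectively controls container permissions; and a group policy that grants `SocketPermission "*"` makes every other group's restriction moot for its members. Querying the `Policy` object as above only reads the file; what a container is actually held to depends on the sandbox mode being enforced on the node.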