hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hudson (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-6447) Provide container sandbox policies for groups
Date Wed, 17 May 2017 01:51:04 GMT

    [ https://issues.apache.org/jira/browse/YARN-6447?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16013375#comment-16013375
] 

Hudson commented on YARN-6447:
------------------------------

SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #11740 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/11740/])
YARN-6447. Provide container sandbox policies for groups (gphillips via (rkanter: rev 18c494a00c8ead768f3a868b450dceea485559df)
* (edit) hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
* (edit) hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/TestJavaSandboxLinuxContainerRuntime.java
* (edit) hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/JavaSandboxLinuxContainerRuntime.java


> Provide container sandbox policies for groups 
> ----------------------------------------------
>
>                 Key: YARN-6447
>                 URL: https://issues.apache.org/jira/browse/YARN-6447
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: nodemanager, yarn
>    Affects Versions: 3.0.0-alpha3
>            Reporter: Greg Phillips
>            Assignee: Greg Phillips
>            Priority: Minor
>             Fix For: 3.0.0-alpha3
>
>         Attachments: YARN-6447.001.patch, YARN-6447.002.patch, YARN-6447.003.patch
>
>
> Currently the container sandbox feature ([YARN-5280|https://issues.apache.org/jira/browse/YARN-5280])
allows YARN administrators to use one Java Security Manager policy file to limit the permissions
granted to YARN containers.  It would be useful to allow for different policy files to be
used based on groups.
> For example, an administrator may want to ensure standard users who write applications
for the MapReduce or Tez frameworks are not allowed to open arbitrary network connections
within their data processing code.  Users who are designing the ETL pipelines however may
need to open sockets to extract data from external sources.  By assigning these sets of users
to different groups and setting specific policies for each group you can assert fine grained
control over the permissions granted to each Java based container across a YARN cluster.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org


Mime
View raw message