[
https://issues.apache.org/jira/browse/YARN-6447?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15986656#comment-15986656
]
Greg Phillips edited comment on YARN-6447 at 4/27/17 1:56 PM:
--------------------------------------------------------------
[~rkanter] - Thanks for the review
# System properties are now reset on cleanup.
# Group test modified to use multiple groups. Previous test has been replaced
since it would be redundant.
# Now only one of the policy modes will be enforced. Either group policy,
global policy, or base policy will be used. This does put the onus on the
admin to ensure every policy file has the minimum permissions required to run a
task.
# The group check is case sensitive. This is in keeping with the POSIX
standard where group names are case sensitive. Most LDAP implementations use
case insensitive names, but tools like SSSD have configurations which can
bridge this gap.
was (Author: gphillips):
[~rkanter] - Thanks for the review
1. System properties are now reset on cleanup
2. Group test modified to use multiple groups. Previous test has been replaced
since it would be redundant.
3. Now only one of the policy modes will be enforced. Either group policy,
global policy, or base policy will be used. This does put the onus on the
admin to ensure every policy file has the minimum permissions required to run a
task.
4. The group check is case sensitive. This is in keeping with the POSIX
standard where group names are case sensitive. Most LDAP implementations use
case insensitive names, but tools like SSSD have configurations which can
bridge this gap.
> Provide container sandbox policies for groups
> ----------------------------------------------
>
> Key: YARN-6447
> URL: https://issues.apache.org/jira/browse/YARN-6447
> Project: Hadoop YARN
> Issue Type: Improvement
> Components: nodemanager, yarn
> Affects Versions: 3.0.0-alpha3
> Reporter: Greg Phillips
> Assignee: Greg Phillips
> Priority: Minor
> Attachments: YARN-6447.001.patch, YARN-6447.002.patch
>
>
> Currently the container sandbox feature
> ([YARN-5280|https://issues.apache.org/jira/browse/YARN-5280]) allows YARN
> administrators to use one Java Security Manager policy file to limit the
> permissions granted to YARN containers. It would be useful to allow for
> different policy files to be used based on groups.
> For example, an administrator may want to ensure standard users who write
> applications for the MapReduce or Tez frameworks are not allowed to open
> arbitrary network connections within their data processing code. Users who
> are designing the ETL pipelines however may need to open sockets to extract
> data from external sources. By assigning these sets of users to different
> groups and setting specific policies for each group you can assert fine
> grained control over the permissions granted to each Java based container
> across a YARN cluster.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
