Greg Phillips created YARN-6447:
-----------------------------------
Summary: Provide container sandbox policies for groups
Key: YARN-6447
URL: https://issues.apache.org/jira/browse/YARN-6447
Project: Hadoop YARN
Issue Type: Improvement
Components: nodemanager, yarn
Affects Versions: 3.0.0-alpha3
Reporter: Greg Phillips
Assignee: Greg Phillips
Priority: Minor
Currently the container sandbox feature
([YARN-5280|https://issues.apache.org/jira/browse/YARN-5280]) allows YARN
administrators to use one Java Security Manager policy file to limit the
permissions granted to YARN containers. It would be useful to allow for
different policy files to be used based on groups.
For example, an administrator may want to ensure standard users who write
applications for the MapReduce or Tez frameworks are not allowed to open
arbitrary network connections within their data processing code. Users who are
designing the ETL pipelines however may need to open sockets to extract data
from external sources. By assigning these sets of users to different groups
and setting specific policies for each group you can assert fine grained
control over the permissions granted to each Java based container across a YARN
cluster.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
