[jira] [Updated] (YARN-5280) Allow YARN containers to run with Java Security Manager

Mon, 21 Nov 2016 07:15:20 -0800 

     [ 
https://issues.apache.org/jira/browse/YARN-5280?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Greg Phillips updated YARN-5280:
--------------------------------
    Attachment: YARN-5280.005.patch

Removed application queue dependency for whitelisting.  Whitelisting now uses a 
user group to allow users to opt out of using the JVMContainerSandbox on a job 
by job basis.

Generated java.policy files are now written to the application private 
directory.  Users will not be able to access the policy file itself, but will 
be able to inspect the policy from within the container using 
System#getSecurityManager.

Container preparation functionality has been moved from 
LinuxContainerExecutor#writeLaunchEnv to 
LinuxContainerExecutor#prepareContainer.  ContainerExecutor#prepareContainer is 
called from ContainerLaunch#call prior to writeLaunchEnv.  Additionally a 
ContainerPrepareContext has been created as the only parameter to 
ContainerExecutor#prepareContainer.

> Allow YARN containers to run with Java Security Manager
> -------------------------------------------------------
>
>                 Key: YARN-5280
>                 URL: https://issues.apache.org/jira/browse/YARN-5280
>             Project: Hadoop YARN
>          Issue Type: New Feature
>          Components: nodemanager, yarn
>    Affects Versions: 2.6.4
>            Reporter: Greg Phillips
>            Assignee: Greg Phillips
>            Priority: Minor
>              Labels: oct16-medium
>         Attachments: YARN-5280.001.patch, YARN-5280.002.patch, 
> YARN-5280.003.patch, YARN-5280.004.patch, YARN-5280.005.patch, 
> YARN-5280.patch, YARNContainerSandbox.pdf
>
>
> YARN applications have the ability to perform privileged actions which have 
> the potential to add instability into the cluster. The Java Security Manager 
> can be used to prevent users from running privileged actions while still 
> allowing their core data processing use cases. 
> Introduce a YARN flag which will allow a Hadoop administrator to enable the 
> Java Security Manager for user code, while still providing complete 
> permissions to core Hadoop libraries.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org

Reply via email to