[
https://issues.apache.org/jira/browse/YARN-6447?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Greg Phillips updated YARN-6447:
--------------------------------
Attachment: YARN-6447.001.patch
Small patch to allow groups to be mapped to custom Java Security Manager policy
files using the following yarn-site configuration:
yarn.nodemanager.runtime.linux.sandbox-mode.policy.group.$groupName
If a given user is a member of multiple groups with custom policy files, the
user will receive the superset of all permissions from the groups to which they
belong.
> Provide container sandbox policies for groups
> ----------------------------------------------
>
> Key: YARN-6447
> URL: https://issues.apache.org/jira/browse/YARN-6447
> Project: Hadoop YARN
> Issue Type: Improvement
> Components: nodemanager, yarn
> Affects Versions: 3.0.0-alpha3
> Reporter: Greg Phillips
> Assignee: Greg Phillips
> Priority: Minor
> Attachments: YARN-6447.001.patch
>
>
> Currently the container sandbox feature
> ([YARN-5280|https://issues.apache.org/jira/browse/YARN-5280]) allows YARN
> administrators to use one Java Security Manager policy file to limit the
> permissions granted to YARN containers. It would be useful to allow for
> different policy files to be used based on groups.
> For example, an administrator may want to ensure standard users who write
> applications for the MapReduce or Tez frameworks are not allowed to open
> arbitrary network connections within their data processing code. Users who
> are designing the ETL pipelines, however, may need to open sockets to extract
> data from external sources. By assigning these sets of users to different
> groups and setting specific policies for each group, you can assert
> fine-grained control over the permissions granted to each Java-based container
> across a YARN cluster.
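The superset behaviour described in the comment means a user's effective sandbox is the union of every mapped group's policy, so group membership needs reviewing alongside the policy files. The following audit sketch is an added example, not code from the patch: it models that union and lists users who end up with a given permission class. The group names, file paths, policy contents and user list are constructed, and the policy parser is a simplification that ignores `codeBase` and `principal` qualifiers on `grant` entries.

```python
import re
import xml.etree.ElementTree as ET

PREFIX = "yarn.nodemanager.runtime.linux.sandbox-mode.policy.group."
PERM_RE = re.compile(r'permission\s+([\w.$]+)(?:\s+"([^"]*)")?(?:\s*,\s*"([^"]*)")?\s*;')

# Constructed sample input: group names, paths and policy contents are hypothetical.
YARN_SITE = f"""<configuration>
  <property><name>{PREFIX}analysts</name><value>/etc/hadoop/analysts.policy</value></property>
  <property><name>{PREFIX}etl</name><value>/etc/hadoop/etl.policy</value></property>
</configuration>"""
POLICIES = {  # stand-in for reading the policy files from disk
    "/etc/hadoop/analysts.policy": 'grant {\n  permission java.util.PropertyPermission "*", "read";\n};',
    "/etc/hadoop/etl.policy": 'grant {\n  permission java.util.PropertyPermission "*", "read";\n'
                              '  permission java.net.SocketPermission "*:1024-65535", "connect,resolve";\n};',
}
USERS = {"alice": ["analysts"], "bob": ["analysts", "etl"], "carol": ["ops"]}

def group_policies(yarn_site_xml):
    """Map group name -> policy file path from the per-group properties."""
    mapping = {}
    for prop in ET.fromstring(yarn_site_xml).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name.startswith(PREFIX):
            mapping[name[len(PREFIX):]] = (prop.findtext("value") or "").strip()
    return mapping

def permissions(policy_text):
    """Extract (class, target, actions) tuples; grant qualifiers are ignored."""
    return {m.groups() for m in PERM_RE.finditer(policy_text)}

def effective_permissions(groups, mapping, policies):
    """Union of the permissions of every mapped group the user belongs to."""
    perms = set()
    for group in groups:
        if group in mapping:  # unmapped groups contribute nothing in this sketch
            perms |= permissions(policies[mapping[group]])
    return perms

def users_with(perm_class, users, mapping, policies):
    """Users whose combined group policies grant any permission of perm_class."""
    return sorted(u for u, groups in users.items()
                  if any(p[0] == perm_class for p in effective_permissions(groups, mapping, policies)))

if __name__ == "__main__":
    mapping = group_policies(YARN_SITE)
    print(users_with("java.net.SocketPermission", USERS, mapping, POLICIES))
```

Which policy applies to a user with no mapped group (carol here) is not stated in the message, so the sketch reports only the per-group grants.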