[jira] [Commented] (YARN-6447) Provide container sandbox policies for groups

[Robert Kanter (JIRA)]

    [ 
https://issues.apache.org/jira/browse/YARN-6447?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15979537#comment-15979537
 ] 

Robert Kanter commented on YARN-6447:
-------------------------------------

Looks good overall.  A few minor things:
# We should make sure to reset all system properties being set in the unit 
tests.  While we're at it, we should fix the other ones already in 
{{TestJavaSandboxLinuxContainerRuntime}}.
# Can you add a test for the scenario where a user belongs to multiple groups?
# If you specify 
{{yarn.nodemanager.runtime.linux.sandbox-mode.policy.group.foo}} it looks like 
you get both the foo group's policy and also either the default policy or the 
{{yarn.nodemanager.runtime.linux.sandbox-mode.policy}} policy.  Shouldn't you 
only get one of the three?  i.e. ONE of the group's (or groups') policies, the 
default policy, or the custom policy
# Would capitalization be a problem for the groups?  What if a user is in the 
"FOo" group but the admin accidentally specifies 
{{yarn.nodemanager.runtime.linux.sandbox-mode.policy.group.fOo}}?

> Provide container sandbox policies for groups 
> ----------------------------------------------
>
>                 Key: YARN-6447
>                 URL: https://issues.apache.org/jira/browse/YARN-6447
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: nodemanager, yarn
>    Affects Versions: 3.0.0-alpha3
>            Reporter: Greg Phillips
>            Assignee: Greg Phillips
>            Priority: Minor
>         Attachments: YARN-6447.001.patch
>
>
> Currently the container sandbox feature 
> ([YARN-5280|https://issues.apache.org/jira/browse/YARN-5280]) allows YARN 
> administrators to use one Java Security Manager policy file to limit the 
> permissions granted to YARN containers.  It would be useful to allow for 
> different policy files to be used based on groups.
> For example, an administrator may want to ensure standard users who write 
> applications for the MapReduce or Tez frameworks are not allowed to open 
> arbitrary network connections within their data processing code.  Users who 
> are designing the ETL pipelines however may need to open sockets to extract 
> data from external sources.  By assigning these sets of users to different 
> groups and setting specific policies for each group you can assert fine 
> grained control over the permissions granted to each Java based container 
> across a YARN cluster.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org