[
https://issues.apache.org/jira/browse/YARN-2429?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14544139#comment-14544139
]
Allen Wittenauer commented on YARN-2429:
----------------------------------------
bq. Unless I'm mistaken, the blacklisting is done in the C code. Currently
Hadoop uses the Groups class to fetch group info, there are multiple plugins
for it (shell, ldap, jni, ...). This means that you'd have to either get all
groups of the user before calling the LCE and passing them as params, or the
LCE would have to connect to the same group source as the Java side of things.
The LCE blacklisting is specifically for preventing jobs running as users that
are somehow privileged or special at the Unix level. The same applies for
groups. For example, if one has a group of users that have sudo access, you
don't want users in that group to be able to execute things on YARN. What the
Hadoop API think of as a valid group is irrelevant in this context.
> LCE should blacklist based upon group
> -------------------------------------
>
> Key: YARN-2429
> URL: https://issues.apache.org/jira/browse/YARN-2429
> Project: Hadoop YARN
> Issue Type: New Feature
> Components: security
> Reporter: Allen Wittenauer
> Labels: newbie
>
> It should be possible to list a group to ban, not just individual users.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
