Allen Wittenauer commented on YARN-2429:

bq. Unless I'm mistaken, the blacklisting is done in the C code. Currently 
Hadoop uses the Groups class to fetch group info, there are multiple plugins 
for it (shell, ldap, jni, ...). This means that you'd have to either get all 
groups of the user before calling the LCE and passing them as params, or the 
LCE would have to connect to the same group source as the Java side of things. 

The LCE blacklisting is specifically for preventing jobs running as users that 
are somehow privileged or special at the Unix level.  The same applies for 
groups.  For example, if one has a group of users that have sudo access, you 
don't want users in that group to be able to execute things on YARN.  What the 
Hadoop API thinks of as a valid group is irrelevant in this context.

> LCE should blacklist based upon group
> -------------------------------------
>                 Key: YARN-2429
>                 URL: https://issues.apache.org/jira/browse/YARN-2429
>             Project: Hadoop YARN
>          Issue Type: New Feature
>          Components: security
>            Reporter: Allen Wittenauer
>              Labels: newbie
> It should be possible to list a group to ban, not just individual users.
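
A sketch of a Unix-level group check of the kind discussed above, added here as an illustration and not taken from container-executor or any YARN patch. The function name, the ban-list argument and the command-line form are hypothetical; membership is resolved through the host's own passwd/group databases (getpwnam, getgrouplist, getgrnam), independent of Hadoop's Groups plugins.

```c
#define _DEFAULT_SOURCE            /* exposes getgrouplist() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Hypothetical helper: returns 1 if `user` is in any group named in `banned`
 * (primary or supplementary), 0 if not, and -1 when the lookup itself fails
 * so that the caller can fail closed and refuse the launch. */
int user_in_banned_group(const char *user, const char *const *banned, size_t nbanned)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) return -1;                 /* unknown to the OS */
    gid_t primary = pw->pw_gid;                /* copy: pw is a static buffer */
    int ngroups = 32;
    gid_t *gids = malloc(ngroups * sizeof(*gids));
    if (gids == NULL) return -1;
    if (getgrouplist(user, primary, gids, &ngroups) == -1) {
        /* Buffer too small: ngroups now holds the required count. */
        gid_t *tmp = realloc(gids, ngroups * sizeof(*gids));
        if (tmp == NULL) { free(gids); return -1; }
        gids = tmp;
        if (getgrouplist(user, primary, gids, &ngroups) == -1) { free(gids); return -1; }
    }
    int hit = 0;
    for (size_t b = 0; b < nbanned && !hit; b++) {
        struct group *gr = getgrnam(banned[b]);
        if (gr == NULL) continue;              /* name not defined on this host */
        for (int i = 0; i < ngroups; i++)
            if (gids[i] == gr->gr_gid) { hit = 1; break; }
    }
    free(gids);
    return hit;
}

int main(int argc, char **argv)
{
    if (argc < 3) { fprintf(stderr, "usage: %s USER GROUP...\n", argv[0]); return 2; }
    int r = user_in_banned_group(argv[1], (const char *const *)&argv[2], (size_t)(argc - 2));
    printf("%s: %s\n", argv[1], r == 0 ? "allowed" : "refused");
    return r == 0 ? 0 : 1;                     /* banned or lookup error both refuse */
}
```

Because the lookup goes through NSS, the answer reflects whatever sources the node itself is configured to use for Unix groups, which is the membership that determines sudo-style privilege on that host.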
