[ https://issues.apache.org/jira/browse/YARN-5280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15368556#comment-15368556 ]
Vinod Kumar Vavilapalli commented on YARN-5280: ----------------------------------------------- Today, YARN (RMs / NMs) don't know whether the containers run JVMs or not - and we should keep it that way. We've been talking about Container universes / run-times (YARN-3853), the right way to do this is to think of a JVM run-time that can wrap this functionality only for JVM based containers. Irrespective of that, I think a reasonable way to make progress on this is to first experiment this functionality on the apps' side - say MapReduce and then promote it into YARN. Besides the performance impact, there are a bunch of scenarios that need to be looked at in the context of security-managers - native code, kerberos integration etc. Is it possible to run experiments with MapReduce alone first? We can actually do this *without* any code changes - using distributed-cache to distribute files and mapreduce.admin.map.child.java.opts / mapreduce.admin.reduce.child.java.opts. > Allow YARN containers to run with Java Security Manager > ------------------------------------------------------- > > Key: YARN-5280 > URL: https://issues.apache.org/jira/browse/YARN-5280 > Project: Hadoop YARN > Issue Type: New Feature > Components: nodemanager, yarn > Affects Versions: 2.6.4 > Reporter: Greg Phillips > Priority: Minor > Attachments: YARN-5280.patch, YARNContainerSandbox.pdf > > > YARN applications have the ability to perform privileged actions which have > the potential to add instability into the cluster. The Java Security Manager > can be used to prevent users from running privileged actions while still > allowing their core data processing use cases. > Introduce a YARN flag which will allow a Hadoop administrator to enable the > Java Security Manager for user code, while still providing complete > permissions to core Hadoop libraries. -- This message was sent by Atlassian JIRA (v6.3.4#6332) --------------------------------------------------------------------- To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org