[jira] [Commented] (YARN-5280) Allow YARN containers to run with Java Security Manager

Mon, 11 Jul 2016 07:30:37 -0700 

    [ 
https://issues.apache.org/jira/browse/YARN-5280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15370865#comment-15370865
 ] 

Larry McCay commented on YARN-5280:
-----------------------------------

Hi [~gphillips] - having just read your pdf here, it has reminded me of some 
work that I was involved with for EE 7 - not sure where it went since I left 
that gig but I am curious about how an application might declare its need for 
particular permissions.

https://java.net/downloads/javaee-spec/ee-sec-mgr-00-ljm.pdf see the section 
called EE 6.2.2.Y Declaring Permissions required by Application Components.

In particular, I have Slider based application launches in mind where we do 
have an application descriptor where such hints/requests could be made at 
deployment time.

As mentioned by [~rkanter] and your document, I do see challenges in the code 
signing bit.

Have you seen significant push back from folks in the govt sector for requiring 
security manager?
That has traditionally been the user base that really required it but I thought 
that I had sensed a bit of back off there.

> Allow YARN containers to run with Java Security Manager
> -------------------------------------------------------
>
>                 Key: YARN-5280
>                 URL: https://issues.apache.org/jira/browse/YARN-5280
>             Project: Hadoop YARN
>          Issue Type: New Feature
>          Components: nodemanager, yarn
>    Affects Versions: 2.6.4
>            Reporter: Greg Phillips
>            Priority: Minor
>         Attachments: YARN-5280.patch, YARNContainerSandbox.pdf
>
>
> YARN applications have the ability to perform privileged actions which have 
> the potential to add instability into the cluster. The Java Security Manager 
> can be used to prevent users from running privileged actions while still 
> allowing their core data processing use cases. 
> Introduce a YARN flag which will allow a Hadoop administrator to enable the 
> Java Security Manager for user code, while still providing complete 
> permissions to core Hadoop libraries.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org

Reply via email to