[ https://issues.apache.org/jira/browse/YARN-5280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15370865#comment-15370865 ]
Larry McCay commented on YARN-5280: ----------------------------------- Hi [~gphillips] - having just read your pdf here, it has reminded me of some work that I was involved with for EE 7 - not sure where it went since I left that gig but I am curious about how an application might declare its need for particular permissions. https://java.net/downloads/javaee-spec/ee-sec-mgr-00-ljm.pdf see the section called EE 6.2.2.Y Declaring Permissions required by Application Components. In particular, I have Slider based application launches in mind where we do have an application descriptor where such hints/requests could be made at deployment time. As mentioned by [~rkanter] and your document, I do see challenges in the code signing bit. Have you seen significant push back from folks in the govt sector for requiring security manager? That has traditionally been the user base that really required it but I thought that I had sensed a bit of back off there. > Allow YARN containers to run with Java Security Manager > ------------------------------------------------------- > > Key: YARN-5280 > URL: https://issues.apache.org/jira/browse/YARN-5280 > Project: Hadoop YARN > Issue Type: New Feature > Components: nodemanager, yarn > Affects Versions: 2.6.4 > Reporter: Greg Phillips > Priority: Minor > Attachments: YARN-5280.patch, YARNContainerSandbox.pdf > > > YARN applications have the ability to perform privileged actions which have > the potential to add instability into the cluster. The Java Security Manager > can be used to prevent users from running privileged actions while still > allowing their core data processing use cases. > Introduce a YARN flag which will allow a Hadoop administrator to enable the > Java Security Manager for user code, while still providing complete > permissions to core Hadoop libraries. -- This message was sent by Atlassian JIRA (v6.3.4#6332) --------------------------------------------------------------------- To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org