[ https://issues.apache.org/jira/browse/YARN-5280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15593491#comment-15593491 ]
Robert Kanter commented on YARN-5280:
-------------------------------------
Thanks for continuing your work on this [~gphillips]. Here's some more
feedback on the latest patch. I haven't had the time to test it out, so this
is all based on reading through the code changes:
# Can you look into the test failures reported above? Also the checkstyle and
warnings. Unfortunately, it looks like the Jenkins job has been purged so we
don't have that info there anymore.
# Why do we add the queue name to the env? It looks like you're only using the
queue in the {{JavaSandboxLinuxContainerRuntime}}, so I think it could go in
the {{ContainerRuntimeContext}} instead.
#- Also, it's in MR code, so it's only going to be added for MR Apps and not
other JVM-based Apps (e.g. Spark, Oozie-on-Yarn Launcher, etc.).
# The class Javadoc comment in {{DelegatingLinuxContainerRuntime}} should be
updated now that it can also delegate to the
{{JavaSandboxLinuxContainerRuntime}}.
# The config properties added to {{JavaSandboxLinuxContainerRuntime}} (i.e.
{{"yarn.nodemanager.linux-container-executor.sandbox-mode.*"}}) should be
defined in {{YarnConfiguration}} along with a default value. See the other
properties in {{YarnConfiguration}} for examples.
# Instead of inlining {{PosixFilePermissions.fromString("rwxr-xr-x")}} and
similar in {{JavaSandboxLinuxContainerRuntime}}, they should be declared as
private constants.
# We could use some additional unit tests. There are some complicated regexes,
different operating modes, etc. that we should make sure to more fully cover.
> Allow YARN containers to run with Java Security Manager
> -------------------------------------------------------
>
> Key: YARN-5280
> URL: https://issues.apache.org/jira/browse/YARN-5280
> Project: Hadoop YARN
> Issue Type: New Feature
> Components: nodemanager, yarn
> Affects Versions: 2.6.4
> Reporter: Greg Phillips
> Assignee: Greg Phillips
> Priority: Minor
> Attachments: YARN-5280.001.patch, YARN-5280.002.patch,
> YARN-5280.patch, YARNContainerSandbox.pdf
>
>
> YARN applications have the ability to perform privileged actions which have
> the potential to add instability into the cluster. The Java Security Manager
> can be used to prevent users from running privileged actions while still
> allowing their core data processing use cases.
> Introduce a YARN flag which will allow a Hadoop administrator to enable the
> Java Security Manager for user code, while still providing complete
> permissions to core Hadoop libraries.