  1. Hadoop YARN
  2. YARN-6447

Provide container sandbox policies for groups

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.0.0-alpha4
    • Fix Version/s: 3.0.0-alpha4
    • Component/s: nodemanager, yarn
    • Labels:
      None
    • Hadoop Flags:
      Reviewed
    • Flags:
      Patch

      Description

      Currently the container sandbox feature (YARN-5280) allows YARN administrators to use one Java Security Manager policy file to limit the permissions granted to YARN containers. It would be useful to allow for different policy files to be used based on groups.

      For example, an administrator may want to ensure standard users who write applications for the MapReduce or Tez frameworks are not allowed to open arbitrary network connections within their data processing code. Users who are designing the ETL pipelines, however, may need to open sockets to extract data from external sources. By assigning these sets of users to different groups and setting specific policies for each group, you can assert fine-grained control over the permissions granted to each Java-based container across a YARN cluster.

      1. YARN-6447.001.patch
        17 kB
        Greg Phillips
      2. YARN-6447.002.patch
        20 kB
        Greg Phillips
      3. YARN-6447.003.patch
        20 kB
        Greg Phillips

        Activity

        hudson Hudson added a comment -

        SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #11740 (See https://builds.apache.org/job/Hadoop-trunk-Commit/11740/)
        YARN-6447. Provide container sandbox policies for groups (gphillips via (rkanter: rev 18c494a00c8ead768f3a868b450dceea485559df)

        • (edit) hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
        • (edit) hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/TestJavaSandboxLinuxContainerRuntime.java
        • (edit) hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/JavaSandboxLinuxContainerRuntime.java
        rkanter Robert Kanter added a comment -

        Thanks Greg Phillips. Committed to trunk!

        rkanter Robert Kanter added a comment -

        +1

        hadoopqa Hadoop QA added a comment -
        -1 overall



        Vote Subsystem Runtime Comment
        0 reexec 0m 30s Docker mode activated.
        +1 @author 0m 0s The patch does not contain any @author tags.
        +1 test4tests 0m 0s The patch appears to include 1 new or modified test files.
        0 mvndep 0m 41s Maven dependency ordering for branch
        +1 mvninstall 15m 59s trunk passed
        +1 compile 12m 51s trunk passed
        +1 checkstyle 1m 6s trunk passed
        +1 mvnsite 1m 21s trunk passed
        +1 mvneclipse 0m 48s trunk passed
        -1 findbugs 1m 2s hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager in trunk has 5 extant Findbugs warnings.
        +1 javadoc 1m 2s trunk passed
        0 mvndep 0m 10s Maven dependency ordering for patch
        +1 mvninstall 1m 2s the patch passed
        +1 compile 11m 7s the patch passed
        +1 javac 11m 7s the patch passed
        +1 checkstyle 1m 2s the patch passed
        +1 mvnsite 1m 15s the patch passed
        +1 mvneclipse 0m 46s the patch passed
        +1 whitespace 0m 0s The patch has no whitespace issues.
        +1 findbugs 2m 39s the patch passed
        +1 javadoc 0m 55s the patch passed
        +1 unit 0m 38s hadoop-yarn-api in the patch passed.
        +1 unit 13m 31s hadoop-yarn-server-nodemanager in the patch passed.
        +1 asflicense 0m 31s The patch does not generate ASF License warnings.
        79m 5s



        Subsystem Report/Notes
        Docker Image:yetus/hadoop:14b5c93
        JIRA Issue YARN-6447
        JIRA Patch URL https://issues.apache.org/jira/secure/attachment/12867685/YARN-6447.003.patch
        Optional Tests asflicense compile javac javadoc mvninstall mvnsite unit findbugs checkstyle
        uname Linux 6754684ecc99 3.13.0-116-generic #163-Ubuntu SMP Fri Mar 31 14:13:22 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
        Build tool maven
        Personality /testptch/hadoop/patchprocess/precommit/personality/provided.sh
        git revision trunk / 0d5c8ed
        Default Java 1.8.0_131
        findbugs v3.1.0-RC1
        findbugs https://builds.apache.org/job/PreCommit-YARN-Build/15911/artifact/patchprocess/branch-findbugs-hadoop-yarn-project_hadoop-yarn_hadoop-yarn-server_hadoop-yarn-server-nodemanager-warnings.html
        Test Results https://builds.apache.org/job/PreCommit-YARN-Build/15911/testReport/
        modules C: hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager U: hadoop-yarn-project/hadoop-yarn
        Console output https://builds.apache.org/job/PreCommit-YARN-Build/15911/console
        Powered by Apache Yetus 0.5.0-SNAPSHOT http://yetus.apache.org

        This message was automatically generated.

        gphillips Greg Phillips added a comment -

        Checkstyle issues resolved.

        rkanter Robert Kanter added a comment -

        LGTM
        One last thing: can you fix the (reasonable) checkstyle issues https://builds.apache.org/job/PreCommit-YARN-Build/15765/artifact/patchprocess/diff-checkstyle-hadoop-yarn-project_hadoop-yarn.txt

        hadoopqa Hadoop QA added a comment -
        -1 overall



        Vote Subsystem Runtime Comment
        0 reexec 0m 19s Docker mode activated.
        +1 @author 0m 0s The patch does not contain any @author tags.
        +1 test4tests 0m 0s The patch appears to include 1 new or modified test files.
        0 mvndep 0m 38s Maven dependency ordering for branch
        +1 mvninstall 12m 54s trunk passed
        +1 compile 9m 58s trunk passed
        +1 checkstyle 0m 51s trunk passed
        +1 mvnsite 1m 9s trunk passed
        +1 mvneclipse 0m 46s trunk passed
        -1 findbugs 0m 47s hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager in trunk has 5 extant Findbugs warnings.
        +1 javadoc 0m 46s trunk passed
        0 mvndep 0m 9s Maven dependency ordering for patch
        +1 mvninstall 0m 48s the patch passed
        +1 compile 8m 34s the patch passed
        +1 javac 8m 34s the patch passed
        -0 checkstyle 0m 47s hadoop-yarn-project/hadoop-yarn: The patch generated 7 new + 205 unchanged - 0 fixed = 212 total (was 205)
        +1 mvnsite 0m 57s the patch passed
        +1 mvneclipse 0m 32s the patch passed
        +1 whitespace 0m 0s The patch has no whitespace issues.
        +1 findbugs 2m 3s the patch passed
        +1 javadoc 0m 41s the patch passed
        +1 unit 0m 29s hadoop-yarn-api in the patch passed.
        +1 unit 13m 37s hadoop-yarn-server-nodemanager in the patch passed.
        +1 asflicense 0m 26s The patch does not generate ASF License warnings.
        66m 51s



        Subsystem Report/Notes
        Docker Image:yetus/hadoop:0ac17dc
        JIRA Issue YARN-6447
        JIRA Patch URL https://issues.apache.org/jira/secure/attachment/12865368/YARN-6447.002.patch
        Optional Tests asflicense compile javac javadoc mvninstall mvnsite unit findbugs checkstyle
        uname Linux 818c8cb56b7d 4.4.0-43-generic #63-Ubuntu SMP Wed Oct 12 13:48:03 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
        Build tool maven
        Personality /testptch/hadoop/patchprocess/precommit/personality/provided.sh
        git revision trunk / 61cda39e
        Default Java 1.8.0_121
        findbugs v3.1.0-RC1
        findbugs https://builds.apache.org/job/PreCommit-YARN-Build/15765/artifact/patchprocess/branch-findbugs-hadoop-yarn-project_hadoop-yarn_hadoop-yarn-server_hadoop-yarn-server-nodemanager-warnings.html
        checkstyle https://builds.apache.org/job/PreCommit-YARN-Build/15765/artifact/patchprocess/diff-checkstyle-hadoop-yarn-project_hadoop-yarn.txt
        Test Results https://builds.apache.org/job/PreCommit-YARN-Build/15765/testReport/
        modules C: hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager U: hadoop-yarn-project/hadoop-yarn
        Console output https://builds.apache.org/job/PreCommit-YARN-Build/15765/console
        Powered by Apache Yetus 0.5.0-SNAPSHOT http://yetus.apache.org

        This message was automatically generated.

        gphillips Greg Phillips added a comment - - edited

        Robert Kanter - Thanks for the review

        1. System properties are now reset on cleanup.
        2. Group test modified to use multiple groups. Previous test has been replaced since it would be redundant.
        3. Now only one of the policy modes will be enforced. Either group policy, global policy, or base policy will be used. This does put the onus on the admin to ensure every policy file has the minimum permissions required to run a task.
        4. The group check is case sensitive. This is in keeping with the POSIX standard where group names are case sensitive. Most LDAP implementations use case insensitive names, but tools like SSSD have configurations which can bridge this gap.
        rkanter Robert Kanter added a comment -

        Looks good overall. A few minor things:

        1. We should make sure to reset all system properties being set in the unit tests. While we're at it, we should fix the other ones already in TestJavaSandboxLinuxContainerRuntime.
        2. Can you add a test for the scenario where a user belongs to multiple groups?
        3. If you specify yarn.nodemanager.runtime.linux.sandbox-mode.policy.group.foo it looks like you get both the foo group's policy and also either the default policy or the yarn.nodemanager.runtime.linux.sandbox-mode.policy policy. Shouldn't you only get one of the three? i.e. ONE of the group's (or groups') policies, the default policy, or the custom policy
        4. Would capitalization be a problem for the groups? What if a user is in the "FOo" group but the admin accidentally specifies yarn.nodemanager.runtime.linux.sandbox-mode.policy.group.fOo?
        hadoopqa Hadoop QA added a comment -
        +1 overall



        Vote Subsystem Runtime Comment
        0 reexec 0m 15s Docker mode activated.
        +1 @author 0m 0s The patch does not contain any @author tags.
        +1 test4tests 0m 0s The patch appears to include 1 new or modified test files.
        0 mvndep 0m 9s Maven dependency ordering for branch
        +1 mvninstall 12m 51s trunk passed
        +1 compile 11m 7s trunk passed
        +1 checkstyle 0m 53s trunk passed
        +1 mvnsite 1m 4s trunk passed
        +1 mvneclipse 0m 38s trunk passed
        +1 findbugs 1m 56s trunk passed
        +1 javadoc 0m 49s trunk passed
        0 mvndep 0m 9s Maven dependency ordering for patch
        +1 mvninstall 0m 47s the patch passed
        +1 compile 8m 34s the patch passed
        +1 javac 8m 34s the patch passed
        -0 checkstyle 0m 52s hadoop-yarn-project/hadoop-yarn: The patch generated 1 new + 205 unchanged - 0 fixed = 206 total (was 205)
        +1 mvnsite 1m 2s the patch passed
        +1 mvneclipse 0m 35s the patch passed
        +1 whitespace 0m 0s The patch has no whitespace issues.
        +1 findbugs 2m 11s the patch passed
        +1 javadoc 0m 47s the patch passed
        +1 unit 0m 32s hadoop-yarn-api in the patch passed.
        +1 unit 12m 59s hadoop-yarn-server-nodemanager in the patch passed.
        +1 asflicense 0m 31s The patch does not generate ASF License warnings.
        67m 14s



        Subsystem Report/Notes
        Docker Image:yetus/hadoop:a9ad5d6
        JIRA Issue YARN-6447
        JIRA Patch URL https://issues.apache.org/jira/secure/attachment/12862295/YARN-6447.001.patch
        Optional Tests asflicense compile javac javadoc mvninstall mvnsite unit findbugs checkstyle
        uname Linux 23a654c2f2c0 3.13.0-106-generic #153-Ubuntu SMP Tue Dec 6 15:44:32 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
        Build tool maven
        Personality /testptch/hadoop/patchprocess/precommit/personality/provided.sh
        git revision trunk / 1a9439e
        Default Java 1.8.0_121
        findbugs v3.0.0
        checkstyle https://builds.apache.org/job/PreCommit-YARN-Build/15548/artifact/patchprocess/diff-checkstyle-hadoop-yarn-project_hadoop-yarn.txt
        Test Results https://builds.apache.org/job/PreCommit-YARN-Build/15548/testReport/
        modules C: hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager U: hadoop-yarn-project/hadoop-yarn
        Console output https://builds.apache.org/job/PreCommit-YARN-Build/15548/console
        Powered by Apache Yetus 0.5.0-SNAPSHOT http://yetus.apache.org

        This message was automatically generated.

        gphillips Greg Phillips added a comment -

        Small patch to allow groups to be mapped to custom Java Security Manager policy files using the following yarn-site configuration:
        yarn.nodemanager.runtime.linux.sandbox-mode.policy.group.$groupName

        If a given user is a member of multiple groups with custom policy files, the user will receive the superset of all permissions from the groups to which they belong.
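
        The policy selection discussed in this thread, as an added Java sketch that is not the code in JavaSandboxLinuxContainerRuntime: it assumes group policies take precedence over the global policy, which takes precedence over the base policy, and that a user in several configured groups gets all of those groups' policy files. The file paths, the `<base policy>` placeholder and the `caseMismatches` helper are hypothetical; the helper flags the "FOo" versus "fOo" case raised in the review, where the case-sensitive match falls through to the global or base policy without any error.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class SandboxPolicyResolution {
  // Configuration keys quoted in this issue.
  static final String POLICY_KEY =
      "yarn.nodemanager.runtime.linux.sandbox-mode.policy";
  static final String GROUP_PREFIX = POLICY_KEY + ".group.";
  // Placeholder for the built-in base policy (assumption for this sketch).
  static final String BASE_POLICY = "<base policy>";

  /** Exactly one mode applies: group policies, else global, else base. */
  static List<String> resolve(Map<String, String> conf, Set<String> groups) {
    List<String> matched = new ArrayList<>();
    for (Map.Entry<String, String> e : conf.entrySet()) {
      if (e.getKey().startsWith(GROUP_PREFIX)
          // Case-sensitive comparison, as for POSIX group names.
          && groups.contains(e.getKey().substring(GROUP_PREFIX.length()))) {
        matched.add(e.getValue());
      }
    }
    if (!matched.isEmpty()) {
      return matched; // member of several groups: all their policies apply
    }
    String global = conf.get(POLICY_KEY);
    return Collections.singletonList(global != null ? global : BASE_POLICY);
  }

  /** Configured group names that match a user's group only ignoring case. */
  static List<String> caseMismatches(Map<String, String> conf,
      Set<String> groups) {
    List<String> suspects = new ArrayList<>();
    for (String key : conf.keySet()) {
      if (!key.startsWith(GROUP_PREFIX)) {
        continue;
      }
      String configured = key.substring(GROUP_PREFIX.length());
      for (String g : groups) {
        if (!g.equals(configured) && g.equalsIgnoreCase(configured)) {
          suspects.add(configured + " vs " + g);
        }
      }
    }
    return suspects;
  }

  static Set<String> setOf(String... names) {
    return new HashSet<>(Arrays.asList(names));
  }

  public static void main(String[] args) {
    // Constructed sample configuration; the file paths are made up.
    Map<String, String> conf = new LinkedHashMap<>();
    conf.put(POLICY_KEY, "/etc/hadoop/policy/site.policy");
    conf.put(GROUP_PREFIX + "analysts", "/etc/hadoop/policy/analysts.policy");
    conf.put(GROUP_PREFIX + "etl", "/etc/hadoop/policy/etl.policy");
    conf.put(GROUP_PREFIX + "fOo", "/etc/hadoop/policy/foo.policy");

    // Two configured groups: both group policies, global policy ignored.
    System.out.println(resolve(conf, setOf("analysts", "etl")));
    // "FOo" does not match "fOo": the user gets the global policy instead.
    System.out.println(resolve(conf, setOf("FOo")));
    System.out.println(caseMismatches(conf, setOf("FOo")));
    // No group match and no global policy configured: base policy.
    conf.remove(POLICY_KEY);
    System.out.println(resolve(conf, setOf("users")));
  }
}
```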


          People

          • Assignee:
            gphillips Greg Phillips
            Reporter:
            gphillips Greg Phillips
          • Votes:
            0
            Watchers:
            4
