[YARN-6447] Provide container sandbox policies for groups - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Minor
Resolution: Fixed
Affects Version/s: 3.0.0-alpha4
Fix Version/s: 3.0.0-alpha4
Component/s: nodemanager, yarn
Labels:
None

Hadoop Flags:

Reviewed
Flags:

Patch

Description

Currently the container sandbox feature (YARN-5280) allows YARN administrators to use one Java Security Manager policy file to limit the permissions granted to YARN containers. It would be useful to allow for different policy files to be used based on groups.

For example, an administrator may want to ensure standard users who write applications for the MapReduce or Tez frameworks are not allowed to open arbitrary network connections within their data processing code. Users who are designing the ETL pipelines however may need to open sockets to extract data from external sources. By assigning these sets of users to different groups and setting specific policies for each group you can assert fine grained control over the permissions granted to each Java based container across a YARN cluster.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

YARN-6447.001.patch
06/Apr/17 14:57
17 kB
Greg Phillips
YARN-6447.002.patch
27/Apr/17 13:55
20 kB
Greg Phillips
YARN-6447.003.patch
12/May/17 00:23
20 kB
Greg Phillips

Activity

People

Assignee:: Greg Phillips

Reporter:: Greg Phillips

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 05/Apr/17 13:37

Updated:: 24/Apr/18 20:50

Resolved:: 17/May/17 01:03