You are viewing a plain text version of this content. The canonical link for it is here.
Posted to yarn-issues@hadoop.apache.org by "Robert Kanter (JIRA)" <ji...@apache.org> on 2016/10/21 00:31:00 UTC
[jira] [Commented] (YARN-5280) Allow YARN containers to run with
Java Security Manager
[ https://issues.apache.org/jira/browse/YARN-5280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15593491#comment-15593491 ]
Robert Kanter commented on YARN-5280:
-------------------------------------
Thanks for continuing your work on this [~gphillips]. Here's some more feedback on the latest patch. I haven't had the time to test it out, so this is all based on reading through the code changes:
# Can you look into the test failures reported above? Also the checkstyle and warnings. Unfortunately, it looks like the Jenkins job has been purged so we don't have that info there anymore.
# Why do we add the queue name to the env? It looks like you're only using the queue in the {{JavaSandboxLinuxContainerRuntime}}, so I think it could go in the {{ContainerRuntimeContext}} instead.
#- Also, it's in MR code, so it's only going to be added for MR Apps and not other JVM-based Apps (e.g. Spark, Oozie-on-Yarn Launcher, etc).
# The class Javadoc comment in {{DelegatingLinuxContainerRuntime}} should be updated now that it can also delegate to the {{JavaSandboxLinuxContainerRuntime}}.
# The config properties added to {{JavaSandboxLinuxContainerRuntime}} (i.e. {{"yarn.nodemanager.linux-container-executor.sandbox-mode.*"}}) should be defined in {{YarnConfiguration}} along with a default value. See the other properties in {{YarnConfiguration}} for examples.
# Instead of inlining {{PosixFilePermissions.fromString("rwxr-xr-x"))}} and similar in {{JavaSandboxLinuxContainerRuntime}}, they should be declared as private constants.
# We could use some additional unit tests. There's some complicated regexes, different operating modes, etc that we should make sure to more fully cover.
> Allow YARN containers to run with Java Security Manager
> -------------------------------------------------------
>
> Key: YARN-5280
> URL: https://issues.apache.org/jira/browse/YARN-5280
> Project: Hadoop YARN
> Issue Type: New Feature
> Components: nodemanager, yarn
> Affects Versions: 2.6.4
> Reporter: Greg Phillips
> Assignee: Greg Phillips
> Priority: Minor
> Attachments: YARN-5280.001.patch, YARN-5280.002.patch, YARN-5280.patch, YARNContainerSandbox.pdf
>
>
> YARN applications have the ability to perform privileged actions which have the potential to add instability into the cluster. The Java Security Manager can be used to prevent users from running privileged actions while still allowing their core data processing use cases.
> Introduce a YARN flag which will allow a Hadoop administrator to enable the Java Security Manager for user code, while still providing complete permissions to core Hadoop libraries.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org