Posted to yarn-issues@hadoop.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2022/05/27 03:50:00 UTC

[jira] [Updated] (YARN-11165) JavaSandboxLinuxContainerRuntime will not read default java.policy when no group policy is set

     [ https://issues.apache.org/jira/browse/YARN-11165?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

ASF GitHub Bot updated YARN-11165:
----------------------------------
    Labels: pull-request-available  (was: )

> JavaSandboxLinuxContainerRuntime will not read default java.policy when no group policy is set
> ----------------------------------------------------------------------------------------------
>
>                 Key: YARN-11165
>                 URL: https://issues.apache.org/jira/browse/YARN-11165
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: yarn
>    Affects Versions: 3.3.3
>            Reporter: Brandon Li
>            Priority: Minor
>              Labels: pull-request-available
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> When JavaSandboxLinuxContainerRuntime is used, we can specify yarn.nodemanager.runtime.linux.sandbox-mode.policy to use a self-provided java.policy file. When this setting is not specified, JavaSandboxLinuxContainerRuntime will use the default java.policy file.
>  
> However, when the user belongs to one or more groups and the yarn.nodemanager.runtime.linux.sandbox-mode.policy.group.$groupName setting is not specified, JavaSandboxLinuxContainerRuntime still skips the default java.policy file, resulting in a final policy which looks like this:
> {code:java}
> grant codeBase "file:/usr/local/hadoop/-" {
>   permission java.security.AllPermission;
> };
> grant {
>    permission java.io.FilePermission "/tmp/hadoop-yarn/nm-local-dir/usercache/yarn/appcache/application_1653546011283_0006//-", "read";
>    permission java.io.FilePermission "/tmp/hadoop-yarn/nm-local-dir/usercache/yarn/appcache/application_1653546011283_0006/filecache/13/-", "read";
>    permission java.io.FilePermission "/tmp/hadoop-yarn/nm-local-dir/usercache/yarn/appcache/application_1653546011283_0006/filecache/11/-", "read";
>    permission java.io.FilePermission "/tmp/hadoop-yarn/nm-local-dir/usercache/yarn/appcache/application_1653546011283_0006/filecache/12/-", "read";
>    permission java.io.FilePermission "/tmp/hadoop-yarn/nm-local-dir/usercache/yarn/appcache/application_1653546011283_0006/filecache/10/-", "read";
> };
> {code}
> which will cause problems running applications.
>  
> A PR will be provided if this is identified as a bug.
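
An added example, not part of the original message and not Hadoop's code: a simplified Java model of the fallback the report describes, showing the reported selection beside the expected one. The class and method names, the `DEFAULT_POLICY` placeholder, the group names, and the ordering between group policies and the single-policy key are assumptions.

```java
import java.util.*;

// Simplified model of the selection logic described in YARN-11165.
// Not Hadoop source: class, method names and DEFAULT_POLICY are hypothetical.
public class SandboxPolicySelection {
  static final String POLICY_KEY =
      "yarn.nodemanager.runtime.linux.sandbox-mode.policy";
  static final String GROUP_PREFIX = POLICY_KEY + ".group.";
  static final String DEFAULT_POLICY = "<default java.policy>"; // placeholder

  // Policies configured for the user's groups (empty if none are set).
  static List<String> groupPolicies(Map<String, String> conf, List<String> groups) {
    List<String> found = new ArrayList<>();
    for (String g : groups) {
      String p = conf.get(GROUP_PREFIX + g);
      if (p != null) found.add(p);
    }
    return found;
  }

  // Reported behaviour: group membership alone selects the group branch,
  // so the result can be empty and the default is never consulted.
  static List<String> reported(Map<String, String> conf, List<String> groups) {
    if (!groups.isEmpty()) return groupPolicies(conf, groups);
    return Collections.singletonList(conf.getOrDefault(POLICY_KEY, DEFAULT_POLICY));
  }

  // Expected behaviour: take the group branch only when a group policy is
  // actually configured; otherwise fall back as for a user with no groups.
  static List<String> expected(Map<String, String> conf, List<String> groups) {
    List<String> found = groupPolicies(conf, groups);
    if (!found.isEmpty()) return found;
    return Collections.singletonList(conf.getOrDefault(POLICY_KEY, DEFAULT_POLICY));
  }

  public static void main(String[] args) {
    Map<String, String> conf = new HashMap<>();             // constructed: no keys set
    List<String> groups = Arrays.asList("hadoop", "users"); // constructed group names
    System.out.println("reported: " + reported(conf, groups));
    System.out.println("expected: " + expected(conf, groups));
  }
}
```

With neither key set, the reported path selects no policy file at all, which corresponds to the generated policy above containing only the Hadoop code base grant and the per-application read grants.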


