Posted to yarn-issues@hadoop.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2022/05/27 03:50:00 UTC
[jira] [Updated] (YARN-11165) JavaSandboxLinuxContainerRuntime will not read default java.policy when no group policy is set
[ https://issues.apache.org/jira/browse/YARN-11165?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
ASF GitHub Bot updated YARN-11165:
----------------------------------
Labels: pull-request-available (was: )
> JavaSandboxLinuxContainerRuntime will not read default java.policy when no group policy is set
> ----------------------------------------------------------------------------------------------
>
> Key: YARN-11165
> URL: https://issues.apache.org/jira/browse/YARN-11165
> Project: Hadoop YARN
> Issue Type: Bug
> Components: yarn
> Affects Versions: 3.3.3
> Reporter: Brandon Li
> Priority: Minor
> Labels: pull-request-available
> Time Spent: 10m
> Remaining Estimate: 0h
>
> When JavaSandboxLinuxContainerRuntime is used, we can specify yarn.nodemanager.runtime.linux.sandbox-mode.policy to use a self-provided java.policy file. When this setting is not specified, JavaSandboxLinuxContainerRuntime will use the default java.policy file.
>
> However, when a user belongs to a group (or more groups), and the yarn.nodemanager.runtime.linux.sandbox-mode.policy.group.$groupName setting is not specified, JavaSandboxLinuxContainerRuntime still skips the default java.policy file, resulting in a final policy which looks like this:
> {code:java}
> grant codeBase "file:/usr/local/hadoop/-" {
>   permission java.security.AllPermission;
> };
> grant {
>   permission java.io.FilePermission "/tmp/hadoop-yarn/nm-local-dir/usercache/yarn/appcache/application_1653546011283_0006//-", "read";
>   permission java.io.FilePermission "/tmp/hadoop-yarn/nm-local-dir/usercache/yarn/appcache/application_1653546011283_0006/filecache/13/-", "read";
>   permission java.io.FilePermission "/tmp/hadoop-yarn/nm-local-dir/usercache/yarn/appcache/application_1653546011283_0006/filecache/11/-", "read";
>   permission java.io.FilePermission "/tmp/hadoop-yarn/nm-local-dir/usercache/yarn/appcache/application_1653546011283_0006/filecache/12/-", "read";
>   permission java.io.FilePermission "/tmp/hadoop-yarn/nm-local-dir/usercache/yarn/appcache/application_1653546011283_0006/filecache/10/-", "read";
> };
> {code}
> which will cause problems running applications.
>
> A PR will be provided if this is identified as a bug.
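The symptom in the report above can be confirmed by comparing a generated container policy with the default java.policy that was expected to be merged into it. The following is an added example, not code from the report or from Hadoop; `parse_policy`, `missing_grants` and the contents of `BASELINE_SAMPLE` are assumptions made up for illustration, and the parser only handles `grant` blocks with optional `codeBase`/`signedBy` clauses.

```python
import re

# A quoted string, a // comment, or a /* */ comment. Strings are matched first
# so that "//" inside a path (as in the policy quoted above) is not a comment.
_TOKEN = re.compile(r'"[^"]*"|//[^\n]*|/\*.*?\*/', re.S)
# grant [codeBase "..."] [, signedBy "..."] { ... };
_GRANT = re.compile(r'\bgrant((?:\s*,?\s*\w+\s+"[^"]*")*)\s*\{(.*?)\}\s*;', re.S)
_PERM = re.compile(r'permission\s+((?:"[^"]*"|[^;"])+);')

def _norm(s):
    return " ".join(s.split())

def parse_policy(text):
    """Return the set of (grant header, permission entry) pairs in a policy."""
    text = _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", text)
    return {(_norm(header), _norm(perm))
            for header, body in _GRANT.findall(text)
            for perm in _PERM.findall(body)}

def missing_grants(baseline, generated):
    """Entries present in the baseline policy but absent from the generated one."""
    return sorted(parse_policy(baseline) - parse_policy(generated))

# Policy from the report above, shortened to two of its FilePermission lines.
GENERATED = '''
grant codeBase "file:/usr/local/hadoop/-" {
  permission java.security.AllPermission;
};
grant {
  permission java.io.FilePermission "/tmp/hadoop-yarn/nm-local-dir/usercache/yarn/appcache/application_1653546011283_0006//-", "read";
  permission java.io.FilePermission "/tmp/hadoop-yarn/nm-local-dir/usercache/yarn/appcache/application_1653546011283_0006/filecache/13/-", "read";
};
'''

# Constructed stand-in for a default java.policy (NOT Hadoop's shipped file).
BASELINE_SAMPLE = '''
// constructed sample
grant {
  permission java.util.PropertyPermission "java.version", "read";
  permission java.lang.RuntimePermission "getenv.*";
};
'''

if __name__ == "__main__":
    for header, perm in missing_grants(BASELINE_SAMPLE, GENERATED):
        print("missing: grant %s{ permission %s; }" % (header + " " if header else "", perm))
```

A non-empty result for a user who has groups but no group policy configured matches the behaviour the report describes; an empty result means every baseline entry reached the generated policy.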