You are viewing a plain text version of this content. The canonical link for it is here.

Posted to yarn-dev@hadoop.apache.org by "Greg Phillips (JIRA)" <ji...@apache.org> on 2017/04/05 13:38:41 UTC

[jira] [Created] (YARN-6447) Provide container sandbox policies for groups

Greg Phillips created YARN-6447:
-----------------------------------

             Summary: Provide container sandbox policies for groups 
                 Key: YARN-6447
                 URL: https://issues.apache.org/jira/browse/YARN-6447
             Project: Hadoop YARN
          Issue Type: Improvement
          Components: nodemanager, yarn
    Affects Versions: 3.0.0-alpha3
            Reporter: Greg Phillips
            Assignee: Greg Phillips
            Priority: Minor


Currently the container sandbox feature ([YARN-5280|https://issues.apache.org/jira/browse/YARN-5280]) allows YARN administrators to use one Java Security Manager policy file to limit the permissions granted to YARN containers.  It would be useful to allow for different policy files to be used based on groups.

For example, an administrator may want to ensure standard users who write applications for the MapReduce or Tez frameworks are not allowed to open arbitrary network connections within their data processing code.  Users who are designing the ETL pipelines however may need to open sockets to extract data from external sources.  By assigning these sets of users to different groups and setting specific policies for each group you can assert fine grained control over the permissions granted to each Java based container across a YARN cluster.





--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-dev-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-dev-help@hadoop.apache.org