Posted to yarn-issues@hadoop.apache.org by "Robert Kanter (JIRA)" <ji...@apache.org> on 2016/07/08 20:14:11 UTC

[jira] [Commented] (YARN-5280) Allow YARN containers to run with Java Security Manager

    [ https://issues.apache.org/jira/browse/YARN-5280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15368348#comment-15368348 ] 

Robert Kanter commented on YARN-5280:
-------------------------------------

Thanks for posting this [~gphillips].  It seems like an interesting way to lock things down.

A few points of feedback:
- I think we should add a separate config for enabling/disabling the restriction that all containers run a JVM.  This way, cluster admins have the option of locking down Apps like MR but still being flexible enough to allow other Apps/Containers that are not JVM-based.  
- As you call out in the document, jar signing will be tricky if we need to also sign any downstream projects like Pig or for dynamically generated jars.

[~yoderme], [~lmccay], any thoughts on this?  

> Allow YARN containers to run with Java Security Manager
> -------------------------------------------------------
>
>                 Key: YARN-5280
>                 URL: https://issues.apache.org/jira/browse/YARN-5280
>             Project: Hadoop YARN
>          Issue Type: New Feature
>          Components: nodemanager, yarn
>    Affects Versions: 2.6.4
>            Reporter: Greg Phillips
>            Priority: Minor
>         Attachments: YARN-5280.patch, YARNContainerSandbox.pdf
>
>
> YARN applications have the ability to perform privileged actions which have the potential to add instability into the cluster. The Java Security Manager can be used to prevent users from running privileged actions while still allowing their core data processing use cases. 
> Introduce a YARN flag which will allow a Hadoop administrator to enable the Java Security Manager for user code, while still providing complete permissions to core Hadoop libraries.


