hadoop-yarn-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Greg Phillips (JIRA)" <j...@apache.org>
Subject [jira] [Created] (YARN-6447) Provide container sandbox policies for groups
Date Wed, 05 Apr 2017 13:38:41 GMT
Greg Phillips created YARN-6447:
-----------------------------------

             Summary: Provide container sandbox policies for groups 
                 Key: YARN-6447
                 URL: https://issues.apache.org/jira/browse/YARN-6447
             Project: Hadoop YARN
          Issue Type: Improvement
          Components: nodemanager, yarn
    Affects Versions: 3.0.0-alpha3
            Reporter: Greg Phillips
            Assignee: Greg Phillips
            Priority: Minor


Currently the container sandbox feature ([YARN-5280|https://issues.apache.org/jira/browse/YARN-5280])
allows YARN administrators to use one Java Security Manager policy file to limit the permissions
granted to YARN containers.  It would be useful to allow for different policy files to be
used based on groups.

For example, an administrator may want to ensure standard users who write applications for
the MapReduce or Tez frameworks are not allowed to open arbitrary network connections within
their data processing code.  Users who are designing the ETL pipelines however may need to
open sockets to extract data from external sources.  By assigning these sets of users to different
groups and setting specific policies for each group you can assert fine grained control over
the permissions granted to each Java based container across a YARN cluster.





--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-dev-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-dev-help@hadoop.apache.org


Mime
View raw message