[ https://issues.apache.org/jira/browse/YARN-6447?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15979537#comment-15979537 ]
Robert Kanter commented on YARN-6447: ------------------------------------- Looks good overall. A few minor things: # We should make sure to reset all system properties being set in the unit tests. While we're at it, we should fix the other ones already in {{TestJavaSandboxLinuxContainerRuntime}}. # Can you add a test for the scenario where a user belongs to multiple groups? # If you specify {{yarn.nodemanager.runtime.linux.sandbox-mode.policy.group.foo}} it looks like you get both the foo group's policy and also either the default policy or the {{yarn.nodemanager.runtime.linux.sandbox-mode.policy}} policy. Shouldn't you only get one of the three? i.e. ONE of the group's (or groups') policies, the default policy, or the custom policy # Would capitalization be a problem for the groups? What if a user is in the "FOo" group but the admin accidentally specifies {{yarn.nodemanager.runtime.linux.sandbox-mode.policy.group.fOo}}? > Provide container sandbox policies for groups > ---------------------------------------------- > > Key: YARN-6447 > URL: https://issues.apache.org/jira/browse/YARN-6447 > Project: Hadoop YARN > Issue Type: Improvement > Components: nodemanager, yarn > Affects Versions: 3.0.0-alpha3 > Reporter: Greg Phillips > Assignee: Greg Phillips > Priority: Minor > Attachments: YARN-6447.001.patch > > > Currently the container sandbox feature > ([YARN-5280|https://issues.apache.org/jira/browse/YARN-5280]) allows YARN > administrators to use one Java Security Manager policy file to limit the > permissions granted to YARN containers. It would be useful to allow for > different policy files to be used based on groups. > For example, an administrator may want to ensure standard users who write > applications for the MapReduce or Tez frameworks are not allowed to open > arbitrary network connections within their data processing code. Users who > are designing the ETL pipelines however may need to open sockets to extract > data from external sources. By assigning these sets of users to different > groups and setting specific policies for each group you can assert fine > grained control over the permissions granted to each Java based container > across a YARN cluster. -- This message was sent by Atlassian JIRA (v6.3.15#6346) --------------------------------------------------------------------- To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org