[ 
https://issues.apache.org/jira/browse/YARN-5280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15368645#comment-15368645
 ] 

Greg Phillips commented on YARN-5280:
-------------------------------------

[~vinodkv] -  It certainly seems reasonable to refactor this feature into a JVM 
container runtime.  It is important, however, that this feature remains opt-in 
since it requires additional considerations for cluster administration.

I've tested Kerberos integration & native code execution successfully with the 
current patch.  Additionally, to [~rkanter]'s point, I have modified Pig & Hive 
slightly to add all resources to tmpjars instead of building an uberjar, which 
has enabled the ability to sign the jars and subsequently execute successfully 
within a security manager.  I am still cleaning these patches, and will create 
new sub-tickets when they are ready.

I will follow up with testing results on your last suggestion.  The one 
potential challenge we may run into is controlling file access using this 
method.

> Allow YARN containers to run with Java Security Manager
> -------------------------------------------------------
>
>                 Key: YARN-5280
>                 URL: https://issues.apache.org/jira/browse/YARN-5280
>             Project: Hadoop YARN
>          Issue Type: New Feature
>          Components: nodemanager, yarn
>    Affects Versions: 2.6.4
>            Reporter: Greg Phillips
>            Priority: Minor
>         Attachments: YARN-5280.patch, YARNContainerSandbox.pdf
>
>
> YARN applications have the ability to perform privileged actions which have 
> the potential to add instability into the cluster. The Java Security Manager 
> can be used to prevent users from running privileged actions while still 
> allowing their core data processing use cases. 
> Introduce a YARN flag which will allow a Hadoop administrator to enable the 
> Java Security Manager for user code, while still providing complete 
> permissions to core Hadoop libraries.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
