Details
- Bug
- Status: Open
- Minor
- Resolution: Unresolved
- 3.3.3
- None
Description
When JavaSandboxLinuxContainerRuntime is used, we can specify yarn.nodemanager.runtime.linux.sandbox-mode.policy to use a self-provided java.policy file. When this setting is not specified, JavaSandboxLinuxContainerRuntime will use the default java.policy file.
However, when the user belongs to one or more groups and the yarn.nodemanager.runtime.linux.sandbox-mode.policy.group.$groupName setting is not specified, JavaSandboxLinuxContainerRuntime still skips the default java.policy file, resulting in a final policy which looks like this:
    grant codeBase "file:/usr/local/hadoop/-" {
      permission java.security.AllPermission;
    };
    grant {
      permission java.io.FilePermission "/tmp/hadoop-yarn/nm-local-dir/usercache/yarn/appcache/application_1653546011283_0006//-", "read";
      permission java.io.FilePermission "/tmp/hadoop-yarn/nm-local-dir/usercache/yarn/appcache/application_1653546011283_0006/filecache/13/-", "read";
      permission java.io.FilePermission "/tmp/hadoop-yarn/nm-local-dir/usercache/yarn/appcache/application_1653546011283_0006/filecache/11/-", "read";
      permission java.io.FilePermission "/tmp/hadoop-yarn/nm-local-dir/usercache/yarn/appcache/application_1653546011283_0006/filecache/12/-", "read";
      permission java.io.FilePermission "/tmp/hadoop-yarn/nm-local-dir/usercache/yarn/appcache/application_1653546011283_0006/filecache/10/-", "read";
    };
which will cause problems running applications.
A PR will be provided if this is identified as a bug.
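To check a generated container policy for the shape shown in this report, the following added example (not code from the report or from Hadoop) parses a java.policy text and flags the case where the unconditional grant block holds nothing but read-only FilePermission entries. The function names and the heuristic are assumptions; the sample is the policy from the description, shortened to two appcache entries.

```python
import re

# Constructed sample: the policy from the report, shortened to two entries.
APP = "/tmp/hadoop-yarn/nm-local-dir/usercache/yarn/appcache/application_1653546011283_0006"
SAMPLE_POLICY = f'''
grant codeBase "file:/usr/local/hadoop/-" {{
  permission java.security.AllPermission;
}};
grant {{
  permission java.io.FilePermission "{APP}//-", "read";
  permission java.io.FilePermission "{APP}/filecache/13/-", "read";
}};
'''

# Strings are matched first so that "//" inside a quoted path (as in the
# report's ".../application_..._0006//-") is not mistaken for a comment.
_COMMENT_OR_STRING = re.compile(r'"[^"]*"|//[^\n]*|/\*.*?\*/', re.S)
_GRANT = re.compile(r'grant\b([^{]*)\{(.*?)\}\s*;', re.S)
_PERM = re.compile(r'permission\s+([\w.$]+)\s*((?:"[^"]*"\s*,?\s*)*);')

def parse_policy(text):
    """Parse grant blocks into dicts: codeBase, unconditional, permissions."""
    text = _COMMENT_OR_STRING.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else '', text)
    grants = []
    for header, body in _GRANT.findall(text):
        code_base = re.search(r'codeBase\s+"([^"]*)"', header)
        perms = [(cls, re.findall(r'"([^"]*)"', args))
                 for cls, args in _PERM.findall(body)]
        grants.append({
            "codeBase": code_base.group(1) if code_base else None,
            # No codeBase/signedBy/principal clause: applies to all code.
            "unconditional": header.strip() == "",
            "permissions": perms,
        })
    return grants

def unconditional_grant_is_read_only(grants):
    """True when all unconditional permissions are FilePermission "read",
    which is the shape of the final policy shown in the report."""
    perms = [p for g in grants if g["unconditional"] for p in g["permissions"]]
    return bool(perms) and all(
        cls == "java.io.FilePermission" and args[1:] == ["read"]
        for cls, args in perms)

if __name__ == "__main__":
    print(unconditional_grant_is_read_only(parse_policy(SAMPLE_POLICY)))
```
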