hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sandy Ryza (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-1539) Queue admin ACLs should NOT be similar to submit-acls w.r.t hierarchy.
Date Thu, 26 Dec 2013 20:24:50 GMT

    [ https://issues.apache.org/jira/browse/YARN-1539?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13857050#comment-13857050
] 

Sandy Ryza commented on YARN-1539:
----------------------------------

My understanding was that the way that both submit and admin work is that: to have access
to a queue, you need to be in its access control list OR in the access control list of any
of its ancestors.  Where is the unnecessary burden?  Also, would this not be an incompatible
change?

{code}
  @Override
  public boolean hasAccess(QueueACL acl, UserGroupInformation user) {
    synchronized (this) {
      if (acls.get(acl).isUserAllowed(user)) {
        return true;
      }
    }
    
    if (parent != null) {
      return parent.hasAccess(acl, user);
    }
    
    return false;
  }
{code}

> Queue admin ACLs should NOT be similar to submit-acls w.r.t hierarchy.
> ----------------------------------------------------------------------
>
>                 Key: YARN-1539
>                 URL: https://issues.apache.org/jira/browse/YARN-1539
>             Project: Hadoop YARN
>          Issue Type: Bug
>            Reporter: Vinod Kumar Vavilapalli
>            Priority: Critical
>
> Today, Queue admin ACLs are similar to submit-acls w.r.t hierarchy in that if one has
to be able to administer a queue, he/she should be an admin of all the queues in the ancestry
- an unnecessary burden.
> This was added in YARN-899 and I believe is wrong semantics as well as implementation.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)

Mime
View raw message