hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Zhijie Shen (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-1937) Add entity-level access control of the timeline data for owners only
Date Fri, 23 May 2014 07:07:02 GMT

    [ https://issues.apache.org/jira/browse/YARN-1937?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14006938#comment-14006938
] 

Zhijie Shen commented on YARN-1937:
-----------------------------------

bq. A meta comment - may be this isn't a RESTy way of rejecting requests?

The situation here is that we may not deny the whole request, but part of the entities may
not be put. Otherwise, we can simply return a HTTP 403. However, in this case we have to do
the customized response, don't we?

bq. We should also make this a public enum so that users know what system-filters exist
bq. Do we really need TimelinePutError.SYSTEM_FILTER_CONFLICT? Similarly injectOwnerInfo.
Or is it better to simply ignore the overriding filters? Not sure, thinking aloud.

I intentionally don't allow user to set or modify the system filter, preventing them from
affecting the system logic. For example, if "user1" post the entity by setting ENTITY_OWNER
= "user2", the posted entity will never be accessible by "user1".Therefore the enums don't
need to be visible by users. However, in the documententation, we can explicitly tell users
what are the reserved filter names by the timeline service. Users shouldn't use it.

bq. Agree with Varun about admins. You should simply start respecting YarnConfiguration.YARN_ADMIN_ACL.
See ApplicationACLsManager for e.g and reuse AdminACLsManager here itself.

Sure. As I already filed a ticket about adding admin acls. How about working on this issue
separately?

> Add entity-level access control of the timeline data for owners only
> --------------------------------------------------------------------
>
>                 Key: YARN-1937
>                 URL: https://issues.apache.org/jira/browse/YARN-1937
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Zhijie Shen
>            Assignee: Zhijie Shen
>         Attachments: YARN-1937.1.patch, YARN-1937.2.patch, YARN-1937.3.patch
>
>




--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message