hadoop-yarn-issues mailing list archives

From "Craig Welch (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-796) Allow for (admin) labels on nodes and resource-requests
Date Wed, 10 Sep 2014 20:12:38 GMT

    [ https://issues.apache.org/jira/browse/YARN-796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14129024#comment-14129024 ]

Craig Welch commented on YARN-796:
----------------------------------

So, I'm adding code to check whether a user should be able to modify labels (is an admin)
and I think that we should be checking the UserGroup information but not executing the operation
using "doAs".  This is because, ultimately, the process is writing data into hdfs and for
permissions reasons I think it should always be written as the same user - the user yarn runs
as - if we do the doAs there will be a mishmash of users there, and to have the directory
be secure there would need to be a group with rights which contains all the admin users, which
is extra overhead (otherwise, it has to be world writable, which tends to compromise the security
model...)  I think the same is true if we use other datastores down the line for holding the
label info - really, our interest in the user is to verify access, but we don't really need
or want to perform actions on their behalf (like you would when launching a job, etc), this
is not one of those cases.  So, I propose enforcing the check but executing whatever changes
as the user the process is running under (the resourcemanager/yarn user, basically, just dropping
the doAs).  This means that entry points will need to do the verification, but that's not
really an issue, they already have to be aware to gather the info regarding who the user is
/ are aware of the need for doAs, now, etc.  It means that the user will need to be careful
if executing a tool which directly modifies the data in hdfs to do that as an appropriate
user, but they already have to do that, it's not a new issue which is being created with this
approach (it doesn't really make that any better or worse, imho).  Thoughts?

> Allow for (admin) labels on nodes and resource-requests
> -------------------------------------------------------
>
>                 Key: YARN-796
>                 URL: https://issues.apache.org/jira/browse/YARN-796
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>    Affects Versions: 2.4.1
>            Reporter: Arun C Murthy
>            Assignee: Wangda Tan
>         Attachments: LabelBasedScheduling.pdf, Node-labels-Requirements-Design-doc-V1.pdf, Node-labels-Requirements-Design-doc-V2.pdf, YARN-796-Diagram.pdf, YARN-796.node-label.consolidate.1.patch, YARN-796.node-label.demo.patch.1, YARN-796.patch, YARN-796.patch4
>
>
> It will be useful for admins to specify labels for nodes. Examples of labels are OS, processor architecture etc.
> We should expose these labels and allow applications to specify labels on resource-requests.
> Obviously we need to support admin operations on adding/removing node labels.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
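
The pattern proposed in the comment above (authorize against the caller's identity, then write as the process user without `doAs`), as an added example that is not part of the original message or of any YARN-796 patch. The class name, ACL string, file path and user names are assumptions made for illustration; it needs hadoop-common on the classpath and assumes no core-site.xml is present, so the default `Configuration` resolves to the local filesystem.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AccessControlList;

// Hypothetical class for illustration; not taken from any YARN-796 patch.
public class NodeLabelStoreExample {
  private final AccessControlList adminAcl; // "users groups", constructed sample below
  private final FileSystem fs;              // bound to the user the daemon runs as
  private final Path store;                 // hypothetical label file

  NodeLabelStoreExample(String aclSpec, Configuration conf, Path store) throws IOException {
    this.adminAcl = new AccessControlList(aclSpec);
    this.fs = FileSystem.get(conf); // opened outside any doAs
    this.store = store;
  }

  // Entry point: the caller's UGI feeds the authorization decision and nothing else.
  void setNodeLabels(UserGroupInformation caller, String node, String labels)
      throws IOException {
    if (!adminAcl.isUserAllowed(caller)) {
      throw new AccessControlException(
          "User " + caller.getShortUserName() + " may not modify node labels");
    }
    // No caller.doAs(...) here: the write runs as the service user, so the store
    // has a single owner and needs no admin group or world-writable directory.
    try (OutputStream out = fs.create(store, true)) {
      out.write((node + "=" + labels + "\n").getBytes(StandardCharsets.UTF_8));
    }
  }

  public static void main(String[] args) throws IOException {
    // Constructed users; "alice" is in the ACL's user list, "bob" is not.
    Path file = new Path(System.getProperty("java.io.tmpdir"), "node-labels.example");
    NodeLabelStoreExample s =
        new NodeLabelStoreExample("alice yarnadmins", new Configuration(), file);
    String[] groups = {"staff"};
    s.setNodeLabels(UserGroupInformation.createUserForTesting("alice", groups),
        "host1", "gpu,linux");
    try {
      s.setNodeLabels(UserGroupInformation.createUserForTesting("bob", groups),
          "host1", "windows");
    } catch (AccessControlException e) {
      System.out.println("denied: " + e.getMessage());
    }
  }
}
```

Because the write no longer carries the caller's identity, every entry point that reaches `setNodeLabels` has to pass the real caller's UGI; a path that skips the check writes with the service user's full rights.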
