hadoop-yarn-issues mailing list archives

From "Jian He (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-3100) Make YARN authorization pluggable
Date Thu, 29 Jan 2015 23:37:36 GMT

    [ https://issues.apache.org/jira/browse/YARN-3100?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14297903#comment-14297903 ]

Jian He commented on YARN-3100:
-------------------------------

bq. It doesn't make sense to do all of this base work in YARN when we already know that, even
beyond HDFS file-level ACLs, there are all sorts of places that need the same support in common.

HDFS-6826 is what HDFS does on their end to make authorization pluggable. I tried to re-use
what they have, but the patch has so many HDFS-specific bits that won't work for YARN. Even with
a common interface, HDFS and YARN still require their own interfaces to take care of their
own logic. Stepping back, how much base work can it be? To YARN, it's very simple: it's
just a single interface file which may be used by HDFS. The majority of the work resides
in YARN itself. I would be more than happy to put it in common if HDFS would like to use it.


Do you suggest a top-down manner, having a single interface sitting in common which works
perfectly for HDFS and YARN first in one go, and then let HDFS and YARN implement their own
and no one could ever change the interface? To me, this is not practical.

> Make YARN authorization pluggable
> ---------------------------------
>
>                 Key: YARN-3100
>                 URL: https://issues.apache.org/jira/browse/YARN-3100
>             Project: Hadoop YARN
>          Issue Type: Bug
>            Reporter: Jian He
>            Assignee: Jian He
>         Attachments: YARN-3100.1.patch, YARN-3100.2.patch
>
>
> The goal is to have the YARN ACL model pluggable so as to integrate other authorization tools
> such as Apache Ranger, Sentry.
> Currently, we have
> - admin ACL
> - queue ACL
> - application ACL
> - timeline domain ACL
> - service ACL
> The proposal is to create a YarnAuthorizationProvider interface. Current implementation
> will be the default implementation. Ranger or Sentry plug-in can implement this interface.
> Benefit:
> - Unify the code base. With the default implementation, we can get rid of each specific
> ACL manager such as AdminAclManager, ApplicationACLsManager, QueueAclsManager etc.
> - Enable Ranger, Sentry to do authorization for YARN.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
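
The proposal quoted above, as an added sketch that is not part of the original message or of the YARN-3100 patches: one provider interface, a deny-by-default default implementation in place of per-ACL managers, and a loader that fails closed when a configured plug-in cannot be loaded. All type, method and class names here are hypothetical and do not reproduce Hadoop's API.

```java
import java.util.*;

// Hypothetical sketch: all names and signatures are illustrative, not Hadoop's API.
public class PluggableAuthzSketch {
    // The five ACL kinds listed in the issue description.
    enum AclType { ADMIN, QUEUE, APPLICATION, TIMELINE_DOMAIN, SERVICE }

    // Single decision point that every component calls.
    interface AuthorizationProvider {
        boolean checkPermission(AclType type, String entity, String user);
    }

    // Default provider: one ACL table instead of one manager per ACL kind.
    static class DefaultProvider implements AuthorizationProvider {
        private final Map<String, Set<String>> acls = new HashMap<>();
        void allow(AclType type, String entity, String user) {
            acls.computeIfAbsent(type + ":" + entity, k -> new HashSet<>()).add(user);
        }
        @Override
        public boolean checkPermission(AclType type, String entity, String user) {
            // Deny by default: a missing ACL entry grants nothing.
            Set<String> users = acls.get(type + ":" + entity);
            return users != null && users.contains(user);
        }
    }

    // Fail closed: a configured plug-in that cannot load stops startup, no silent fallback.
    static AuthorizationProvider load(String className) {
        if (className == null) return new DefaultProvider();
        try {
            return (AuthorizationProvider) Class.forName(className)
                    .getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException | ClassCastException e) {
            throw new IllegalStateException("authorization plug-in failed: " + className, e);
        }
    }

    public static void main(String[] args) {
        DefaultProvider p = (DefaultProvider) load(null);
        p.allow(AclType.QUEUE, "root.default", "alice"); // constructed sample ACL
        System.out.println(p.checkPermission(AclType.QUEUE, "root.default", "alice"));
        System.out.println(p.checkPermission(AclType.APPLICATION, "app_1", "alice"));
        try {
            load("example.MissingPlugin"); // constructed, nonexistent class name
        } catch (IllegalStateException e) {
            System.out.println("refused to start: " + e.getMessage());
        }
    }
}
```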
