hadoop-yarn-issues mailing list archives

From "Sunil G (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-3100) Make YARN authorization pluggable
Date Mon, 09 Feb 2015 10:27:35 GMT

    [ https://issues.apache.org/jira/browse/YARN-3100?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14312066#comment-14312066 ]

Sunil G commented on YARN-3100:
-------------------------------

Hi [~jianhe]

Thanks for sharing this ACL pluggable feature improvement. A few comments on this.

1. *allAcls* is a concurrent map with PrivilegedType as key and ACLs as value. Hence the
recovery/HA for this data is tied to the scheduler's recovery logic. Going further, when
this ACL authorizer becomes generic, could this be made more independent and handle HA
cases separately?
2. Also, REST support for managing ACLs can be added.
3. Using RMAdmin, I feel we could have a command line option to add an ACL for a queue at
runtime. Also, this can be made generic for any ACLs too.
4. YarnAuthorizationProvider: could it give more interfaces, such as "get all users for a given
AccessType and PrivilegedEntity" etc.?

Kindly share your opinion, and if you feel points 2 and 3 can be done, I am ready to help
on the same.

Also a small nit in the current patch:
{code}
+  public void setPermission(PrivilegedEntity target,
+      Map<AccessType, AccessControlList> acls, UserGroupInformation ugi) {
+    allAcls.put(target, acls);
+  }
{code}
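Review bot: setPermission never consults its ugi argument, so the allAcls.put(target, acls) line replaces the ACL entry for target without any check on who is making the call. Either use ugi to verify that the caller may change permissions on target before the put, or drop the parameter so the signature does not suggest a check that is not there. The put also stores the caller's Map reference directly; copying it before storing would keep later changes to the caller's map from altering the ACLs held in allAcls.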
UserGroupInformation is not used.


> Make YARN authorization pluggable
> ---------------------------------
>
>                 Key: YARN-3100
>                 URL: https://issues.apache.org/jira/browse/YARN-3100
>             Project: Hadoop YARN
>          Issue Type: Improvement
>            Reporter: Jian He
>            Assignee: Jian He
>         Attachments: YARN-3100.1.patch, YARN-3100.2.patch, YARN-3100.2.patch
>
>
> The goal is to have the YARN ACL model pluggable so as to integrate other authorization tools such as Apache Ranger, Sentry.
> Currently, we have
> - admin ACL
> - queue ACL
> - application ACL
> - time line domain ACL
> - service ACL
> The proposal is to create a YarnAuthorizationProvider interface. Current implementation will be the default implementation. Ranger or Sentry plug-in can implement this interface.
> Benefit:
> - Unify the code base. With the default implementation, we can get rid of each specific ACL manager such as AdminAclManager, ApplicationACLsManager, QueueAclsManager etc.
> - Enable Ranger, Sentry to do authorization for YARN.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
