hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Vrushali C (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-6820) Restrict read access to timelineservice v2 data
Date Thu, 20 Jul 2017 06:07:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-6820?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16094243#comment-16094243

Vrushali C commented on YARN-6820:

Adding to what I mentioned above.

If a user’s labels do not match a cell’s label or expression, the user will be denied
access to the cell. The timeline service scan will be done as "ats" user. Say the "ats" user
is a super user / admin in hbase. So "ats" user has access to all tables. 

We can specify a different authorization during the Scan or Get, by passing the AUTHORIZATIONS
option in HBase Shell, or the setAuthorizations() method in the API. This authorization will
be combined with the default set as an additional filter. It will further filter the results.

So say group "tez-admins" is the label applied to the cell while writing. Now if a user queries
the rest api of timeline service and that user is part of "tez-admins" group, then this authorization
should return the cells. 

If another user say "search-admin" is querying the rest api of timeline service and that "search-admin"
is *not* part of "tez-admins" group, then this hbase visibility filtering / authorization
should *NOT* return the cells. 

I need to test this, we currently don't have any auth or visibility set on our hbase clusters.
Will see what I can do. 

> Restrict read access to timelineservice v2 data 
> ------------------------------------------------
>                 Key: YARN-6820
>                 URL: https://issues.apache.org/jira/browse/YARN-6820
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: timelineserver
>            Reporter: Vrushali C
>              Labels: yarn-5355-merge-blocker
> Need to provide a way to restrict read access in ATSv2. Not all users should be able
to read all entities. On the flip side, some folks may not need any read restrictions, so
we need to provide a way to disable this access restriction as well. 
> Initially this access restriction could be done in a simple way via a whitelist of users
allowed to read data. That set of users can read all data, no other user can read any data.
Can be turned off for all users to read all data.
> Could be stored in a "domain" table in hbase perhaps. Or a configuration setting for
the cluster. Or something else that's simple enough. ATSv1 has a concept of domain for isolating
users for reading. Would be good to keep that in consideration. 
> In ATSv1, domain offers a namespace for Timeline server allowing users to host multiple
entities, isolating them from other users and applications. A “Domain” in ATSV1 primarily
stores owner info, read and& write ACL information, created and modified time stamp information.
Each Domain is identified by an ID which must be unique across all users in the YARN cluster.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org

View raw message