hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jason Lowe (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-6820) Restrict read access to timelineservice v2 data
Date Thu, 20 Jul 2017 14:34:01 GMT

    [ https://issues.apache.org/jira/browse/YARN-6820?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16094769#comment-16094769

Jason Lowe commented on YARN-6820:

Visibility labels on the surface look like they would map very closely to domains in ATSv1.
 However as Varun points out, one issue is that we don't get the user->labels mapping for
free because HBase only ever sees ATSv2 read requests from one user, the timeline reader.
 Therefore the ATSv2 timeline reader would need to map the requesting user to the list of
labels that they are eligible to read and specify those labels in the HBase read request.
 I might be missing something, but I don't see how HBase is going to be able to do that mapping
for us directly during the read request since the actual user isn't accessing HBase.  I suppose
it could if the timeline reader user is allowed to proxy as other users to HBase during reads?
 But I didn't think the plan was to give any credentials at all for regular users to HBase
nor make the timeline reader a proxy user.

Mapping a user to their labels may be fairly straightforward since HBase allows us to query
which labels a user has access to.  Unfortunately it only returns the labels that explicitly
specified the user and not any labels for the user's groups.  Therefore we'd still need to
find a way to map a user to their groups and lookup the labels for the groups (and recursively
if groups contain other groups).

> Restrict read access to timelineservice v2 data 
> ------------------------------------------------
>                 Key: YARN-6820
>                 URL: https://issues.apache.org/jira/browse/YARN-6820
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: timelineserver
>            Reporter: Vrushali C
>              Labels: yarn-5355-merge-blocker
> Need to provide a way to restrict read access in ATSv2. Not all users should be able
to read all entities. On the flip side, some folks may not need any read restrictions, so
we need to provide a way to disable this access restriction as well. 
> Initially this access restriction could be done in a simple way via a whitelist of users
allowed to read data. That set of users can read all data, no other user can read any data.
Can be turned off for all users to read all data.
> Could be stored in a "domain" table in hbase perhaps. Or a configuration setting for
the cluster. Or something else that's simple enough. ATSv1 has a concept of domain for isolating
users for reading. Would be good to keep that in consideration. 
> In ATSv1, domain offers a namespace for Timeline server allowing users to host multiple
entities, isolating them from other users and applications. A “Domain” in ATSV1 primarily
stores owner info, read and& write ACL information, created and modified time stamp information.
Each Domain is identified by an ID which must be unique across all users in the YARN cluster.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org

View raw message