hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jason Lowe (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-6820) Restrict read access to timelineservice v2 data
Date Thu, 20 Jul 2017 20:21:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-6820?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16095298#comment-16095298
] 

Jason Lowe commented on YARN-6820:
----------------------------------

A simple whitelist of users that are allowed to use the readers and thus access all ATSv2
data would probably let us deploy ATSv2 in a limited way.  We could deploy ATSv2 alongside
our existing ATSv1.5 and have the producers write to _both_ ATSv1.5 and ATSv2.  We would whitelist
our admin users for ATSv2 but still direct all our regular users to UIs based on ATSv1.5.
 So it would allow us to deploy ATSv2, but only admins would see any benefits.  Our normal
users cannot have unlimited access to the data within ATSv2, since one user could access metadata
(counters, configs, etc.) for another user's job.  Therefore a whitelist option isn't something
we can live with if we want normal users to be able to access ATSv2.  Until there's a "real"
ACL solution for ATSv2 we would be forced to continue deploying ATSv1.5 so our users can still
access the Tez UI, YARN history server, etc.

> Restrict read access to timelineservice v2 data 
> ------------------------------------------------
>
>                 Key: YARN-6820
>                 URL: https://issues.apache.org/jira/browse/YARN-6820
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: timelineserver
>            Reporter: Vrushali C
>              Labels: yarn-5355-merge-blocker
>
> Need to provide a way to restrict read access in ATSv2. Not all users should be able
to read all entities. On the flip side, some folks may not need any read restrictions, so
we need to provide a way to disable this access restriction as well. 
> Initially this access restriction could be done in a simple way via a whitelist of users
allowed to read data. That set of users can read all data, no other user can read any data.
Can be turned off for all users to read all data.
> Could be stored in a "domain" table in hbase perhaps. Or a configuration setting for
the cluster. Or something else that's simple enough. ATSv1 has a concept of domain for isolating
users for reading. Would be good to keep that in consideration. 
> In ATSv1, domain offers a namespace for Timeline server allowing users to host multiple
entities, isolating them from other users and applications. A “Domain” in ATSV1 primarily
stores owner info, read and& write ACL information, created and modified time stamp information.
Each Domain is identified by an ID which must be unique across all users in the YARN cluster.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org


Mime
View raw message