hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "YunFan Zhou (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-6842) Implement a new access type for queue
Date Fri, 28 Jul 2017 15:41:01 GMT

    [ https://issues.apache.org/jira/browse/YARN-6842?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16105120#comment-16105120

YunFan Zhou commented on YARN-6842:

Thank Naganarasimha G R,
In fact, the original intention of the development of this feature was to solve the user authentication
of RM Web UI. 
The RM Web UI has no user authentication by default. Therefore, all users who login RM WEB
UI by default are use user Dr. Who (this is a YARN configuration decision). 

Before we did not open YARN user authentication (i.e. yarn.acl.enable set to false,  yarn.admin.acl
is set to * by default), we found that other users can also through the RM WEB UI kill other
user's application,  which can cause many users application failed. 

Therefore, we set the* yarn.acl.enable* to true , and set the *yarn. admin.acl* to the administrator
However, there is a problem with this, which is that the *dr. who* (common account) is not
authorized to view the applications of any queue unless the queue's *aclAdministerApps*(for
the FairScheduler scenario) is set the user or *.

So, the easiest way to solve this problem is to provide a VIEW_APP permissions for queue.
And we only authorize user read permissions. 
This allows the user to view the applications of the queue properly, but not because the administrator
privileges cause unnecessary misoperation to kill other users applications. 

So,  I think this feature is very useful to me,  and I think other users will have the same

> Implement a new access type for queue
> -------------------------------------
>                 Key: YARN-6842
>                 URL: https://issues.apache.org/jira/browse/YARN-6842
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: scheduler
>    Affects Versions: 2.8.2
>            Reporter: YunFan Zhou
>            Assignee: YunFan Zhou
>         Attachments: YARN-6842.001.patch, YARN-6842.002.patch, YARN-6842.003.patch
> When we want to access applications of a queue,  only we can do is become the administer
of the queue at present.
> But sometimes we only want  authorize someone view applications of a queue but not modify
> In our current mechanism there isn't any way to meet it, so I will implement a new access
type for queue to solve
> this problem.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org

View raw message