hadoop-yarn-issues mailing list archives

From "YunFan Zhou (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-6842) Implement a new access type for queue
Date Fri, 28 Jul 2017 15:41:01 GMT

    [ https://issues.apache.org/jira/browse/YARN-6842?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16105120#comment-16105120 ]

YunFan Zhou commented on YARN-6842:
-----------------------------------

Thanks Naganarasimha G R,
In fact, the original intention of the development of this feature was to solve the user authentication of the RM Web UI.
The RM Web UI has no user authentication by default. Therefore, all users who log in to the RM Web UI by default use the user Dr. Who (this is a YARN configuration decision).

Previously, when we had not enabled YARN user authentication (i.e. yarn.acl.enable set to false, yarn.admin.acl is set to * by default), we found that other users could also kill other users' applications through the RM Web UI, which can cause many users' applications to fail.

Therefore, we set *yarn.acl.enable* to true, and set *yarn.admin.acl* to the administrator account.
However, there is a problem with this, which is that *dr. who* (the common account) is not authorized to view the applications of any queue unless the queue's *aclAdministerApps* (for the FairScheduler scenario) is set to the user or *.

So, the easiest way to solve this problem is to provide a VIEW_APP permission for the queue.
And we only grant the user read permission.
This allows the user to view the applications of the queue properly, without administrator privileges causing unnecessary misoperations that kill other users' applications.

So, I think this feature is very useful to me, and I think other users will have the same scenario.

> Implement a new access type for queue
> -------------------------------------
>
>                 Key: YARN-6842
>                 URL: https://issues.apache.org/jira/browse/YARN-6842
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: scheduler
>    Affects Versions: 2.8.2
>            Reporter: YunFan Zhou
>            Assignee: YunFan Zhou
>         Attachments: YARN-6842.001.patch, YARN-6842.002.patch, YARN-6842.003.patch
>
>
> When we want to access the applications of a queue, the only thing we can do at present is become the administrator of the queue.
> But sometimes we only want to authorize someone to view the applications of a queue, not to perform modify operations.
> In our current mechanism there isn't any way to do this, so I will implement a new access type for queue to solve this problem.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org
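
The access situation described in the message above, as an added sketch that is not part of the original message and is not Hadoop source code: a simplified Python model of the four configurations discussed (ACLs disabled, ACLs enabled, queue administration opened to `*`, and the proposed read-only VIEW_APP access type). The class and method names, the admin account `yarn-admin`, and the application owner `alice` are assumptions made for illustration.

```python
# Simplified model of the queue ACL behaviour described in this message.
# Added illustration only; not Hadoop/YARN source code.
from dataclasses import dataclass, field
from enum import Enum


class Access(Enum):
    ADMINISTER_APPS = "administer"  # models the queue's aclAdministerApps
    VIEW_APP = "view"               # read-only access type proposed in YARN-6842


@dataclass
class Cluster:
    acl_enabled: bool   # models yarn.acl.enable
    admins: set         # models yarn.admin.acl ("*" means everyone)
    queue_acls: dict = field(default_factory=dict)  # Access -> set of users

    def _listed(self, user, users):
        return "*" in users or user in users

    def _has(self, user, access):
        return self._listed(user, self.queue_acls.get(access, set()))

    def _privileged(self, user, owner):
        # With ACLs disabled every check passes; otherwise the caller must be
        # the application owner, a cluster admin, or a queue administrator.
        return (not self.acl_enabled or user == owner
                or self._listed(user, self.admins)
                or self._has(user, Access.ADMINISTER_APPS))

    def can_kill(self, user, owner):
        return self._privileged(user, owner)

    def can_view(self, user, owner):
        return self._privileged(user, owner) or self._has(user, Access.VIEW_APP)


def scenarios(web_user="dr.who", owner="alice"):
    """Return {name: (can_view, can_kill)} for the unauthenticated web user."""
    admin = {"yarn-admin"}  # hypothetical administrator account
    setups = {
        "acls_disabled": Cluster(False, {"*"}),
        "acls_enabled": Cluster(True, admin),
        "queue_admin_star": Cluster(True, admin, {Access.ADMINISTER_APPS: {"*"}}),
        "view_app_star": Cluster(True, admin, {Access.VIEW_APP: {"*"}}),
    }
    return {name: (c.can_view(web_user, owner), c.can_kill(web_user, owner))
            for name, c in setups.items()}
```

Only the last configuration lets the shared web user see another user's application without also being able to kill it.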