hadoop-yarn-issues mailing list archives

From "YunFan Zhou (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (YARN-6842) Implement a new access type for queue
Date Sat, 29 Jul 2017 15:34:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-6842?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16106154#comment-16106154
] 

YunFan Zhou edited comment on YARN-6842 at 7/29/17 3:33 PM:
------------------------------------------------------------

But there is a security risk that you can see. Users can kill other users' applications through
the RM Web UI.
The https://issues.apache.org/jira/browse/YARN-6890 JIRA is a solution to this problem.

I think this solution is not perfect because it only limits how users can kill other users'
applications through the RM Web UI. There is no limit on users killing other users'
applications through the CLI.

My solution is more complete: I set *yarn.acl.enable* to true and set *yarn.admin.acl*
to the administrator. This means that if the user is not the administrator of the queue that
the application was submitted to, they can kill other users' applications neither through the RM Web UI
nor through the CLI (bin/application -kill XXX).

But doing so requires a compromise, and we need to provide a queue *VIEW_APP* privilege.
For users who want to access the applications of all queues using the RM Web UI, you can authorize
them with the *VIEW_APP* permission on the root queue.
Of course, administrators can also authorize certain users with *VIEW_APP* permissions on certain
queues.

I think my solution is perfect, and it does bring a lot of benefits. 
I think it can at least replace the solution of https://issues.apache.org/jira/browse/YARN-6890.

Some thoughts.


> Implement a new access type for queue
> -------------------------------------
>
>                 Key: YARN-6842
>                 URL: https://issues.apache.org/jira/browse/YARN-6842
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: scheduler
>    Affects Versions: 2.8.2
>            Reporter: YunFan Zhou
>            Assignee: YunFan Zhou
>         Attachments: YARN-6842.001.patch, YARN-6842.002.patch, YARN-6842.003.patch
>
>
> When we want to access the applications of a queue, the only thing we can do at present is become
> the administrator of the queue.
> But sometimes we only want to authorize someone to view the applications of a queue but not to
> perform modify operations.
> In our current mechanism there isn't any way to meet this, so I will implement a new access
> type for queue to solve this problem.
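The authorization model the comment above argues for can be checked end to end with a small simulation. The following is an added example, not Hadoop code and not the YARN-6842 patch: it models Hadoop-style ACL strings (`user1,user2 group1,group2`, `*` for everyone, blank for nobody), the existing queue ACLs (`ADMINISTER_QUEUE`, `SUBMIT_APPLICATIONS`) with their downward inheritance through the queue tree, and the proposed read-only `VIEW_APP` grant. The `VIEW_APP` key name and its inheritance rule are assumptions for illustration, as is the constructed cluster in `build_sample_policy`. The point it demonstrates is the one the comment makes: with `yarn.acl.enable` on and `yarn.admin.acl` narrowed, the same ResourceManager-side decision governs both the Web UI kill button and `yarn application -kill`, and a `VIEW_APP` grant lets an auditor read without being able to kill.

```python
"""
Toy model of the YARN authorization decision debated in this thread.

Constructed example, not Hadoop code. ACL strings follow the Hadoop
AccessControlList format ("user1,user2 group1,group2"; "*" = everyone;
blank = nobody), and queue ACLs are inherited downwards: holding a
permission on a parent queue grants it on every child. The VIEW_APP
access type is the proposal in YARN-6842; the key name used here and its
inheritance rule are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

ADMINISTER_QUEUE = "ADMINISTER_QUEUE"        # existing YARN queue ACL
SUBMIT_APPLICATIONS = "SUBMIT_APPLICATIONS"  # existing YARN queue ACL
VIEW_APP = "VIEW_APP"                        # proposed in YARN-6842 (assumed name)


def parse_acl(acl: str) -> Tuple[Set[str], Set[str], bool]:
    """Split a Hadoop-style ACL string into (users, groups, everyone)."""
    if acl.strip() == "*":
        return set(), set(), True
    # No trim here: " group1" (leading space) means "no users, group group1".
    parts = acl.split(" ", 1)
    users = {u for u in parts[0].split(",") if u}
    groups = {g for g in parts[1].split(",") if g} if len(parts) > 1 else set()
    return users, groups, False


def acl_allows(acl: str, user: str, groups: Set[str]) -> bool:
    users, acl_groups, everyone = parse_acl(acl)
    return everyone or user in users or bool(acl_groups & groups)


@dataclass
class Queue:
    name: str
    parent: Optional["Queue"] = None
    acls: Dict[str, str] = field(default_factory=dict)  # access type -> ACL string


@dataclass
class ClusterPolicy:
    acl_enable: bool          # yarn.acl.enable
    admin_acl: str            # yarn.admin.acl
    queues: Dict[str, Queue]


def queue_permits(queue: Queue, access: str, user: str, groups: Set[str]) -> bool:
    """Walk up the hierarchy: a permission held on any ancestor counts."""
    q: Optional[Queue] = queue
    while q is not None:
        if acl_allows(q.acls.get(access, ""), user, groups):
            return True
        q = q.parent
    return False


def can_kill(policy: ClusterPolicy, owner: str, queue: str,
             user: str, groups: Set[str]) -> bool:
    """Kill (modify) decision. The RM Web UI kill button and
    `yarn application -kill` both reach this same RM-side check, which is
    why enabling ACLs closes both paths at once."""
    if not policy.acl_enable:
        return True  # ACLs off: anyone may kill anything (the risk raised above)
    if user == owner or acl_allows(policy.admin_acl, user, groups):
        return True
    return queue_permits(policy.queues[queue], ADMINISTER_QUEUE, user, groups)


def can_view(policy: ClusterPolicy, owner: str, queue: str,
             user: str, groups: Set[str]) -> bool:
    """View decision: anyone who may kill may also view, plus the proposed
    read-only VIEW_APP grant, which never implies kill."""
    if can_kill(policy, owner, queue, user, groups):
        return True
    return queue_permits(policy.queues[queue], VIEW_APP, user, groups)


def build_sample_policy(acl_enable: bool) -> ClusterPolicy:
    """Constructed cluster: admin user 'yarn'; queues root, root.etl, root.adhoc."""
    root = Queue("root", None, {ADMINISTER_QUEUE: "yarn", VIEW_APP: "auditor"})
    etl = Queue("root.etl", root, {ADMINISTER_QUEUE: "etl-lead",
                                   SUBMIT_APPLICATIONS: "*",
                                   VIEW_APP: " etl-team"})  # group only
    adhoc = Queue("root.adhoc", root, {SUBMIT_APPLICATIONS: "*"})
    return ClusterPolicy(acl_enable, "yarn", {q.name: q for q in (root, etl, adhoc)})


if __name__ == "__main__":
    open_cluster = build_sample_policy(acl_enable=False)
    locked = build_sample_policy(acl_enable=True)
    print("ACLs off, bob kills alice's app:", can_kill(open_cluster, "alice", "root.etl", "bob", set()))
    print("ACLs on, bob kills alice's app:", can_kill(locked, "alice", "root.etl", "bob", set()))
    print("ACLs on, etl-team member views it:", can_view(locked, "alice", "root.etl", "carol", {"etl-team"}))
    print("ACLs on, auditor views adhoc app via root VIEW_APP:",
          can_view(locked, "alice", "root.adhoc", "auditor", set()))
    print("ACLs on, auditor kills adhoc app:", can_kill(locked, "alice", "root.adhoc", "auditor", set()))
```

Two things the toy leaves out that a real deployment must account for: the ResourceManager also honours per-application view/modify ACLs that a client sets in its submission context, so an owner can widen access to one job without any queue change; and `yarn.admin.acl` defaults to `*`, so narrowing it is what actually makes `yarn.acl.enable=true` bite.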



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


