hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Vrushali C (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (YARN-6820) Restrict read access to timelineservice v2 data
Date Tue, 08 Aug 2017 23:06:01 GMT

     [ https://issues.apache.org/jira/browse/YARN-6820?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Vrushali C updated YARN-6820:
-----------------------------
    Attachment: YARN-6820-YARN-5355.003.patch

Attaching patch 003 that addresses the review suggestions.

- new unit tests for read if the master enable is off
- new unit tests for disallowing reads when enable is on but admin acls and user acls are
empty.
- renamed isEnabled to isWhitelistReadAuthEnabled
- ensured DEFAULT_TIMELINE_SERVICE_READ_ALLOWED_USERS is used
- if YARN_ADMIN_ACL is empty, then code uses default of DEFAULT_TIMELINE_SERVICE_READ_ALLOWED_USER
 instead of DEFAULT_YARN_ADMIN_ACL . The reason being, DEFAULT_YARN_ADMIN_ACL is set to all
users and we do not wish to allow everyone by default if  read auth is enabled and YARN_ADMIN_ACL
is unset
- removed null checks in doFilter()
- moved the chain calls to the end 
- Updated the error messages.
- Setting the Response.status similar to similar cases of Forbidden response status being
set in RMWebApp.
- ForbiddenException is being thrown since we do not want the filter chain to proceed .





> Restrict read access to timelineservice v2 data 
> ------------------------------------------------
>
>                 Key: YARN-6820
>                 URL: https://issues.apache.org/jira/browse/YARN-6820
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: timelineserver
>            Reporter: Vrushali C
>            Assignee: Vrushali C
>              Labels: yarn-5355-merge-blocker
>         Attachments: YARN-6820-YARN-5355.0001.patch, YARN-6820-YARN-5355.002.patch, YARN-6820-YARN-5355.003.patch
>
>
> Need to provide a way to restrict read access in ATSv2. Not all users should be able
to read all entities. On the flip side, some folks may not need any read restrictions, so
we need to provide a way to disable this access restriction as well. 
> Initially this access restriction could be done in a simple way via a whitelist of users
allowed to read data. That set of users can read all data, no other user can read any data.
Can be turned off for all users to read all data.
> Could be stored in a "domain" table in hbase perhaps. Or a configuration setting for
the cluster. Or something else that's simple enough. ATSv1 has a concept of domain for isolating
users for reading. Would be good to keep that in consideration. 
> In ATSv1, domain offers a namespace for Timeline server allowing users to host multiple
entities, isolating them from other users and applications. A “Domain” in ATSV1 primarily
stores owner info, read and& write ACL information, created and modified time stamp information.
Each Domain is identified by an ID which must be unique across all users in the YARN cluster.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org


Mime
View raw message