hadoop-yarn-issues mailing list archives

From "Vrushali C (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (YARN-6820) Restrict read access to timelineservice v2 data
Date Fri, 04 Aug 2017 07:08:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-6820?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16114028#comment-16114028 ]

Vrushali C edited comment on YARN-6820 at 8/4/17 7:07 AM:

Attaching patch 002, updated as per review recommendations.

I have added two new classes: TimelineReaderWhitelistAuthorizationFilterInitializer and TimelineReaderWhitelistAuthorizationFilter.
These are similar to other filter classes in hadoop. These names feel a bit too lengthy to
me, wondering if / how to make them shorter.

The filter class now uses AccessControlList to determine if a user should be allowed or not.
It also checks for admins and allows them to read timeline service v2 data.

I have added unit tests for checking users and groups set in the config similar to the way
yarn admin acl config params are set. I also ran other unit tests for timeline v2 reader webservices
and saw that these filters are being invoked. Thanks [~jrottinghuis] for helping me wade through
the code base this afternoon. 

I will be out for the next 3 days, so will respond to review suggestions after Monday afternoon.

(I am yet to update the documentation for this. Will do so in either this jira or the documentation
jira YARN-6047.)

was (Author: vrushalic):
Attaching patch 002, updated as per review recommendations.

> Restrict read access to timelineservice v2 data 
> ------------------------------------------------
>                 Key: YARN-6820
>                 URL: https://issues.apache.org/jira/browse/YARN-6820
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: timelineserver
>            Reporter: Vrushali C
>            Assignee: Vrushali C
>              Labels: yarn-5355-merge-blocker
>         Attachments: YARN-6820-YARN-5355.0001.patch, YARN-6820-YARN-5355.002.patch
> Need to provide a way to restrict read access in ATSv2. Not all users should be able
> to read all entities. On the flip side, some folks may not need any read restrictions, so
> we need to provide a way to disable this access restriction as well.
> Initially this access restriction could be done in a simple way via a whitelist of users
> allowed to read data. That set of users can read all data, no other user can read any data.
> Can be turned off for all users to read all data.
> Could be stored in a "domain" table in hbase perhaps. Or a configuration setting for
> the cluster. Or something else that's simple enough. ATSv1 has a concept of domain for isolating
> users for reading. Would be good to keep that in consideration.
> In ATSv1, domain offers a namespace for Timeline server allowing users to host multiple
> entities, isolating them from other users and applications. A "Domain" in ATSV1 primarily
> stores owner info, read and write ACL information, created and modified time stamp information.
> Each Domain is identified by an ID which must be unique across all users in the YARN cluster.
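
The read decision described in the comment and the issue text above (whitelist of users and groups, admins always allowed, restriction can be switched off), modelled as an added Python example; it is not code from the attached patches or from Hadoop. The "users groups" ACL string syntax, the names `Acl` and `may_read`, the fail-closed handling of a missing identity and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Acl:
    """Model of an ACL string 'user1,user2 group1,group2' (assumed syntax)."""
    allow_all: bool
    users: frozenset
    groups: frozenset

    @classmethod
    def parse(cls, spec):
        spec = spec or ""
        if spec.strip() == "*":          # lone wildcard: everyone is allowed
            return cls(True, frozenset(), frozenset())
        # Split on the FIRST space only, without stripping first, so that
        # " analysts" (leading space) means "no users, group analysts".
        users, _, groups = spec.partition(" ")
        names = lambda s: frozenset(n.strip() for n in s.split(",") if n.strip())
        return cls(False, names(users), names(groups))

    def allows(self, user, user_groups=()):
        return (self.allow_all or user in self.users
                or bool(self.groups & set(user_groups)))


def may_read(user, user_groups, *, restricted, read_acl, admin_acl):
    """Decide whether a reader request is served (hypothetical helper)."""
    if not restricted:                   # restriction switched off: open read
        return True
    if not user:                         # assumption: no identity fails closed
        return False
    return (admin_acl.allows(user, user_groups)
            or read_acl.allows(user, user_groups))


# Constructed sample configuration, not values from the patch.
READ_ACL = Acl.parse("alice,bob analysts")
ADMIN_ACL = Acl.parse("yarn")

if __name__ == "__main__":
    for who, groups in [("alice", []), ("carol", ["analysts"]),
                        ("yarn", []), ("mallory", ["users"]), ("", [])]:
        ok = may_read(who, groups, restricted=True,
                      read_acl=READ_ACL, admin_acl=ADMIN_ACL)
        print(f"{who or '<anonymous>':12} -> {'allow' if ok else 'deny'}")
```

An empty whitelist in this model denies every non-admin reader once the restriction is on, so the switch and the list have to be set together.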
