hadoop-yarn-issues mailing list archives

From "Vrushali C (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-3895) Support ACLs in ATSv2
Date Fri, 12 Jan 2018 00:59:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-3895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16323324#comment-16323324

Vrushali C commented on YARN-3895:

We had a discussion today and wanted to summarize some points (most might be repeated from
conversations above):

- we will use Application ACLs for getting the user & group information while writing
the entities.
- this will be stored in hbase within each cell as part of its cell tags
- each time a query for reading this data comes in, we will use the user ACLs at the hbase
region server in a coprocessor to determine if the user is allowed to read this data or not.

- admin users are always allowed to read all data
- this would imply coprocessors on each table

[~jlowe] what do you think about this approach for read side authorization? 

This does not make use of any domain concept (as in v1.5). This is along the lines of security
in yarn via ACLs. 

This should also work in the case of AM running as one user but executing DAGs as other users.
The callerUGI during the write entity in such situations will have both users (AM user and
doAs user) and we will store both. So, at read time, query by AM user as well as the doAs
user will be allowed for this data. Also any other user who is part of that group should be
able to read it. 

At the backend side, there is the thing about storing this info per cell in hbase. It is a
lot of repeated information.  IIUC, hbase security and visibility labels work with the same
logic but in that case, hbase admin commands are used to grant permissions to specific hbase
users/labels.  I will think over if we can optimize how many times this is stored per Column

> Support ACLs in ATSv2
> ---------------------
>                 Key: YARN-3895
>                 URL: https://issues.apache.org/jira/browse/YARN-3895
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: timelineserver
>    Affects Versions: YARN-2928
>            Reporter: Varun Saxena
>            Assignee: Varun Saxena
>              Labels: YARN-5355
> This JIRA is to keep track of authorization support design discussions for both readers
> and collectors.
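
A small model of the read-side check summarized in the comment above, added here as an illustration; it is not code from the message or from the Hadoop/HBase projects. The JSON tag layout, the function and type names, the sample users and row keys, and the deny-on-missing-tag behaviour are all assumptions.

```python
import json
from collections import namedtuple

# All names and the JSON tag layout below are assumptions for illustration.
Caller = namedtuple("Caller", "user groups real_user")  # real_user: AM user under doAs
Cell = namedtuple("Cell", "row qualifier value acl_tag")

def encode_acl_tag(users, groups):
    """Serialize the readers allowed for one cell (constructed format)."""
    return json.dumps({"u": sorted(users), "g": sorted(groups)}).encode()

def write_entity(caller, acl_groups, row, columns):
    """Writer side: tag every cell with both callerUGI users and the ACL groups."""
    users = {caller.user}
    if caller.real_user:
        users.add(caller.real_user)
    tag = encode_acl_tag(users, acl_groups)
    return [Cell(row, q, v, tag) for q, v in columns.items()]

def can_read(cell, reader, admins):
    """Read side: the per-cell decision a coprocessor on each table would make."""
    if reader.user in admins:
        return True  # admin users are always allowed to read all data
    try:
        acl = json.loads(cell.acl_tag)
        users, groups = set(acl["u"]), set(acl["g"])
    except (TypeError, ValueError, KeyError):
        return False  # assumption: a missing or malformed tag fails closed
    return reader.user in users or bool(groups & set(reader.groups))

def scan(cells, reader, admins):
    """Return only the cells the reader is authorized to see."""
    return [c for c in cells if can_read(c, reader, admins)]

def tag_overhead(cells):
    """Bytes spent on ACL tags: the per-cell repetition the comment worries about."""
    return sum(len(c.acl_tag) for c in cells if c.acl_tag)

# Constructed sample: an AM running as "tez" executes a DAG as "alice".
ADMINS = {"yarn"}
AM = Caller("alice", {"analytics"}, "tez")
CELLS = write_entity(AM, {"analytics"}, "app_1!dag_7",
                     {"i!state": b"RUNNING", "m!cpu": b"42"})
CELLS.append(Cell("app_2!dag_1", "i!state", b"DONE", None))  # cell with no tag
```

The same tag bytes are stored once per cell, so `tag_overhead` grows linearly with the number of columns written for an entity.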
