hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bibin A Chundatt (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (YARN-8028) Support authorizeUserAccessToQueue in RMWebServices
Date Fri, 16 Mar 2018 09:32:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-8028?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16401663#comment-16401663
] 

Bibin A Chundatt edited comment on YARN-8028 at 3/16/18 9:31 AM:
-----------------------------------------------------------------

[~leftnoteasy]
{code:java}
2544	      return Response.status(Status.BAD_REQUEST).entity(
2545	          "Specified queueAclType=" + queueAclType
2546	              + " is not a valid type, valid queue acl types={"
2547	              + "SUBMIT_APPLICATIONS/ADMINISTER_QUEUE}").build();
{code}
 # Can we use {{BadRequestException}}
{code:java}
	2568	      return Response.status(Status.FORBIDDEN).entity(
2569	          "User=" + username + " doesn't have access to queue=" + queue
2570	              + " with acl-type=" + queueAclType).build();
{code}

 # {{ForbiddenException}} can be used
{code:java}
2535	      LOG.debug("Check user=" + username + " has access to queue=" + queue
2536	          + " ACL_TYPE=" + queueAclType);
{code}

 # I think we shouldnt directly log the params inputs this could cause *log forging*
 # Thoughts on allowing all queue rights similar to {{getQueueUserAcls}} this would allow
in different services to cache acl. In addition we should have notification framework when
queue is refreshed.
 # One improvement could beĀ  instead of querying scheduler we could use {{YarnAuthorizationProvider}}
so that we don't lock scheduler YARN-6727. thoughts??


was (Author: bibinchundatt):
[~leftnoteasy]

{code}
2544	      return Response.status(Status.BAD_REQUEST).entity(
2545	          "Specified queueAclType=" + queueAclType
2546	              + " is not a valid type, valid queue acl types={"
2547	              + "SUBMIT_APPLICATIONS/ADMINISTER_QUEUE}").build();
{code}
# Can we use {{BadRequestException}}
{code}
	2568	      return Response.status(Status.FORBIDDEN).entity(
2569	          "User=" + username + " doesn't have access to queue=" + queue
2570	              + " with acl-type=" + queueAclType).build();
{code}
# {{ForbiddenException}} can be used
{code}
2535	      LOG.debug("Check user=" + username + " has access to queue=" + queue
2536	          + " ACL_TYPE=" + queueAclType);
{code}
# I think we shouldnt directly log the params inputs this could cause *log forging*
# Thoughts on allowing all queue rights similar to {{getQueueUserAcls}} this would allow in
different services to cache acl. In addition we should have notification framework when queue
is refreshed.
# One improvement could be instead be instead of querying scheduler we could use {{YarnAuthorizationProvider}}
so that we don't lock scheduler YARN-6727. thoughts??

> Support authorizeUserAccessToQueue in RMWebServices
> ---------------------------------------------------
>
>                 Key: YARN-8028
>                 URL: https://issues.apache.org/jira/browse/YARN-8028
>             Project: Hadoop YARN
>          Issue Type: Improvement
>            Reporter: Wangda Tan
>            Assignee: Wangda Tan
>            Priority: Major
>         Attachments: YARN-8028.001.patch
>
>
> Currently we have {{QueueUserACLInfo}} in ApplicationClient, we should support similar
API in REST API.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org


Mime
View raw message