Thanks Yang for review.
1. FLIP-312 relies on Hadoop version 2.6.0 or later. 2. I have updated the FLIP and made it more descriptive. 3. ACLs apply to logs as well as permissions to kill the application. Also, in the PR we are setting ACLs for Task Manager (createTaskExecutorContext) as well as Job Manager (startAppMaster). Thanks, Archit Goyal From: Yang Wang <wangyang0...@apache.org> Date: Sunday, May 21, 2023 at 9:08 PM To: dev@flink.apache.org <dev@flink.apache.org> Subject: Re: [DISCUSS] FLIP-312: Add Yarn ACLs to Flink Containers Thanks for creating this FLIP. This sounds like a useful feature to make the Flink applications running on YARN cluster more securely. However, I think we still miss some important parts in the FLIP. 1. Which hadoop versions this FLIP relies on? 2. We need to describe a bit more about how the YARN ACLs works. 3. Does the ACLs only apply to the logs? How about the Flink JobManager UI? Best, Yang Venkatakrishnan Sowrirajan <vsowr...@asu.edu> 于2023年5月13日周六 08:12写道: > Thanks for the FLIP, Archit. > > +1 from me as well. This would be very useful for us and others in the > community given the same issue was raised earlier as well. > > Regards > Venkata krishnan > > > On Fri, May 12, 2023 at 4:03 PM Becket Qin <becket....@gmail.com> wrote: > > > Thanks for the FLIP, Archit. > > > > The motivation sounds reasonable and it looks like a straightforward > > proposal. +1 from me. > > > > Thanks, > > > > Jiangjie (Becket) Qin > > > > On Fri, May 12, 2023 at 1:30 AM Archit Goyal > <argo...@linkedin.com.invalid > > > > > wrote: > > > > > Hi all, > > > > > > I am opening this thread to discuss the proposal to support Yarn ACLs > to > > > Flink containers which has been documented in FLIP-312 < > > > > > > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__https%3A%2F%2Fcwiki.apache.org%2Fconfluence%2Fdisplay%2FFLINK%2FFLIP*312*3A*Add*Yarn*ACLs*to*Flink*Containers__%3BKyUrKysrKys!!IKRxdwAv5BmarQ!bQiA3GX9bFf-w6A9M4Aez7RSMYLdvFtjZnlrOSf6N2nQUFuDdnoJ20uujW8RPY1VbLS9P4AfpnqPmkZZOuQ%24&data=05%7C01%7Cargoyal%40linkedin.com%7C0337240314fb45444f5e08db5a7a277f%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C638203252947441598%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=HS6QhFdRGtX7Yp7qCzEB7kOeDyqB0ePhd%2BUy7BAPsY8%3D&reserved=0<https://urldefense.com/v3/__https://cwiki.apache.org/confluence/display/FLINK/FLIP*312*3A*Add*Yarn*ACLs*to*Flink*Containers__;KyUrKysrKys!!IKRxdwAv5BmarQ!bQiA3GX9bFf-w6A9M4Aez7RSMYLdvFtjZnlrOSf6N2nQUFuDdnoJ20uujW8RPY1VbLS9P4AfpnqPmkZZOuQ$> > > > >. > > > > > > This FLIP mentions about providing Yarn application ACL mechanism on > > Flink > > > containers to be able to provide specific rights to users other than > the > > > one running the Flink application job. This will restrict other users > in > > > two ways: > > > > > > * view logs through the Resource Manager job history > > > * kill the application > > > > > > Please feel free to reply to this email thread and share your opinions. > > > > > > Thanks, > > > Archit Goyal > > > > > > > > >
