Hitesh Shah created TEZ-3328:
--------------------------------

             Summary: [Umbrella] UI does not work well when there are separate 
DAG and session-level ACLs
                 Key: TEZ-3328
                 URL: https://issues.apache.org/jira/browse/TEZ-3328
             Project: Apache Tez
          Issue Type: Bug
            Reporter: Hitesh Shah
            Assignee: Hitesh Shah
            Priority: Critical


Currently, when authz systems such as Ranger/Sentry are in place, all Hive 
queries run in a Tez session owned by user hive. Queries run by end users, say 
user a, b, c, etc., have perimeter checks, but the YARN containers run as user hive. 

In terms of ACLs, what this means is that the session-level ACLs are restricted 
to user hive and admins. And then each query ends up with a DAG-specific ACL 
for user a or b or c. 

In Tez impls, this translates to: 
  - entities such as TEZ_APP, TEZ_APP_ATTEMPT, CONTAINER use a session-specific 
domain/ACL
  - entities for the DAG - TEZ_DAG/VERTEX/TASK, TA - end up with a DAG-specific 
ACL. 

If user "a" clicks through the app link from the RM and lands on the app 
details page, the user will not find any DAGs, as the user has no permissions to 
view the Tez app entity, rendering the UI functionality broken.

\cc [~sseth] [~rajesh.balamohan] [~Sreenath] [~jeagles] [~thejas]




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
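
Added example (not part of the original JIRA message, and not Tez or YARN code): a small model of the split between the session-level and DAG-specific ACLs described above, with a check that lists DAGs a user may read but cannot reach through the app details page. All domain names, entity ids and reader sets are constructed assumptions, including the choice to list admins in the DAG domains.

```python
# Constructed model of the ACL layout described in TEZ-3328. Domain names,
# entity ids and reader sets are illustrative assumptions, not Tez or YARN
# Timeline Server API calls.

# domain id -> users allowed to read entities in that domain
DOMAINS = {
    "session_hive": {"hive", "admin"},   # session-level ACL
    "dag_1": {"a", "admin"},             # DAG-specific ACL for user a's query
    "dag_2": {"b", "admin"},             # DAG-specific ACL for user b's query
}

# entity id -> (entity type, domain id, parent entity id or None)
ENTITIES = {
    "app_1":     ("TEZ_APP", "session_hive", None),
    "attempt_1": ("TEZ_APP_ATTEMPT", "session_hive", "app_1"),
    "dag_1":     ("TEZ_DAG", "dag_1", "app_1"),
    "dag_2":     ("TEZ_DAG", "dag_2", "app_1"),
}


def can_read(user, entity_id):
    """A user may read an entity only if listed in the entity's domain."""
    _type, domain, _parent = ENTITIES[entity_id]
    return user in DOMAINS[domain]


def app_details_page(user, app_id):
    """Mimic the UI path from the RM link: load the app entity, then its DAGs."""
    if not can_read(user, app_id):
        return []  # app entity denied, so no DAGs are ever listed
    return sorted(e for e, (t, _d, parent) in ENTITIES.items()
                  if t == "TEZ_DAG" and parent == app_id and can_read(user, e))


def unreachable_dags():
    """Find (user, dag, app) where the DAG is readable but its parent app is not."""
    users = set().union(*DOMAINS.values())
    return sorted((u, e, parent) for u in users
                  for e, (t, _d, parent) in ENTITIES.items()
                  if t == "TEZ_DAG" and can_read(u, e) and not can_read(u, parent))
```

Running `unreachable_dags()` over a real export of entity-to-domain mappings would flag every user whose own DAGs are hidden behind an app entity they cannot read.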
