architgyl opened a new pull request, #22509: URL: https://github.com/apache/flink/pull/22509
## What is the purpose of the change

[FLINK-12869](https://issues.apache.org/jira/browse/FLINK-12869)

This PR provides a Yarn application ACL mechanism on Flink containers, to be able to provide specific rights to users other than the one running the Flink application job. This will restrict other users in two ways:

- view logs through the Resource Manager job history
- kill the application

## Brief change log

Two parameters have been added:

- `yarn.view.acls`
- `yarn.modify.acls`

Add these parameters in `flink-conf.yaml`.

## Verifying this change

Verified the changes manually by adding the parameters in the `flink-conf.yaml` file and running a WordCount job on a Yarn cluster.

- Tested `yarn.view.acls` when the application is in Running state:
  - User submitting the job can view the logs.
  - Another user in the `yarn.view.acls` can view the logs.
  - Another user not in the list of `yarn.view.acls` cannot view the logs.

  **Note**: Logs can be viewed from the ResourceManager (`<resourcemanager_url>/cluster/app/<app_id>`)
- Tested `yarn.modify.acls` when the application is in Running state:
  - User submitting the job can kill the application job.
  - Another user in the `yarn.modify.acls` can kill the application job.
  - Another user not in the list of `yarn.modify.acls` cannot kill the application job.

## Does this pull request potentially affect one of the following parts:

- Dependencies (does it add or upgrade a dependency): no
- The public API, i.e., is any changed class annotated with @Public(Evolving): no
- The serializers: no
- The runtime per-record code paths (performance sensitive): no
- Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Yarn/Mesos,
- ZooKeeper: Affects ACLs on YARN (currently not managed so no rights can be added)
- The S3 file system connector: no

## Documentation

- Does this pull request introduce a new feature? yes
- If yes, how is the feature documented? docs
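The access matrix from the verification section, modelled as an added example (not code from the PR, Flink or Hadoop). It assumes the two options take Hadoop-style ACL strings (`users groups`, each comma-separated, with `*` alone meaning everyone), a format this page does not show, and that an unset option grants nothing beyond the owner; the user and group names are constructed.

```python
"""Model of a YARN-style application ACL check (illustrative, not Flink/Hadoop code)."""
from dataclasses import dataclass

ACL_KEYS = ("yarn.view.acls", "yarn.modify.acls")  # option names from the PR


def _names(part: str) -> frozenset:
    """Split a comma-separated list, dropping empty entries."""
    return frozenset(n.strip() for n in part.split(",") if n.strip())


@dataclass(frozen=True)
class Acl:
    users: frozenset = frozenset()
    groups: frozenset = frozenset()
    wildcard: bool = False

    @classmethod
    def parse(cls, value: str) -> "Acl":
        # Assumed format: "user1,user2 group1,group2"; "*" alone means everyone.
        if value.strip() == "*":
            return cls(wildcard=True)
        user_part, _, group_part = value.partition(" ")
        return cls(users=_names(user_part), groups=_names(group_part))

    def allows(self, user: str, user_groups=()) -> bool:
        return self.wildcard or user in self.users or bool(self.groups & set(user_groups))


def check_access(conf: dict, key: str, owner: str, user: str, user_groups=()) -> bool:
    """The submitting user is always allowed; anyone else needs a match in conf[key]."""
    if user == owner:
        return True
    # Assumption: a missing key behaves like an empty ACL (" "), i.e. owner only.
    return Acl.parse(conf.get(key, " ")).allows(user, user_groups)


def audit(conf: dict) -> list:
    """Return the ACL options that open the application to every user."""
    return [k for k in ACL_KEYS if Acl.parse(conf.get(k, " ")).wildcard]


# Constructed sample values; user and group names are hypothetical.
CONF = {"yarn.view.acls": "alice,bob ops", "yarn.modify.acls": "alice"}

if __name__ == "__main__":
    for who, groups in [("submitter", []), ("bob", []), ("carol", ["ops"]), ("dave", [])]:
        view = check_access(CONF, "yarn.view.acls", "submitter", who, groups)
        kill = check_access(CONF, "yarn.modify.acls", "submitter", who, groups)
        print(f"{who:10} view={view} modify={kill}")
    print("wildcard ACLs:", audit({**CONF, "yarn.modify.acls": "*"}))
```

Running `audit` over a deployed `flink-conf.yaml` (loaded into a dict) is a quick review check for a wildcard left in either option.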