[ 
https://issues.apache.org/jira/browse/YARN-6842?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16105120#comment-16105120
 ] 

YunFan Zhou commented on YARN-6842:
-----------------------------------

Thanks, Naganarasimha G R.
In fact, the original intention of the development of this feature was to solve 
the user authentication of the RM Web UI. 
The RM Web UI has no user authentication by default. Therefore, all users who 
log in to the RM Web UI are, by default, the user Dr. Who (this is a YARN 
configuration decision). 

Before, when we had not enabled YARN user authentication (i.e. yarn.acl.enable 
set to false; yarn.admin.acl is set to * by default), we found that other users 
could also kill other users' applications through the RM Web UI, which can cause 
many users' applications to fail. 

Therefore, we set *yarn.acl.enable* to true, and set *yarn.admin.acl* 
to the administrator account. 
However, there is a problem with this, which is that *dr. who* (the common 
account) is not authorized to view the applications of any queue unless the 
queue's *aclAdministerApps* (for the FairScheduler scenario) is set to the user 
or *.

So, the easiest way to solve this problem is to provide a VIEW_APP permission 
for queues.
And we only authorize user read permissions. 
This allows the user to view the applications of the queue properly, without 
administrator privileges causing unnecessary misoperations that kill other 
users' applications. 

So, I think this feature is very useful to me, and I think other users will 
have the same scenario. 

> Implement a new access type for queue
> -------------------------------------
>
>                 Key: YARN-6842
>                 URL: https://issues.apache.org/jira/browse/YARN-6842
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: scheduler
>    Affects Versions: 2.8.2
>            Reporter: YunFan Zhou
>            Assignee: YunFan Zhou
>         Attachments: YARN-6842.001.patch, YARN-6842.002.patch, 
> YARN-6842.003.patch
>
>
> When we want to access applications of a queue, the only thing we can do at 
> present is become the administrator of the queue.
> But sometimes we only want to authorize someone to view applications of a 
> queue, not to perform modify operations.
> In our current mechanism there isn't any way to meet it, so I will implement 
> a new access type for queues to solve
> this problem.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
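
The access gap described in the comment above, as an added example that is not part of the original message or of Hadoop's code. It is a simplified model: the class and function names, the sample users and the `view_apps` set (standing in for the proposed view-only queue access type) are assumptions.

```python
# Added illustration, not Hadoop code: a simplified model of the access
# decision described in the comment. Per-application ACLs are left out.
from dataclasses import dataclass, field

ANY = "*"

def in_acl(user, acl):
    return ANY in acl or user in acl

@dataclass
class Queue:
    administer_apps: set = field(default_factory=set)  # aclAdministerApps
    view_apps: set = field(default_factory=set)  # hypothetical view-only ACL

@dataclass
class Cluster:
    acl_enable: bool = False  # yarn.acl.enable
    admin_acl: set = field(default_factory=lambda: {ANY})  # yarn.admin.acl

    def _can_administer(self, user, owner, queue):
        if not self.acl_enable:
            return True  # ACL checks off: every caller passes
        return (user == owner or in_acl(user, self.admin_acl)
                or in_acl(user, queue.administer_apps))

    def can_kill(self, user, owner, queue):
        return self._can_administer(user, owner, queue)

    def can_view(self, user, owner, queue):
        # Viewing is granted by administer rights or by the view-only ACL.
        return (self._can_administer(user, owner, queue)
                or in_acl(user, queue.view_apps))

def scenarios(user="dr.who", owner="alice"):
    """Return {case: (can_view, can_kill)} for the web UI user (constructed names)."""
    open_cluster = Cluster()  # defaults: ACLs disabled, admin ACL is *
    locked = Cluster(acl_enable=True, admin_acl={"yarnadmin"})
    cases = {
        "acls_disabled": (open_cluster, Queue()),
        "acls_enabled": (locked, Queue()),
        "queue_admin": (locked, Queue(administer_apps={user})),
        "view_only": (locked, Queue(view_apps={user})),
    }
    return {name: (c.can_view(user, owner, q), c.can_kill(user, owner, q))
            for name, (c, q) in cases.items()}

if __name__ == "__main__":
    for name, (view, kill) in scenarios().items():
        print(f"{name:14} view={view} kill={kill}")
```

Only the last case gives the web UI user read access without the ability to kill another user's application.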
