[ https://issues.apache.org/jira/browse/YARN-3895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16321429#comment-16321429 ]
Vrushali C commented on YARN-3895: ---------------------------------- Hello [~rohithsharma] [~varun_saxena] [~haibo.chen] I was thinking a little bit about ACLs and read side authorization. I have some thoughts and wanted to share them. Everything is not fully hashed out perfectly but I think this might work. When the data is written, at that time, we can use hbase cell tags to store the allowed users as well as groups. Just like we are storing things right now for flow run, we will do the same for entities and applications & subapps. While querying, we can pass in the querying user/group info via “Attributes” in the Get/Scan. This can be accessed in the coprocessor via “getAttributes” of the Get/Scan. Then the coprocessor checks if current user who is querying is equal to allowed user or if the current group is part of allowed groups list in the cell tags. We can default to read allowed for all if no tags are present. Also, we could indicate that the user who is querying is a yarn_admin user, so allow all reads. This should work for all our regular tables like entity, application as well as sub-application. For sub app table, we store AM user as well as do-As user (and their groups) in the cell tags. So at query time, we can see if the querying user is one of AM user or doAs user. That way we protect the data from other users even if they run with the same AM user. For the flow run table, we can perhaps do a union or something across all entries. I am still thinking over it. Here is an old thread in the hbase-users mailing list in which James Taylor from Phoenix has also mentioned that Phoenix is (or at least was) doing the same thing https://mail-archives.apache.org/mod_mbox/hbase-user/201302.mbox/browser We can later check with the HBase folks if this much extra data in the cell tags could be a concern but my gut feeling is that it’s not. Cell tags are used by hbase security as well as Phoenix for passing around information and making decisions at server side. > Support ACLs in ATSv2 > --------------------- > > Key: YARN-3895 > URL: https://issues.apache.org/jira/browse/YARN-3895 > Project: Hadoop YARN > Issue Type: Sub-task > Components: timelineserver > Affects Versions: YARN-2928 > Reporter: Varun Saxena > Assignee: Varun Saxena > Labels: YARN-5355 > > This JIRA is to keep track of authorization support design discussions for > both readers and collectors. -- This message was sent by Atlassian JIRA (v6.4.14#64029) --------------------------------------------------------------------- To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org