[
https://issues.apache.org/jira/browse/YARN-3895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16321429#comment-16321429
]
Vrushali C commented on YARN-3895:
----------------------------------
Hello [~rohithsharma] [~varun_saxena] [~haibo.chen]
I was thinking a little bit about ACLs and read side authorization. I have some
thoughts and wanted to share them. Everything is not fully hashed out perfectly
but I think this might work.
When the data is written, at that time, we can use hbase cell tags to store the
allowed users as well as groups. Just like we are storing things right now for
flow run, we will do the same for entities and applications & subapps.
While querying, we can pass in the querying user/group info via “Attributes” in
the Get/Scan. This can be accessed in the coprocessor via “getAttributes” of
the Get/Scan. Then the coprocessor checks if current user who is querying is
equal to allowed user or if the current group is part of allowed groups list in
the cell tags.
We can default to read allowed for all if no tags are present. Also, we could
indicate that the user who is querying is a yarn_admin user, so allow all
reads.
This should work for all our regular tables like entity, application as well as
sub-application.
For sub app table, we store AM user as well as do-As user (and their groups) in
the cell tags. So at query time, we can see if the querying user is one of AM
user or doAs user. That way we protect the data from other users even if they
run with the same AM user.
For the flow run table, we can perhaps do a union or something across all
entries. I am still thinking over it.
Here is an old thread in the hbase-users mailing list in which James Taylor
from Phoenix has also mentioned that Phoenix is (or at least was) doing the
same thing
https://mail-archives.apache.org/mod_mbox/hbase-user/201302.mbox/browser
We can later check with the HBase folks if this much extra data in the cell
tags could be a concern but my gut feeling is that it’s not. Cell tags are used
by hbase security as well as Phoenix for passing around information and making
decisions at server side.
> Support ACLs in ATSv2
> ---------------------
>
> Key: YARN-3895
> URL: https://issues.apache.org/jira/browse/YARN-3895
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: timelineserver
> Affects Versions: YARN-2928
> Reporter: Varun Saxena
> Assignee: Varun Saxena
> Labels: YARN-5355
>
> This JIRA is to keep track of authorization support design discussions for
> both readers and collectors.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
