[jira] [Commented] (YARN-3895) Support ACLs in ATSv2

Thu, 11 Jan 2018 16:59:23 -0800 

    [ 
https://issues.apache.org/jira/browse/YARN-3895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16323324#comment-16323324
 ] 

Vrushali C commented on YARN-3895:
----------------------------------

We had a discussion today and wanted to summarize some points (most might be 
repeated from conversations above):

- we will use Application ACLs for getting the user & group information while 
writing the entities.
- this will be stored in hbase within each cell as part of it's cell tags
- each time a query for reading this data comes in, we will use the user ACLs 
at the hbase region server in a coprocessor to determine if the user is allowed 
to read this data or not. 
- admin users are always allowed to read all data
- this would imply coprocessors on each table

[~jlowe] what do you think about this approach for read side authorization? 

This does not make use of any domain concept (as in v1.5). This is along the 
lines of security in yarn via ACLs. 

This should also work in the case of AM running as one user but executing DAGs 
as other users. The callerUGI during the write entity in such situations will 
have both users (AM user and doAs user) and we will store both. So, at ready 
time, query by AM user as well as the doAs user will be allowed for this data. 
Also any other user who is part of that group should be able read it. 

At the backend side, there is the thing about storing this info per cell in 
hbase. It is a lot of repeated information.  IIUC, hbase security and 
visibility labels work with the same logic but in that case, hbase admin 
commands are used to grant permissions to specific hbase users/labels.  I will 
think over if we can optimize how many times this is stored per Column Family. 


> Support ACLs in ATSv2
> ---------------------
>
>                 Key: YARN-3895
>                 URL: https://issues.apache.org/jira/browse/YARN-3895
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: timelineserver
>    Affects Versions: YARN-2928
>            Reporter: Varun Saxena
>            Assignee: Varun Saxena
>              Labels: YARN-5355
>
> This JIRA is to keep track of authorization support design discussions for 
> both readers and collectors. 



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org

Reply via email to