[ https://issues.apache.org/jira/browse/YARN-3895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16323324#comment-16323324 ]
Vrushali C commented on YARN-3895:
----------------------------------

We had a discussion today and wanted to summarize some points (most might be repeated from conversations above):

- we will use Application ACLs for getting the user & group information while writing the entities.
- this will be stored in hbase within each cell as part of its cell tags
- each time a query for reading this data comes in, we will use the user ACLs at the hbase region server in a coprocessor to determine if the user is allowed to read this data or not.
- admin users are always allowed to read all data
- this would imply coprocessors on each table

[~jlowe] what do you think about this approach for read side authorization?

This does not make use of any domain concept (as in v1.5). This is along the lines of security in yarn via ACLs.

This should also work in the case of AM running as one user but executing DAGs as other users. The callerUGI during the write entity in such situations will have both users (AM user and doAs user) and we will store both. So, at read time, query by AM user as well as the doAs user will be allowed for this data. Also any other user who is part of that group should be able to read it.

At the backend side, there is the thing about storing this info per cell in hbase. It is a lot of repeated information. IIUC, hbase security and visibility labels work with the same logic but in that case, hbase admin commands are used to grant permissions to specific hbase users/labels. I will think over if we can optimize how many times this is stored per Column Family.

> Support ACLs in ATSv2
> ---------------------
>
>                 Key: YARN-3895
>                 URL: https://issues.apache.org/jira/browse/YARN-3895
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: timelineserver
>    Affects Versions: YARN-2928
>            Reporter: Varun Saxena
>            Assignee: Varun Saxena
>              Labels: YARN-5355
>
> This JIRA is to keep track of authorization support design discussions for
> both readers and collectors.
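The read-side decision the comment above proposes (ACL users and groups attached to each cell at write time, checked against the caller at the region server, admins always allowed, both the AM user and the doAs user stored) can be written down as a small in-memory model. This is an added illustration, not code from YARN or HBase: the `CellTags`, `Caller`, `write_tags`, `may_read` and `filter_scan` names, the `ADMINS` set and the sample cells are all constructed here, and real HBase tags are byte arrays rather than Python sets.

```python
"""Model of ATSv2 read authorization from per-cell ACL tags (constructed example)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Assumption: the set of timeline admin users; in YARN this would come from configuration.
ADMINS = frozenset({"yarn"})


@dataclass(frozen=True)
class CellTags:
    """ACL information the collector would attach to a cell as HBase cell tags."""
    users: frozenset   # AM user, plus the doAs user when the DAG ran as someone else
    groups: frozenset  # groups taken from the application ACLs


@dataclass(frozen=True)
class Caller:
    """The reader, as resolved from the request's UGI at the region server."""
    name: str
    groups: frozenset


def write_tags(am_user: str, am_groups: Iterable[str],
               doas_user: Optional[str] = None,
               doas_groups: Iterable[str] = ()) -> CellTags:
    """Build the tags stored with a cell at write time.

    When the AM executes a DAG as another user, the caller UGI carries both
    identities, so both are recorded (the comment's doAs case).
    """
    users = {am_user}
    if doas_user is not None:
        users.add(doas_user)
    groups = set(am_groups) | set(doas_groups)
    return CellTags(frozenset(users), frozenset(groups))


def may_read(caller: Caller, tags: CellTags, admins: frozenset = ADMINS) -> bool:
    """The check a region-server coprocessor would apply per cell."""
    if caller.name in admins:          # admins read everything
        return True
    if caller.name in tags.users:      # AM user or doAs user
        return True
    return bool(caller.groups & tags.groups)  # any user in one of the ACL groups


def filter_scan(caller: Caller,
                cells: Iterable[Tuple[str, str, CellTags]]) -> List[Tuple[str, str]]:
    """Drop every cell the caller may not read, returning only key/value pairs."""
    return [(key, value) for key, value, tags in cells if may_read(caller, tags)]


# Constructed sample table: one entity written by an AM running a DAG as "dagowner",
# one written by an unrelated application.
SAMPLE_CELLS = [
    ("app_1!entity1", "v1", write_tags("amuser", {"amgroup"}, "dagowner", {"daggroup"})),
    ("app_2!entity1", "v2", write_tags("other", {"othergroup"})),
]


def visible_keys(caller: Caller) -> List[str]:
    """Keys from SAMPLE_CELLS the caller is allowed to see."""
    return [key for key, _ in filter_scan(caller, SAMPLE_CELLS)]


if __name__ == "__main__":
    for who in (Caller("amuser", frozenset({"amgroup"})),
                Caller("dagowner", frozenset({"daggroup"})),
                Caller("analyst", frozenset({"daggroup"})),
                Caller("stranger", frozenset({"x"})),
                Caller("yarn", frozenset())):
        print(who.name, "->", visible_keys(who))
```

Running the model shows the five cases the comment enumerates: the AM user, the doAs user and any member of an ACL group see `app_1!entity1`, an unrelated user sees nothing, and the admin sees both cells. It also makes the storage cost concrete: the same `users`/`groups` sets are carried on every cell of an entity, which is the repetition the comment flags for a per column family optimization.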
--
This message was sent by Atlassian JIRA (v6.4.14#64029)