[jira] [Commented] (YARN-9039) App ACLs are not validated when serving logs from Logs CLI/Yarn UI2

Wed, 28 Nov 2018 07:55:16 -0800 


    [ 
https://issues.apache.org/jira/browse/YARN-9039?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16702059#comment-16702059
 ] 

Suma Shivaprasad commented on YARN-9039:
----------------------------------------

Thanks [~bibinchundatt] for your suggestions. Unfortunately the Cloud Storage 
ACLs are a bit more complicated than that.

User specific folder access control could work if only a single user needs 
access to the folder. But gets cumbersome when implementing application 
specific acls on the  logs objects stored under that folder i.e granting access 
to other users to read the logs 

- There are limits on the size of bucket/IAM policies - 
https://aws.amazon.com/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/.

- Having a bucket per user also has limitations due to the 100 buckets per 
account limits in S3.

In the long term, there are couple of options to address this
- Logs CLI talks to Log Webservice instead of talking to storage directly and 
only yarn user has access to write/read from the log aggregation storage 
bucket. Can track this effort in a separate jira to fix the issue of YARN CLI 
imposing ACLs
 - All FileSystem calls go through a FS proxy which can authorize storage ACLs 
via an Authorization framework like Apache Ranger

In the current jira, we could address the issue of ATSv2 LogWebservice not 
checking ACLs while serving logs through REST/UI and I could upload a patch for 
the same

Makes sense?






> App ACLs are not validated when serving logs from Logs CLI/Yarn UI2
> -------------------------------------------------------------------
>
>                 Key: YARN-9039
>                 URL: https://issues.apache.org/jira/browse/YARN-9039
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: log-aggregation
>            Reporter: Suma Shivaprasad
>            Assignee: Suma Shivaprasad
>            Priority: Critical
>         Attachments: YARN-9039.1.patch, YARN-9039.2.patch
>
>
> App Acls are not being validated when serving logs through YARN CLI. 
> This also applies while serving logs through YARN UIV2 through ATSV2 Log 
> Webservice



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org

Reply via email to