[ https://issues.apache.org/jira/browse/YARN-3100?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14306177#comment-14306177 ]
Chris Douglas commented on YARN-3100:
-------------------------------------

[~aw], have you read through the patch? What it implements looks like a pretty straightforward application of the common ACL libraries to queues and applications. It just routes some of the YARN checks to a configurable component. Is there functionality implemented in the common libs that's not being used?

A few quick questions:
* What is the behavior of {{refreshQueues}}? It looks like the provider class remains fixed (should it throw an exception if the class in the conf doesn't match the singleton?), but every queue's ACLs get reset from the config. The refresh isn't transactional, though... if it fails partway through, the ACLs could be partially refreshed in the provider. Is that correct? If the provider is {{Configurable}}, then it also doesn't get reconfigured, as it will return the singleton from the first call to {{getInstance()}}
* Could we avoid pluggable implementations with a {{Default\*}} class? A descriptive name is easier to change and... well, descriptive.
* {{PrivilegedEntity}} is an odd class. Would it be possible to expand on its definition in the javadoc, and (as a public class) add annotations for its intended audience (HADOOP-5073)?

> Make YARN authorization pluggable
> ---------------------------------
>
>                 Key: YARN-3100
>                 URL: https://issues.apache.org/jira/browse/YARN-3100
>             Project: Hadoop YARN
>          Issue Type: Bug
>            Reporter: Jian He
>            Assignee: Jian He
>         Attachments: YARN-3100.1.patch, YARN-3100.2.patch
>
>
> The goal is to have YARN acl model pluggable so as to integrate other
> authorization tool such as Apache Ranger, Sentry.
> Currently, we have
> - admin ACL
> - queue ACL
> - application ACL
> - time line domain ACL
> - service ACL
> The proposal is to create a YarnAuthorizationProvider interface. Current
> implementation will be the default implementation. Ranger or Sentry plug-in
> can implement this interface.
> Benefit:
> - Unify the code base. With the default implementation, we can get rid of
> each specific ACL manager such as AdminAclManager, ApplicationACLsManager,
> QueueAclsManager etc.
> - Enable Ranger, Sentry to do authorization for YARN.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
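
The partial-refresh question in the comment above, as an added example that is not part of the YARN-3100 patch or of Hadoop: a queue-ACL store that builds the complete replacement map first and publishes it with one reference swap, so a failure partway through a refresh leaves the previous ACLs in force. `QueueAclStore`, its methods, the comma-separated ACL format, the choice to treat a blank entry as an error, and the queue and user names are all assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Hypothetical sketch: class and method names are illustrative, not Hadoop APIs.
public class QueueAclStore {
    // Readers always see one complete, immutable snapshot.
    private volatile Map<String, Set<String>> acls = Map.of();

    // Parse "user1,user2" into a set. In this sketch a blank entry is a
    // configuration error, so a malformed file aborts the refresh.
    static Set<String> parse(String queue, String spec) {
        if (spec == null || spec.isBlank()) {
            throw new IllegalArgumentException("empty ACL for queue " + queue);
        }
        return Set.of(spec.trim().split("\\s*,\\s*"));
    }

    // Build the whole replacement first; publish only if every queue parsed.
    public void refresh(Map<String, String> conf) {
        Map<String, Set<String>> next = new HashMap<>();
        for (Map.Entry<String, String> e : conf.entrySet()) {
            next.put(e.getKey(), parse(e.getKey(), e.getValue()));
        }
        acls = Map.copyOf(next); // single reference swap, nothing half-applied
    }

    // Unknown queues are denied rather than defaulting to open access.
    public boolean isAllowed(String queue, String user) {
        return acls.getOrDefault(queue, Set.of()).contains(user);
    }

    public static void main(String[] args) {
        QueueAclStore store = new QueueAclStore();
        store.refresh(Map.of("prod", "alice", "dev", "alice,bob"));
        try {
            // Constructed bad config: "dev" is blank, so this refresh must fail.
            store.refresh(Map.of("prod", "carol", "dev", " "));
        } catch (IllegalArgumentException ex) {
            System.out.println("refresh rejected: " + ex.getMessage());
        }
        // The earlier snapshot is still the one being enforced.
        System.out.println("alice on prod: " + store.isAllowed("prod", "alice"));
        System.out.println("carol on prod: " + store.isAllowed("prod", "carol"));
    }
}
```

An in-place variant that called `put` on the live map inside the loop could already have applied the new "prod" entry when the "dev" entry failed, depending on iteration order.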