[ 
https://issues.apache.org/jira/browse/YARN-3100?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14306177#comment-14306177
 ] 

Chris Douglas commented on YARN-3100:
-------------------------------------

[~aw], have you read through the patch? What it implements looks like a pretty 
straightforward application of the common ACL libraries to queues and 
applications. It just routes some of the YARN checks to a configurable 
component. Is there functionality implemented in the common libs that's not 
being used?

A few quick questions:
* What is the behavior of {{refreshQueues}}? It looks like the provider class 
remains fixed (should it throw an exception if the class in the conf doesn't 
match the singleton?), but every queue's ACLs get reset from the config. The 
refresh isn't transactional, though... if it fails partway through, the ACLs 
could be partially refreshed in the provider. Is that correct? If the provider 
is {{Configurable}}, then it also doesn't get reconfigured, as it will return 
the singleton from the first call to {{getInstance()}}.
* Could we avoid pluggable implementations with a {{Default\*}} class? A 
descriptive name is easier to change and... well, descriptive.
* {{PrivilegedEntity}} is an odd class. Would it be possible to expand on its 
definition in the javadoc, and (as a public class) add annotations for its 
intended audience (HADOOP-5073)?


> Make YARN authorization pluggable
> ---------------------------------
>
>                 Key: YARN-3100
>                 URL: https://issues.apache.org/jira/browse/YARN-3100
>             Project: Hadoop YARN
>          Issue Type: Bug
>            Reporter: Jian He
>            Assignee: Jian He
>         Attachments: YARN-3100.1.patch, YARN-3100.2.patch
>
>
> The goal is to have the YARN ACL model pluggable so as to integrate other 
> authorization tools such as Apache Ranger, Sentry.
> Currently, we have 
> - admin ACL
> - queue ACL
> - application ACL
> - time line domain ACL
> - service ACL
> The proposal is to create a YarnAuthorizationProvider interface. Current 
> implementation will be the default implementation. Ranger or Sentry plug-in 
> can implement this interface.
> Benefit:
> -  Unify the code base. With the default implementation, we can get rid of 
> each specific ACL manager such as AdminAclManager, ApplicationACLsManager, 
> QueueAclsManager etc.
> - Enable Ranger, Sentry to do authorization for YARN. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
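
The partial-refresh concern raised in the comment above, as an added example that is not part of the original message or of the YARN-3100 patch: a per-queue refresh that fails midway leaves mixed old and new ACLs, while a parse-then-swap refresh leaves the old set intact. The class, its methods, the queue names and the blank-ACL validation rule are all hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Map;
// Hypothetical stand-in for an authorization provider; not YARN's classes.
public class QueueAclRefreshDemo {
    // Queue name -> ACL string; replaced wholesale, never mutated once published.
    private volatile Map<String, String> acls = Map.of();

    // Assumed validation rule for this demo: an ACL string must not be blank.
    static String parseAcl(String queue, String raw) {
        if (raw == null || raw.isBlank()) {
            throw new IllegalArgumentException("bad ACL for queue " + queue);
        }
        return raw.trim();
    }

    // Non-transactional: publishes after each queue, so a failure on a later
    // queue leaves earlier queues on new ACLs and the rest on old ones.
    void refreshInPlace(Map<String, String> conf) {
        Map<String, String> live = new LinkedHashMap<>(acls);
        for (Map.Entry<String, String> e : conf.entrySet()) {
            live.put(e.getKey(), parseAcl(e.getKey(), e.getValue()));
            acls = Map.copyOf(live);
        }
    }

    // Transactional: parse the whole config first, then publish with one write.
    void refreshAtomically(Map<String, String> conf) {
        Map<String, String> next = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : conf.entrySet()) {
            next.put(e.getKey(), parseAcl(e.getKey(), e.getValue()));
        }
        acls = Map.copyOf(next); // reached only if every queue parsed
    }

    public static void main(String[] args) {
        Map<String, String> oldConf = Map.of("root.a", "alice", "root.b", "bob");
        Map<String, String> badConf = new LinkedHashMap<>(); // constructed; root.b is invalid
        badConf.put("root.a", "carol");
        badConf.put("root.b", " ");
        for (boolean atomic : new boolean[] {false, true}) {
            QueueAclRefreshDemo p = new QueueAclRefreshDemo();
            p.refreshAtomically(oldConf);
            try {
                if (atomic) p.refreshAtomically(badConf); else p.refreshInPlace(badConf);
            } catch (IllegalArgumentException ex) {
                System.out.println((atomic ? "atomic: " : "in-place: ") + new java.util.TreeMap<>(p.acls));
            }
        }
    }
}
```

A caller that catches the refresh exception and keeps serving requests would, in the in-place variant, authorize against a policy that matches neither the old nor the new configuration.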
