[jira] [Commented] (YARN-3100) Make YARN authorization pluggable

Thu, 05 Feb 2015 19:45:50 -0800 

    [ 
https://issues.apache.org/jira/browse/YARN-3100?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14308559#comment-14308559
 ] 

Chris Douglas commented on YARN-3100:
-------------------------------------

bq. I agree with you that if construction of Q' fails, we possibly get a mix of 
Q' and Q ACLs, which happens in the existing code.

I think the existing code doesn't have this property. ACLs 
[parsed|https://git1-us-west.apache.org/repos/asf?p=hadoop.git;a=blob;f=hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/LeafQueue.java;h=c1432101510b30cab5979223c4a52b813cfc7aee;hb=HEAD#l156]
 from the config are stored in a [member 
field|https://git1-us-west.apache.org/repos/asf?p=hadoop.git;a=blob;f=hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/AbstractCSQueue.java;h=e4c26658b0bf5301892ce7c618402ece3a6ea360;hb=HEAD#l273].
 If construction fails, those ACLs aren't installed. The patch moves 
enforcement to the authorizer:
{noformat}
   public boolean hasAccess(QueueACL acl, UserGroupInformation user) {
     synchronized (this) {
-      if (acls.get(acl).isUserAllowed(user)) {
+      if (authorizer.checkPermission(toAccessType(acl), queueEntity, user)) {
         return true;
       }
     }
{noformat}
Which is updated during construction of the replacement queue hierarchy.

> Make YARN authorization pluggable
> ---------------------------------
>
>                 Key: YARN-3100
>                 URL: https://issues.apache.org/jira/browse/YARN-3100
>             Project: Hadoop YARN
>          Issue Type: Bug
>            Reporter: Jian He
>            Assignee: Jian He
>         Attachments: YARN-3100.1.patch, YARN-3100.2.patch
>
>
> The goal is to have YARN acl model pluggable so as to integrate other 
> authorization tool such as Apache Ranger, Sentry.
> Currently, we have 
> - admin ACL
> - queue ACL
> - application ACL
> - time line domain ACL
> - service ACL
> The proposal is to create a YarnAuthorizationProvider interface. Current 
> implementation will be the default implementation. Ranger or Sentry plug-in 
> can implement  this interface.
> Benefit:
> -  Unify the code base. With the default implementation, we can get rid of 
> each specific ACL manager such as AdminAclManager, ApplicationACLsManager, 
> QueueAclsManager etc.
> - Enable Ranger, Sentry to do authorization for YARN. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to