[
https://issues.apache.org/jira/browse/YARN-2575?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15092467#comment-15092467
]
Sean Po commented on YARN-2575:
-------------------------------
>> When Reservation ACLs are not enabled - in this case, everyone should have
>> access.
This logic is already in place at Line 82 of ReservationsACLsManager.
>> When Reservation ACLs are enabled but not defined - in this case also I
>> think everyone should have access.
Here are my thoughts on this:
If we do implement it, the one problem that I see is that there might be
inconsistencies in behaviour compared to QueueACLs checks because the queue
hierarchy is ignored in ReservationACLs.
For QueueACLs the behaviour is that if the queue is root and if
ADMINISTER_QUEUE acl is not defined on root, then all users will have the
ADMINISTER_QUEUE ACL on the root queue (Line 587
CapacitySchedulerConfiguration). For example: UserA has ADMINISTER_QUEUE ACL on
queue root.QueueA, but not root.QueueB. If the queueACLs on root are not
defined, UserA will also have ADMINISTER_QUEUE ACL on root.QueueB because
QueueACLs checking process recursively looks up the hierarchy.
With ReservationACLs, hierarchy is ignored, so if we made it so that everyone
had ACLs on the queue if the ACL for the queue is not defined, then the UserA
from the example above will have access to only root and root.QueueA.
The good part about implementing this is that when someone is configuring YARN,
they can get started a lot quicker without mucking around with the
configuration. This will make it easier too if there is a team where everyone
needs to make reservations on a particular queue, for example a test queue for
team members to play around with.
What are your thoughts [~subru] and [~asuresh]?
> Consider creating separate ACLs for Reservation create/update/delete/list ops
> -----------------------------------------------------------------------------
>
> Key: YARN-2575
> URL: https://issues.apache.org/jira/browse/YARN-2575
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: capacityscheduler, fairscheduler, resourcemanager
> Reporter: Subru Krishnan
> Assignee: Sean Po
> Attachments: YARN-2575.v1.patch, YARN-2575.v2.1.patch,
> YARN-2575.v2.patch, YARN-2575.v3.patch, YARN-2575.v4.patch
>
>
> YARN-1051 introduces the ReservationSystem and in the current implementation
> anyone who can submit applications can also submit reservations. This JIRA is
> to evaluate creating separate ACLs for Reservation create/update/delete ops.
> Depends on YARN-4340
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
