[jira] [Updated] (SAMZA-1794) setting application acl in launch context for secured YARN cluster

Tue, 31 Jul 2018 15:07:32 -0700 


     [ 
https://issues.apache.org/jira/browse/SAMZA-1794?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Hai updated SAMZA-1794:
-----------------------
    Description: 
Currently we don't set application acl for container launch context. See 
[https://hadoop.apache.org/docs/r2.6.4/api/org/apache/hadoop/yarn/api/records/ContainerLaunchContext.html#setApplicationACLs(java.util.Map)]

This could potentially cause problem if samza job is running on a secured YARN 
cluster. Say user A submits the job, then by default only user A can view the 
log and the status of the job. Even worse case is that user A submits the job 
through some proxy account, then even user A herself/himself couldn't access to 
logs/status of the application.

We need to make some changes for the YARN application submission to set 
application acls in launch context as configured.

  was:
Currently we don't set application acl for container launch context. See 
[https://hadoop.apache.org/docs/r2.6.4/api/org/apache/hadoop/yarn/api/records/ContainerLaunchContext.html#setApplicationACLs(java.util.Map)]

 

This could potentially cause problem if samza job is running on a secured YARN 
cluster with proxy account.


> setting application acl in launch context for secured YARN cluster
> ------------------------------------------------------------------
>
>                 Key: SAMZA-1794
>                 URL: https://issues.apache.org/jira/browse/SAMZA-1794
>             Project: Samza
>          Issue Type: Improvement
>            Reporter: Hai
>            Assignee: Hai
>            Priority: Major
>
> Currently we don't set application acl for container launch context. See 
> [https://hadoop.apache.org/docs/r2.6.4/api/org/apache/hadoop/yarn/api/records/ContainerLaunchContext.html#setApplicationACLs(java.util.Map)]
> This could potentially cause problem if samza job is running on a secured 
> YARN cluster. Say user A submits the job, then by default only user A can 
> view the log and the status of the job. Even worse case is that user A 
> submits the job through some proxy account, then even user A herself/himself 
> couldn't access to logs/status of the application.
> We need to make some changes for the YARN application submission to set 
> application acls in launch context as configured.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to