[ https://issues.apache.org/jira/browse/OOZIE-2897?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16218455#comment-16218455 ]

Peter Bacsko commented on OOZIE-2897:
-------------------------------------

I attached the first version of the change.

Note that in order to test the ACL feature, I had to do the following:
* set Fair Scheduler explicitly in {{XTestCase}}
* define queue allocation policies so that only "test" has admin privileges

The second point is important - if this is not set, all users are considered 
admin and application ACLs have no real effect because it's possible for anyone 
to kill a running application in the cluster.

When checking permissions, both queue and application ACLs are taken into 
account: 
https://github.com/apache/hadoop/blob/921338cd86e7215b0c4b1efdf2daf9449fb12c7b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ClientRMService.java#L326-L330

I think it's important to mention this in the new documentation.

> LauncherAM should support ACLs
> ------------------------------
>
>                 Key: OOZIE-2897
>                 URL: https://issues.apache.org/jira/browse/OOZIE-2897
>             Project: Oozie
>          Issue Type: Sub-task
>    Affects Versions: 5.0.0
>            Reporter: Peter Bacsko
>            Assignee: Peter Bacsko
>            Priority: Blocker
>             Fix For: 5.0.0
>
>         Attachments: OOZIE-2897-001.patch
>
>
> In MapReduce, you can define ACL-related properties:
> {noformat}
> mapreduce.job.acl-view-job
> mapreduce.job.acl-modify-job
> {noformat}
> {{acl-view-job}} defines a list of users/groups who can retrieve the job 
> statistics. {{acl-modify-job}} defines a list of users/groups who can kill a 
> job or adjust the priority of it.
> Docs: 
> https://hadoop.apache.org/docs/r1.2.1/mapred_tutorial.html#Job+Authorization
> In YARN, we can provide backward compatibility for these properties. Example 
> code:
> {code}
> Map<ApplicationAccessType, String> acls = new HashMap<ApplicationAccessType, String>();
> acls.put(ApplicationAccessType.MODIFY_APP, "*");
> acls.put(ApplicationAccessType.VIEW_APP, "*");
> amContainer.setApplicationACLs(acls);
> {code}
> This has to be done before application submission. We have to do what 
> YARNRunner.java does: 
> https://github.com/apache/hadoop/blob/3721cfe1fbd98c5b6aa46aefdfcf62276c28c4a4/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-jobclient/src/main/java/org/apache/hadoop/mapred/YARNRunner.java#L502-L507
>  
> We should also ensure the compatibility with the properties of:
> mapreduce.job.acl-view-job
> mapreduce.job.acl-modify-job



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
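
The interaction between queue ACLs and application ACLs described in the comment above, as an added example that is not part of the original message and is not Hadoop or Oozie code: a simplified Python model in which a kill is allowed if either the application ACL check or the queue-admin check passes. The function names, the sample users and queues, and the default of `*` on the root queue are assumptions of this model; `yarn.acl.enable` and cluster-admin handling are left out.

```python
# Simplified model of the kill-permission decision; not Hadoop or Oozie code.

def _names(csv):
    return {n for n in csv.split(",") if n}

def parse_acl(acl):
    """Hadoop-style ACL string 'u1,u2 g1,g2'; '*' = everyone, ' ' = nobody."""
    if acl.strip() == "*":
        return None                      # None stands for "everyone"
    users, _, groups = acl.partition(" ")
    return _names(users), _names(groups)

def acl_allows(acl, user, groups):
    parsed = parse_acl(acl)
    if parsed is None:
        return True
    users, acl_groups = parsed
    return user in users or bool(acl_groups & set(groups))

def queue_admin(queue, queue_acls, user, groups):
    """Admin rights on any ancestor queue also apply to the child queue."""
    parts = queue.split(".")
    for i in range(len(parts), 0, -1):
        name = ".".join(parts[:i])
        # Assumed defaults: root is open to everyone, other queues to nobody.
        acl = queue_acls.get(name, "*" if name == "root" else " ")
        if acl_allows(acl, user, groups):
            return True
    return False

def can_kill(user, groups, app, queue_acls):
    """Application ACL check OR queue-admin check."""
    app_ok = user == app["owner"] or acl_allows(app["modify_acl"], user, groups)
    return app_ok or queue_admin(app["queue"], queue_acls, user, groups)

# Constructed sample: launcher owned by "test", modify ACL limited to "alice".
APP = {"owner": "test", "queue": "root.default", "modify_acl": "alice"}
DEFAULT_QUEUES = {}                    # no allocation policy defined
RESTRICTED_QUEUES = {"root": "test"}   # only "test" has queue admin rights

if __name__ == "__main__":
    for label, acls in (("default", DEFAULT_QUEUES), ("restricted", RESTRICTED_QUEUES)):
        for user in ("test", "alice", "bob"):
            print(label, user, can_kill(user, [], APP, acls))
```

With the default queue settings "bob" can kill the application even though the modify ACL names only "alice"; once queue administration is limited to "test", the application ACL decides.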
