[
https://issues.apache.org/jira/browse/TEZ-3328?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15365521#comment-15365521
]
Hitesh Shah commented on TEZ-3328:
----------------------------------
One proposal that I have is to do the following:
- create a new entity called TEZ_APP_CONF which will store APP-level
  configs. This entity will be protected by the session-level acls
- make TEZ_APP, TEZ_APP_ATTEMPT, TEZ_CONTAINER use the default config,
  i.e. allow all users, while at the same time ensuring that there is no
  sensitive data being stored in these entities. The only info stored would
  be basic info like ids, start times, user info, etc. Hence the need to
  split out configs into a separate entity.
Comments?
> [Umbrella] UI does not work well when there are separate DAG and
> session-level ACLs
> -----------------------------------------------------------------------------------
>
> Key: TEZ-3328
> URL: https://issues.apache.org/jira/browse/TEZ-3328
> Project: Apache Tez
> Issue Type: Bug
> Reporter: Hitesh Shah
> Assignee: Hitesh Shah
> Priority: Critical
>
> Currently, when authz systems such as Ranger/Sentry are in place, all hive
> queries run in a tez session owned by user hive. Queries run by end-users say
> user a,b,c, etc have perimeter checks but the yarn containers run as user
> hive.
> In terms of acls, what this means is that the session-level acls are
> restricted to user hive and admins. And then each query ends up with a dag
> specific acl for user a or b or c.
> In Tez impls, this translates to:
> - entities such as TEZ_APP, TEZ_APP_ATTEMPT, CONTAINER use a
> session-specific domain/acl
> - entities for the dag - TEZ_DAG/VERTEX/TASK,TA end up with a dag specific
> ACL.
> If user "a" clicks through the app link from the RM and lands on the app
> details page, the user will not find any dags, as the user has no permission
> to view the tez app entity, which renders the UI functionality broken.
> \cc [~sseth] [~rajesh.balamohan] [~Sreenath] [~jeagles] [~thejas]
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
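The following is an added illustration of the ACL split discussed in this thread; it is not Tez code and not part of the JIRA comment. It models YARN timeline domains as simple reader sets and compares the current layout (app-level entities, configs included, in the session domain) with the proposed one (configs moved to a separate TEZ_APP_CONF entity under the session ACL, the other app-level entities in the allow-all default domain with only basic fields). The domain membership rules, the field names, and the `app_page_works` heuristic are assumptions chosen for the example.

```python
from dataclasses import dataclass

ALLOW_ALL = "*"  # the default timeline domain: readable by everyone


@dataclass(frozen=True)
class Domain:
    """A timeline domain, reduced to the set of users allowed to read it."""
    name: str
    readers: frozenset

    def can_read(self, user: str) -> bool:
        return ALLOW_ALL in self.readers or user in self.readers


@dataclass(frozen=True)
class Entity:
    kind: str        # TEZ_APP, TEZ_DAG, ...
    domain: Domain
    fields: tuple    # field names stored in the entity (constructed sample)


# Constructed field sets: "config" stands for the sensitive app configuration.
BASIC = ("id", "startTime", "user")
CONFIG = ("config",)


def session_and_dag_domains(session_users, dag_user):
    """Assumption: the DAG domain admits the submitting user plus the
    session owner/admins; the session domain admits only the latter."""
    session = Domain("session-hive", frozenset(session_users))
    dag = Domain(f"dag-{dag_user}", frozenset(set(session_users) | {dag_user}))
    return session, dag


def current_layout(session, dag):
    """Today: app-level entities (carrying configs) sit in the session domain."""
    return (
        Entity("TEZ_APP", session, BASIC + CONFIG),
        Entity("TEZ_APP_ATTEMPT", session, BASIC),
        Entity("TEZ_CONTAINER", session, BASIC),
        Entity("TEZ_DAG", dag, BASIC),
    )


def proposed_layout(session, dag):
    """Proposal: configs move to TEZ_APP_CONF (session ACL); the remaining
    app-level entities go to the allow-all domain with basic fields only."""
    public = Domain("default", frozenset({ALLOW_ALL}))
    return (
        Entity("TEZ_APP_CONF", session, CONFIG),
        Entity("TEZ_APP", public, BASIC),
        Entity("TEZ_APP_ATTEMPT", public, BASIC),
        Entity("TEZ_CONTAINER", public, BASIC),
        Entity("TEZ_DAG", dag, BASIC),
    )


def readable(entities, user):
    """Entity kinds the given user is allowed to read."""
    return {e.kind for e in entities if e.domain.can_read(user)}


def app_page_works(entities, user):
    """Assumed UI requirement: the app-details page needs the TEZ_APP entity
    and at least one DAG entity the user may read."""
    kinds = readable(entities, user)
    return "TEZ_APP" in kinds and "TEZ_DAG" in kinds


def config_leaks_to_public(entities):
    """Invariant check for the proposal: no allow-all entity carries config."""
    return any(
        ALLOW_ALL in e.domain.readers and any(f in CONFIG for f in e.fields)
        for e in entities
    )


if __name__ == "__main__":
    session, dag = session_and_dag_domains({"hive", "admin"}, "a")
    for name, layout in (("current", current_layout(session, dag)),
                         ("proposed", proposed_layout(session, dag))):
        print(name, "| user a reads:", sorted(readable(layout, "a")),
              "| app page works:", app_page_works(layout, "a"),
              "| config public:", config_leaks_to_public(layout))
```

Running the script shows the failure mode from the issue description (user "a" can read its DAG but not TEZ_APP, so the page is empty) and that the proposal fixes it without exposing configs: TEZ_APP_CONF stays readable only by the session users, and `config_leaks_to_public` holds for both layouts.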