[ https://issues.apache.org/jira/browse/TEZ-3328?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15366162#comment-15366162 ]

Sreenath Somarajapuram edited comment on TEZ-3328 at 8/22/16 10:11 AM:
-----------------------------------------------------------------------

[~hitesh] Following are the UI action-items that I could think of. Are they 
correct, and are they complete? Please guide.
# Create a new TEZ_APP_CONF entity, and load the app configurations page from 
the same.
-All entities (DAG, Vertex, Task, Attempts) under an application must be 
requested with an authentication token made from the otherinfo.user value in 
TEZ_APPLICATION.-
--I'm not clear what this token should be.-
--For user "a" should it be an extra query param? Something like "user.name=a"-


was (Author: sreenath):
[~hitesh] Following are the UI action-items that I could think of. Are they 
correct, and are they complete? Please guide.
# Create a new TEZ_APP_CONF entity, and load the app configurations page from 
the same.
# All entities (DAG, Vertex, Task, Attempts) under an application must be 
requested with an authentication token made from the otherinfo.user value in 
TEZ_APPLICATION.
-- I'm not clear what this token should be.
-- For user "a" should it be an extra query param? Something like "user.name=a"

> [Umbrella] UI does not work well when there are separate DAG and 
> session-level ACLs
> -----------------------------------------------------------------------------------
>
>                 Key: TEZ-3328
>                 URL: https://issues.apache.org/jira/browse/TEZ-3328
>             Project: Apache Tez
>          Issue Type: Bug
>            Reporter: Hitesh Shah
>            Assignee: Hitesh Shah
>            Priority: Critical
>         Attachments: TEZ-3328.wip.patch
>
>
> Currently, when authz systems such as Ranger/Sentry are in place, all hive 
> queries run in a tez session owned by user hive. Queries run by end-users say 
> user a,b,c, etc have perimeter checks but the yarn containers run as user 
> hive. 
> In terms of acls, what this means is that the session-level acls are 
> restricted to user hive and admins. And then each query ends up with a dag 
> specific acl for user a or b or c. 
> In Tez impls, this translates to: 
>   - entities such as TEZ_APP, TEZ_APP_ATTEMPT, CONTAINER use a 
> session-specific domain/acl
>   - entities for the dag - TEZ_DAG/VERTEX/TASK,TA end up with a dag specific 
> ACL. 
> If user "a" clicks through the app link from the RM and lands on the app 
> details page, the user will not find any dags as the user has no permissions 
> to view the tez app entity rendering the UI functionality to be broken.
> \cc [~sseth] [~rajesh.balamohan] [~Sreenath] [~jeagles] [~thejas]



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)