[jira] [Commented] (TEZ-3328) [Umbrella] UI does not work well when there are separate DAG and session-level ACLs

Wed, 24 Aug 2016 07:41:58 -0700 

    [ 
https://issues.apache.org/jira/browse/TEZ-3328?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15435031#comment-15435031
 ] 

Sreenath Somarajapuram commented on TEZ-3328:
---------------------------------------------

bq. The question would be how to figure out that the user does not have 
permissions?
If app is not available in ATS but DAG is, then is it reasonable to assume that 
the user doesn't have permission at app level and display the respective 
message in app details page?

bq. To be clear, if the user is viewing the app details, what dags would you 
consider checking for and how would you go about it?
- Not sure if I fully understand the question.
- With just DAG level permission, the user would be able to use filters and get 
the DAGs under the application from ATS. We can display the DAGs tab with that 
info.

PS: It would be great if ATS, RM etc can return status 401(Unauthorized), 
instead of 404 (Not Found), when ACL fails.

> [Umbrella] UI does not work well when there are separate DAG and 
> session-level ACLs
> -----------------------------------------------------------------------------------
>
>                 Key: TEZ-3328
>                 URL: https://issues.apache.org/jira/browse/TEZ-3328
>             Project: Apache Tez
>          Issue Type: Bug
>            Reporter: Hitesh Shah
>            Assignee: Hitesh Shah
>            Priority: Critical
>         Attachments: TEZ-3328.wip.patch
>
>
> Currently, when authz systems such as Ranger/Sentry are in place, all hive 
> queries run in a tez session owned by user hive. Queries run by end-users say 
> user a,b,c, etc have perimeter checks but the yarn containers run as user 
> hive. 
> In terms of acls, what this means is that the session-level acls are 
> restricted to user hive and admins. And then each query ends up with a dag 
> specific acl for user a or b or c. 
> In Tez impls, this translates to: 
>   - entities such as TEZ_APP, TEZ_APP_ATTEMPT, CONTAINER use a 
> session-specific domain/acl
>   - entities for the dag - TEZ_DAG/VERTEX/TASK,TA end up with a dag specific 
> ACL. 
> If user "a" clicks through the app link from the RM and lands on the app 
> details page, the user will not find any dags as the user has no permissions 
> to view the tez app entity rendering the UI functionality to be broken.
> \cc [~sseth] [~rajesh.balamohan] [~Sreenath] [~jeagles] [~thejas]



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to