[ https://issues.apache.org/jira/browse/TEZ-3328?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15435550#comment-15435550 ]

Sreenath Somarajapuram edited comment on TEZ-3328 at 8/24/16 8:01 PM:
----------------------------------------------------------------------

bq. You can file a bug for it if needed
Have created YARN-5558

bq. clarify how you would implement this
On loading app details page, send a request to 
<ats-address>/ws/v1/timeline/TEZ_APPLICATION/tez_<app-id>
- If it succeeds, display the details page as we do now.
- If it fails, send a request to 
<ats-address>/ws/v1/timeline/TEZ_DAG_ID?primaryFilter=applicationId%3A<app-id>
-- If it succeeds, then we know that DAGs under the app are available and assume 
that the user doesn't have permission to access app level data.
--- So display a message in app details tab, something like "Data is not 
available. Check if you are authorized to access application data!".
--- If AHS is accessible, display application data from there in the details 
page.
--- Also display the DAGs tab, for the user to see DAGs under that app.
-- If it fails, display error message as we do now.

Please let me know if there is a hole in this design. This is what I meant by 
"If app is not available in ATS but DAG is..."


was (Author: sreenath):
bq. You can file a bug for it if needed
Have created YARN-5558

bq. clarify how you would implement this
On loading app details page, send a request to 
<ats-address>/ws/v1/timeline/TEZ_APPLICATION/tez_<app-id>
- If it succeeds, display the details page as we do now.
- If it fails, send a request to 
<ats-address>/ws/v1/timeline/TEZ_DAG_ID?primaryFilter=applicationId%3A<app-id>
-- If it succeeds, then we know that DAGs under the app are available and assume 
that the user doesn't have permission to access app level data.
--- So display a message in app details tab, something like "Application data 
is not available".
--- If AHS is accessible, display application data from there in the details 
page.
--- Also display the DAGs tab, for the user to see DAGs under that app.
-- If it fails, display error message as we do now.

Please let me know if there is a hole in this design. This is what I meant by 
"If app is not available in ATS but DAG is..."

> [Umbrella] UI does not work well when there are separate DAG and 
> session-level ACLs
> -----------------------------------------------------------------------------------
>
>                 Key: TEZ-3328
>                 URL: https://issues.apache.org/jira/browse/TEZ-3328
>             Project: Apache Tez
>          Issue Type: Bug
>            Reporter: Hitesh Shah
>            Assignee: Hitesh Shah
>            Priority: Critical
>         Attachments: TEZ-3328.wip.patch
>
>
> Currently, when authz systems such as Ranger/Sentry are in place, all hive 
> queries run in a tez session owned by user hive. Queries run by end-users say 
> user a,b,c, etc have perimeter checks but the yarn containers run as user 
> hive. 
> In terms of acls, what this means is that the session-level acls are 
> restricted to user hive and admins. And then each query ends up with a dag 
> specific acl for user a or b or c. 
> In Tez impls, this translates to: 
>   - entities such as TEZ_APP, TEZ_APP_ATTEMPT, CONTAINER use a 
> session-specific domain/acl
>   - entities for the dag - TEZ_DAG/VERTEX/TASK,TA end up with a dag specific 
> ACL. 
> If user "a" clicks through the app link from the RM and lands on the app 
> details page, the user will not find any dags as the user has no permissions 
> to view the tez app entity rendering the UI functionality to be broken.
> \cc [~sseth] [~rajesh.balamohan] [~Sreenath] [~jeagles] [~thejas]



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
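
The request order proposed in the comment at the top of this message, written out as an added JavaScript example (not part of the original message and not Tez UI code). The helpers `get` and `getAhsApp` and the returned object shape are hypothetical; only the two timeline URLs and the user-facing message come from the comment.

```javascript
// Added example. `get(url)` is a hypothetical helper that resolves to
// { ok, status, body } and does not reject on HTTP errors. `getAhsApp(appId)`
// is a hypothetical AHS lookup (the message gives no AHS URL).
function timelineUrls(atsAddress, appId) {
  const base = `${atsAddress}/ws/v1/timeline`;
  // appId arrives from the page route, so encode it before building URLs.
  const filter = encodeURIComponent(`applicationId:${appId}`);
  return {
    app: `${base}/TEZ_APPLICATION/tez_${encodeURIComponent(appId)}`,
    dags: `${base}/TEZ_DAG_ID?primaryFilter=${filter}`,
  };
}

async function resolveAppDetailsView(atsAddress, appId, get, getAhsApp) {
  const urls = timelineUrls(atsAddress, appId);

  const app = await get(urls.app);
  if (app.ok) {
    // App entity is readable: render the details page as before.
    return { view: 'details', restricted: false, source: 'ATS', app: app.body };
  }

  const dags = await get(urls.dags);
  if (!dags.ok) {
    // Neither the app entity nor its DAGs are readable: existing error page.
    return { view: 'error', status: dags.status };
  }

  // DAG query works but the app entity does not: assume the user lacks
  // permission on app-level data. Try AHS; its failure is not fatal.
  let ahsApp = null;
  try {
    ahsApp = await getAhsApp(appId);
  } catch (e) {
    ahsApp = null;
  }
  return {
    view: 'details',
    restricted: true,
    appStatus: app.status, // kept so the UI can log why the app probe failed
    source: ahsApp ? 'AHS' : 'none',
    app: ahsApp,
    message: 'Data is not available. Check if you are authorized to access application data!',
    showDagsTab: true,
  };
}
```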
