[
https://issues.apache.org/jira/browse/TEZ-3328?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15436629#comment-15436629
]
Sreenath Somarajapuram commented on TEZ-3328:
---------------------------------------------
Thanks [~hitesh]
Created TEZ-3419 for implementing the above logic.
> [Umbrella] UI does not work well when there are separate DAG and
> session-level ACLs
> -----------------------------------------------------------------------------------
>
> Key: TEZ-3328
> URL: https://issues.apache.org/jira/browse/TEZ-3328
> Project: Apache Tez
> Issue Type: Bug
> Reporter: Hitesh Shah
> Assignee: Hitesh Shah
> Priority: Critical
> Attachments: TEZ-3328.wip.patch
>
>
> Currently, when authz systems such as Ranger/Sentry are in place, all Hive
> queries run in a Tez session owned by user hive. Queries run by end users, say
> user a, b, c, etc., have perimeter checks, but the YARN containers run as user
> hive.
> In terms of ACLs, what this means is that the session-level ACLs are
> restricted to user hive and admins. And then each query ends up with a
> DAG-specific ACL for user a or b or c.
> In Tez impls, this translates to:
> - entities such as TEZ_APP, TEZ_APP_ATTEMPT, CONTAINER use a
> session-specific domain/ACL
> - entities for the DAG - TEZ_DAG/VERTEX/TASK,TA end up with a DAG-specific
> ACL.
> If user "a" clicks through the app link from the RM and lands on the app
> details page, the user will not find any DAGs, as the user has no permissions
> to view the Tez app entity, rendering the UI functionality broken.
> cc [~sseth] [~rajesh.balamohan] [~Sreenath] [~jeagles] [~thejas]
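An added example (not part of the JIRA message or the Tez code base): a small Python model of the ACL layout described in the issue, listing entities a user is allowed to read but cannot reach because an ancestor entity sits in a domain they cannot read. The domain names, entity ids, parent links and helper functions are constructed for illustration and are not Tez or YARN Timeline Server APIs.

```python
# Constructed model of the session-level vs DAG-level ACL split.
# Entity types come from the issue text; everything else is hypothetical.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Entity:
    entity_type: str
    entity_id: str
    domain: str                      # ACL domain the entity was written under
    parent_id: Optional[str] = None  # entity the UI loads before this one (assumed)

ADMINS = {"admin"}

# Domain id -> users allowed to read entities in that domain (constructed).
DOMAINS = {
    "session_acl": {"hive"},  # session owned by user hive
    "dag_a_acl": {"a"},       # per-query DAG ACL for end user a
    "dag_b_acl": {"b"},       # per-query DAG ACL for end user b
}

ENTITIES = [
    Entity("TEZ_APP", "app_1", "session_acl"),
    Entity("TEZ_APP_ATTEMPT", "attempt_1", "session_acl", "app_1"),
    Entity("TEZ_DAG", "dag_1", "dag_a_acl", "app_1"),
    Entity("TEZ_VERTEX", "vertex_1", "dag_a_acl", "dag_1"),
    Entity("TEZ_DAG", "dag_2", "dag_b_acl", "app_1"),
]

def can_read(user, entity):
    return user in ADMINS or user in DOMAINS[entity.domain]

def unreachable_entities(user, entities):
    """Return (entity_id, blocking_ancestor_id) pairs: entities the user may
    read, but whose ancestor chain contains an entity the user may not read."""
    by_id = {e.entity_id: e for e in entities}
    blocked = []
    for e in entities:
        if not can_read(user, e):
            continue
        parent = by_id.get(e.parent_id)
        while parent is not None:
            if not can_read(user, parent):
                blocked.append((e.entity_id, parent.entity_id))
                break
            parent = by_id.get(parent.parent_id)
    return blocked
```

For user "a" every readable entity is blocked by `app_1`, which matches the broken click-through from the RM link described in the issue.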