[jira] [Commented] (YARN-1539) Queue admin ACLs should NOT be similar to submit-acls w.r.t hierarchy.

2014-01-02 Thread Sandy Ryza (JIRA) 

[ 
https://issues.apache.org/jira/browse/YARN-1539?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13861051#comment-13861051
 ] 

Sandy Ryza commented on YARN-1539:
--

Verified that the Fair Scheduler has the same behavior.

 Queue admin ACLs should NOT be similar to submit-acls w.r.t hierarchy.
 --

 Key: YARN-1539
 URL: https://issues.apache.org/jira/browse/YARN-1539
 Project: Hadoop YARN
  Issue Type: Sub-task
Reporter: Vinod Kumar Vavilapalli

 Today, Queue admin ACLs are similar to submit-acls w.r.t hierarchy in that if 
 one has to be able to administer a queue, he/she should be an admin of all 
 the queues in the ancestry - an unnecessary burden.
 This was added in YARN-899 and I believe is wrong semantics as well as 
 implementation.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)

[jira] [Commented] (YARN-1539) Queue admin ACLs should NOT be similar to submit-acls w.r.t hierarchy.

2013-12-26 Thread Sandy Ryza (JIRA) 

[ 
https://issues.apache.org/jira/browse/YARN-1539?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13857050#comment-13857050
 ] 

Sandy Ryza commented on YARN-1539:
--

My understanding was that the way that both submit and admin work is that: to 
have access to a queue, you need to be in its access control list OR in the 
access control list of any of its ancestors.  Where is the unnecessary burden?  
Also, would this not be an incompatible change?

{code}
  @Override
  public boolean hasAccess(QueueACL acl, UserGroupInformation user) {
synchronized (this) {
  if (acls.get(acl).isUserAllowed(user)) {
return true;
  }
}

if (parent != null) {
  return parent.hasAccess(acl, user);
}

return false;
  }
{code}

 Queue admin ACLs should NOT be similar to submit-acls w.r.t hierarchy.
 --

 Key: YARN-1539
 URL: https://issues.apache.org/jira/browse/YARN-1539
 Project: Hadoop YARN
  Issue Type: Bug
Reporter: Vinod Kumar Vavilapalli
Priority: Critical

 Today, Queue admin ACLs are similar to submit-acls w.r.t hierarchy in that if 
 one has to be able to administer a queue, he/she should be an admin of all 
 the queues in the ancestry - an unnecessary burden.
 This was added in YARN-899 and I believe is wrong semantics as well as 
 implementation.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)

[jira] [Commented] (YARN-1539) Queue admin ACLs should NOT be similar to submit-acls w.r.t hierarchy.

2013-12-26 Thread Vinod Kumar Vavilapalli (JIRA) 

[ 
https://issues.apache.org/jira/browse/YARN-1539?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13857064#comment-13857064
 ] 

Vinod Kumar Vavilapalli commented on YARN-1539:
---

bq. you need to be in its access control list OR in the access control list of 
any of its ancestors.
It is AND not OR in Capacity-Scheduler. And that makes sense for submit-acls. 
You need to have permissions to submit to a parent-queue, child-queue, leaf 
queue etc. But not for admin ACLs.

Seems like that is different for FairScheduler. All the more we should fix this 
to be consistent. FairScheduler should also change w.r.t submit-acls.

Yes, this would be an incompatible change, but don't know of a solution 
otherwise. I found this a while back 
([here|https://issues.apache.org/jira/browse/YARN-899?focusedCommentId=13781287page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13781287])
 but failed to file the ticket and fix it in time.

 Queue admin ACLs should NOT be similar to submit-acls w.r.t hierarchy.
 --

 Key: YARN-1539
 URL: https://issues.apache.org/jira/browse/YARN-1539
 Project: Hadoop YARN
  Issue Type: Bug
Reporter: Vinod Kumar Vavilapalli
Priority: Critical

 Today, Queue admin ACLs are similar to submit-acls w.r.t hierarchy in that if 
 one has to be able to administer a queue, he/she should be an admin of all 
 the queues in the ancestry - an unnecessary burden.
 This was added in YARN-899 and I believe is wrong semantics as well as 
 implementation.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)

[jira] [Commented] (YARN-1539) Queue admin ACLs should NOT be similar to submit-acls w.r.t hierarchy.

2013-12-26 Thread Sandy Ryza (JIRA) 

[ 
https://issues.apache.org/jira/browse/YARN-1539?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13857074#comment-13857074
 ] 

Sandy Ryza commented on YARN-1539:
--

The code I posted above is from the Capacity Scheduler.  It looks like OR to 
me.  The Fair Scheduler has slightly different code, but we took the semantics 
from this.  Am I missing something?

 Queue admin ACLs should NOT be similar to submit-acls w.r.t hierarchy.
 --

 Key: YARN-1539
 URL: https://issues.apache.org/jira/browse/YARN-1539
 Project: Hadoop YARN
  Issue Type: Sub-task
Reporter: Vinod Kumar Vavilapalli
Priority: Critical

 Today, Queue admin ACLs are similar to submit-acls w.r.t hierarchy in that if 
 one has to be able to administer a queue, he/she should be an admin of all 
 the queues in the ancestry - an unnecessary burden.
 This was added in YARN-899 and I believe is wrong semantics as well as 
 implementation.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)