[jira] [Commented] (YARN-1539) Queue admin ACLs should NOT be similar to submit-acls w.r.t hierarchy.
[ https://issues.apache.org/jira/browse/YARN-1539?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13861051#comment-13861051 ] Sandy Ryza commented on YARN-1539: -- Verified that the Fair Scheduler has the same behavior. Queue admin ACLs should NOT be similar to submit-acls w.r.t hierarchy. -- Key: YARN-1539 URL: https://issues.apache.org/jira/browse/YARN-1539 Project: Hadoop YARN Issue Type: Sub-task Reporter: Vinod Kumar Vavilapalli Today, Queue admin ACLs are similar to submit-acls w.r.t hierarchy in that if one has to be able to administer a queue, he/she should be an admin of all the queues in the ancestry - an unnecessary burden. This was added in YARN-899 and I believe is wrong semantics as well as implementation. -- This message was sent by Atlassian JIRA (v6.1.5#6160)
[jira] [Commented] (YARN-1539) Queue admin ACLs should NOT be similar to submit-acls w.r.t hierarchy.
[ https://issues.apache.org/jira/browse/YARN-1539?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13857050#comment-13857050 ] Sandy Ryza commented on YARN-1539: -- My understanding was that the way that both submit and admin work is that: to have access to a queue, you need to be in its access control list OR in the access control list of any of its ancestors. Where is the unnecessary burden? Also, would this not be an incompatible change? {code} @Override public boolean hasAccess(QueueACL acl, UserGroupInformation user) { synchronized (this) { if (acls.get(acl).isUserAllowed(user)) { return true; } } if (parent != null) { return parent.hasAccess(acl, user); } return false; } {code} Queue admin ACLs should NOT be similar to submit-acls w.r.t hierarchy. -- Key: YARN-1539 URL: https://issues.apache.org/jira/browse/YARN-1539 Project: Hadoop YARN Issue Type: Bug Reporter: Vinod Kumar Vavilapalli Priority: Critical Today, Queue admin ACLs are similar to submit-acls w.r.t hierarchy in that if one has to be able to administer a queue, he/she should be an admin of all the queues in the ancestry - an unnecessary burden. This was added in YARN-899 and I believe is wrong semantics as well as implementation. -- This message was sent by Atlassian JIRA (v6.1.5#6160)
[jira] [Commented] (YARN-1539) Queue admin ACLs should NOT be similar to submit-acls w.r.t hierarchy.
[ https://issues.apache.org/jira/browse/YARN-1539?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13857064#comment-13857064 ] Vinod Kumar Vavilapalli commented on YARN-1539: --- bq. you need to be in its access control list OR in the access control list of any of its ancestors. It is AND not OR in Capacity-Scheduler. And that makes sense for submit-acls. You need to have permissions to submit to a parent-queue, child-queue, leaf queue etc. But not for admin ACLs. Seems like that is different for FairScheduler. All the more we should fix this to be consistent. FairScheduler should also change w.r.t submit-acls. Yes, this would be an incompatible change, but don't know of a solution otherwise. I found this a while back ([here|https://issues.apache.org/jira/browse/YARN-899?focusedCommentId=13781287page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13781287]) but failed to file the ticket and fix it in time. Queue admin ACLs should NOT be similar to submit-acls w.r.t hierarchy. -- Key: YARN-1539 URL: https://issues.apache.org/jira/browse/YARN-1539 Project: Hadoop YARN Issue Type: Bug Reporter: Vinod Kumar Vavilapalli Priority: Critical Today, Queue admin ACLs are similar to submit-acls w.r.t hierarchy in that if one has to be able to administer a queue, he/she should be an admin of all the queues in the ancestry - an unnecessary burden. This was added in YARN-899 and I believe is wrong semantics as well as implementation. -- This message was sent by Atlassian JIRA (v6.1.5#6160)
[jira] [Commented] (YARN-1539) Queue admin ACLs should NOT be similar to submit-acls w.r.t hierarchy.
[ https://issues.apache.org/jira/browse/YARN-1539?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13857074#comment-13857074 ] Sandy Ryza commented on YARN-1539: -- The code I posted above is from the Capacity Scheduler. It looks like OR to me. The Fair Scheduler has slightly different code, but we took the semantics from this. Am I missing something? Queue admin ACLs should NOT be similar to submit-acls w.r.t hierarchy. -- Key: YARN-1539 URL: https://issues.apache.org/jira/browse/YARN-1539 Project: Hadoop YARN Issue Type: Sub-task Reporter: Vinod Kumar Vavilapalli Priority: Critical Today, Queue admin ACLs are similar to submit-acls w.r.t hierarchy in that if one has to be able to administer a queue, he/she should be an admin of all the queues in the ancestry - an unnecessary burden. This was added in YARN-899 and I believe is wrong semantics as well as implementation. -- This message was sent by Atlassian JIRA (v6.1.5#6160)