[jira] [Commented] (YARN-2390) Investigating whether generic history service needs to support queue-acls

2014-08-18 Thread Sunil G (JIRA)

[ https://issues.apache.org/jira/browse/YARN-2390?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14100724#comment-14100724 ]

Sunil G commented on YARN-2390:
---

Hi [~zjshen]

bq. is the right fix to be correcting the ACLs on RM side?
+1. Yes, I also feel it will be better if we remove the ACL checks for those 
apps which are completed from RM side.

If the rmApp state is not *FinalApplicationStatus.UNDEFINED*, such applications 
must have been moved to FAILED/SUCCEEDED/KILLED. Queue ACLs for such 
applications need not be checked. *ClientRMService#checkAccess* can be 
modified with this change. If this approach is fine, I would like to take over 
this JIRA. Kindly let me know your suggestion.


 Investigating whether generic history service needs to support queue-acls
 --

 Key: YARN-2390
 URL: https://issues.apache.org/jira/browse/YARN-2390
 Project: Hadoop YARN
 Issue Type: Sub-task
 Reporter: Zhijie Shen

 According to YARN-1250, it's arguable whether queue-acls should be applied to 
 the generic history service as well, because the queue admin may not need the 
 access to the completed application that is removed from the queue. Create 
 this ticket to tackle the discussion around.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
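
The proposal in the comment above, as an added example that is not part of the original thread and is not Hadoop code: a small stand-alone Java model comparing an access check that always consults the queue-admin ACL with one that stops consulting it once the application has a final status. All class, record and method names, the application-level view ACL, and the sample users are assumptions made for illustration.

```java
import java.util.List;
import java.util.Set;

// Simplified model, NOT Hadoop code: every type and method name is hypothetical.
public class FinishedAppAclModel {
    enum FinalStatus { UNDEFINED, SUCCEEDED, FAILED, KILLED }

    // viewAcl stands in for an application-level view ACL (assumption).
    record App(String id, String owner, Set<String> viewAcl, FinalStatus finalStatus) {}
    record Queue(String name, Set<String> admins) {}

    static boolean ownerOrViewer(String user, App app) {
        return user.equals(app.owner()) || app.viewAcl().contains(user);
    }

    // Behaviour described in the thread: the queue-admin ACL is consulted
    // for every app the RM still holds, finished or not.
    static boolean checkAccessCurrent(String user, App app, Queue queue) {
        return ownerOrViewer(user, app) || queue.admins().contains(user);
    }

    // Proposal: once a final status exists, the queue ACL no longer applies.
    static boolean checkAccessProposed(String user, App app, Queue queue) {
        if (ownerOrViewer(user, app)) {
            return true;
        }
        boolean finished = app.finalStatus() != FinalStatus.UNDEFINED;
        return !finished && queue.admins().contains(user);
    }

    public static void main(String[] args) {
        // Constructed sample data.
        Queue queue = new Queue("analytics", Set.of("qadmin"));
        List<App> apps = List.of(
            new App("app_running", "alice", Set.of("bob"), FinalStatus.UNDEFINED),
            new App("app_killed", "alice", Set.of("bob"), FinalStatus.KILLED));
        for (App app : apps) {
            for (String user : List.of("alice", "bob", "qadmin", "mallory")) {
                System.out.printf("%-12s %-8s current=%-5b proposed=%b%n",
                    app.id(), user,
                    checkAccessCurrent(user, app, queue),
                    checkAccessProposed(user, app, queue));
            }
        }
    }
}
```

The only row that differs between the two columns is the queue admin on the finished app, which is the case the thread is debating.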


[jira] [Commented] (YARN-2390) Investigating whether generic history service needs to support queue-acls

2014-08-18 Thread Zhijie Shen (JIRA)

[ https://issues.apache.org/jira/browse/YARN-2390?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14100880#comment-14100880 ]

Zhijie Shen commented on YARN-2390:
---

[~sunilg], please feel free to assign the ticket to yourself.

bq. If the rmApp state is not FinalApplicationStatus.UNDEFINED,

Is this check necessary? The application can do unregistration without 
specifying FinalApplicationStatus. I'm not sure whether RM will conclude a 
FinalApplicationStatus on behalf of the app.



[jira] [Commented] (YARN-2390) Investigating whether generic history service needs to support queue-acls

2014-08-18 Thread Sunil G (JIRA)

[ https://issues.apache.org/jira/browse/YARN-2390?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14100949#comment-14100949 ]

Sunil G commented on YARN-2390:
---

Thank you [~zjshen].
I have checked *RMAppImpl#getFinalApplicationStatus*. If 
*currentAttempt.getFinalApplicationStatus()* is null (cases where AM has done 
unregister without specifying the final status), then the final status is created 
by RM (calling *RMAppImpl#createFinalApplicationStatus()*).
How do you feel about this?

 Investigating whether generic history service needs to support queue-acls
 --

 Key: YARN-2390
 URL: https://issues.apache.org/jira/browse/YARN-2390
 Project: Hadoop YARN
 Issue Type: Sub-task
 Reporter: Zhijie Shen
 Assignee: Sunil G

 According to YARN-1250, it's arguable whether queue-acls should be applied to 
 the generic history service as well, because the queue admin may not need the 
 access to the completed application that is removed from the queue. Create 
 this ticket to tackle the discussion around.





[jira] [Commented] (YARN-2390) Investigating whether generic history service needs to support queue-acls

2014-08-14 Thread Sunil G (JIRA)

[ https://issues.apache.org/jira/browse/YARN-2390?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14097280#comment-14097280 ]

Sunil G commented on YARN-2390:
---

Yes. I understood your idea, but completed apps can be there in RM for some 
more time (1 is default number of completed apps in RM), and ACLs will be 
applicable for these completed apps still. 
In History Server, behavior now is different for the same completed app once it's 
moved from RM. This was the only point I was thinking we may need to look into. 
What do you feel about this?




[jira] [Commented] (YARN-2390) Investigating whether generic history service needs to support queue-acls

2014-08-14 Thread Zhijie Shen (JIRA)

[ https://issues.apache.org/jira/browse/YARN-2390?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14097385#comment-14097385 ]

Zhijie Shen commented on YARN-2390:
---

bq. but completed apps can be there in RM for some more time (1 is default 
number of completed apps in RM). and ACL's will be applicable for these 
completed apps still. 

[~sunilg], that's a good point. I agree it would be nice if RM and GHS have 
consistent access control for finished application. However, if it's reasonable 
that the queue admin shouldn't have the access to the complete app which is 
removed from the queue, is the right fix to be correcting the ACLs on RM side?

One related issue is that while CLI will check the user's ACLs properly, 
neither GET APIs nor web UI honor the ACLs completely at RM side (therefore, I 
filed YARN-2310 and YARN-2311 before).



[jira] [Commented] (YARN-2390) Investigating whether generic history service needs to support queue-acls

2014-08-13 Thread Zhijie Shen (JIRA)

[ https://issues.apache.org/jira/browse/YARN-2390?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14095748#comment-14095748 ]

Zhijie Shen commented on YARN-2390:
---

bq. For getting application report, container report etc, currently in 
ClientRMService Queue ACL for ADMINISTER_QUEUE is also checked.

That's correct. However, after the app is finished, it has been removed from 
the queue. The question is whether we still want to give queue admin to the app 
that used to run on the queue, but now is removed from it and finished.

Personally, I prefer not to grant the view access of the finished app to the 
queue admin, because IMHO, the permissions of the queue admin should be within 
the scope of his assigned queue. Thoughts?
