Hi Junseung,

You are right, anyone who has a valid Kerberos ticket is allowed to put a domain, but the owner of the domain can decide who can write and read entities in the domain. We can write a custom Filter with extra logic to restrict certain users from creating a domain and add the custom FilterInitializer to hadoop.http.filter.initializers.

Thanks,
Prabhu Joseph

On Thu, May 30, 2019 at 5:31 PM Junseung Hwang <j5hw...@gmail.com> wrote:

> Hi,
>
> I’m using the YARN Timeline Server v1 from Hadoop 2.7.7, and I want the
> Timeline Server to be secure.
>
> To configure Kerberos authentication and authorization, I set the
> following in yarn-site.xml:
> - yarn.timeline-service.http-authentication.type: kerberos
> - yarn.timeline-service.http-authentication.kerberos.principal
> - yarn.timeline-service.http-authentication.kerberos.keytab
> - yarn.acl.enable: true
> - yarn.admin.acl: (space)
>
> However, as far as I know, anyone who has a Kerberos ticket can create a
> new Timeline domain unless the ID of the domain already exists. After that,
> that user can post timeline entities to the domain.
>
> My question is, is there any way to restrict users who can post domains
> and entities to Timeline Server without modifying Hadoop source code?
>
> Best regards,
>
> Junseung.
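
A sketch of the custom Filter and FilterInitializer approach suggested in the reply, as an added example that is not part of the original thread or of Hadoop itself. The package, class names and the `example.timeline.domain.allowed-users` key are hypothetical; it assumes the Timeline v1 REST endpoint `PUT /ws/v1/timeline/domain` and that the Kerberos authentication filter runs before this one.

```java
package example.security; // hypothetical package name

import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.http.FilterContainer;
import org.apache.hadoop.http.FilterInitializer;

/** Hypothetical initializer: registers a filter that gates timeline domain creation. */
public class DomainWriterFilterInitializer extends FilterInitializer {
  // Hypothetical key: comma-separated user names allowed to PUT domains.
  static final String ALLOWED_KEY = "example.timeline.domain.allowed-users";

  @Override
  public void initFilter(FilterContainer container, Configuration conf) {
    Map<String, String> params = new HashMap<String, String>();
    params.put("allowed", conf.get(ALLOWED_KEY, "")); // empty list = nobody allowed
    // Global filter so the REST paths are covered, not only user-facing pages.
    container.addGlobalFilter("DomainWriterFilter",
        DomainWriterFilter.class.getName(), params);
  }

  public static class DomainWriterFilter implements Filter {
    private final Set<String> allowed = new HashSet<String>();

    @Override
    public void init(FilterConfig cfg) {
      for (String u : cfg.getInitParameter("allowed").split(",")) {
        if (!u.trim().isEmpty()) allowed.add(u.trim());
      }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
        throws IOException, ServletException {
      HttpServletRequest http = (HttpServletRequest) req;
      // Container-decoded path; prefix match so suffix tricks are denied as well.
      String info = http.getPathInfo();
      String path = http.getServletPath() + (info == null ? "" : info);
      boolean domainWrite = "PUT".equalsIgnoreCase(http.getMethod())
          && path.startsWith("/ws/v1/timeline/domain");
      // Null unless the authentication filter has already run: fail closed.
      String user = http.getRemoteUser();
      if (domainWrite && (user == null || !allowed.contains(user))) {
        ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN,
            "User is not permitted to create or update timeline domains");
        return;
      }
      chain.doFilter(req, res);
    }

    @Override public void destroy() { }
  }
}
```

To use it, put the compiled class on the Timeline Server classpath and add `example.security.DomainWriterFilterInitializer` to hadoop.http.filter.initializers, positioned so that it runs after the authentication filter. Entity posts are not covered by this check; they stay subject to the domain owner's reader and writer ACLs described in the reply.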