Hi Junseung,

You are right, anyone who has a valid Kerberos ticket is allowed to put a
domain, but the owner of the domain can decide who can write and read
entities into the domain. We can write a custom Filter with extra logic to
restrict certain users from creating a domain and add the custom
FilterInitializer in hadoop.http.filter.initializers.


Thanks,
Prabhu Joseph




On Thu, May 30, 2019 at 5:31 PM Junseung Hwang <j5hw...@gmail.com> wrote:

> Hi,
>
> I’m using the YARN Timeline Server v1 from Hadoop 2.7.7, and I want the
> Timeline Server to be secure.
>
> To configure Kerberos authentication and authorization, I set the
> following in yarn-site.xml:
> - yarn.timeline-service.http-authentication.type: kerberos
> - yarn.timeline-service.http-authentication.kerberos.principal
> - yarn.timeline-service.http-authentication.kerberos.keytab
> - yarn.acl.enable: true
> - yarn.admin.acl: (space)
>
> However, as far as I know, anyone who has a Kerberos ticket can create a
> new Timeline domain unless the ID of the domain already exists. After that,
> that user can post timeline entities to the domain.
>
> My question is, is there any way to restrict users who can post domains
> and entities to Timeline Server without modifying Hadoop source code?
>
> Best regards,
>
> Junseung.
>
