Rohith Sharma K S created YARN-6811:
---------------------------------------
Summary: [ATS1.5] All history logs should be kept under its own User Directory.
Key: YARN-6811
URL: https://issues.apache.org/jira/browse/YARN-6811
Project: Hadoop YARN
Issue Type: Improvement
Components: timelineclient, timelineserver
Reporter: Rohith Sharma K S

ATS1.5 allows history data to be stored in underlying FileSystem folder paths, i.e. */active-dir* and */done-dir*. These base directories are protected against unauthorized access to other users' data by setting the sticky bit for /active-dir.

But object store filesystems such as WASB do not have user access control on folders and files. When WASB is used as the underlying file system for ATS1.5, the history data stored in the FS is accessible to all users. *This would be a security risk.*

I would propose to keep history data under its own user directory, i.e. */active-dir/$USER* and */done-dir/$USER*, unlike remote app-logs. Even though this does not solve basic user access from the FS, it provides the capability to plug in Apache Ranger policies for each user folder. One thing to note is that setting policies for each user folder is the admin's responsibility. But grouping all history data under one user folder allows policies to be set so that user access control is achieved.