[
https://issues.apache.org/jira/browse/YARN-6842?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16105120#comment-16105120
]
YunFan Zhou commented on YARN-6842:
-----------------------------------
Thanks, Naganarasimha G R,
In fact, the original intention behind developing this feature was to solve
user authentication for the RM Web UI.
The RM Web UI has no user authentication by default. Therefore, all users who
log in to the RM Web UI are, by default, the user Dr. Who (this is a YARN
configuration decision).
Before, when we had not turned on YARN user authentication (i.e. yarn.acl.enable
set to false; yarn.admin.acl is set to * by default), we found that other users
could also kill other users' applications through the RM Web UI, which can cause
many users' applications to fail.
Therefore, we set *yarn.acl.enable* to true, and set *yarn.admin.acl*
to the administrator account.
However, there is a problem with this, which is that *dr.who* (the common
account) is not authorized to view the applications of any queue unless the
queue's *aclAdministerApps* (for the FairScheduler scenario) is set to the user
or *.
So, the easiest way to solve this problem is to provide a VIEW_APP permission
for the queue.
And we authorize users for read permission only.
This allows the user to view the applications of the queue properly, without
administrator privileges causing unnecessary misoperations that kill
other users' applications.
So, I think this feature is very useful to me, and I think other users will
have the same scenario.
> Implement a new access type for queue
> -------------------------------------
>
> Key: YARN-6842
> URL: https://issues.apache.org/jira/browse/YARN-6842
> Project: Hadoop YARN
> Issue Type: Improvement
> Components: scheduler
> Affects Versions: 2.8.2
> Reporter: YunFan Zhou
> Assignee: YunFan Zhou
> Attachments: YARN-6842.001.patch, YARN-6842.002.patch,
> YARN-6842.003.patch
>
>
> When we want to access the applications of a queue, the only thing we can do
> at present is become the administrator of the queue.
> But sometimes we only want to authorize someone to view the applications of a
> queue, not to perform modify operations.
> In our current mechanism there isn't any way to do this, so I will implement
> a new access type for queue to solve this problem.