[
https://issues.apache.org/jira/browse/YARN-6820?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16114990#comment-16114990
]
Jason Lowe commented on YARN-6820:
----------------------------------
Thanks for updating the patch!
The javadoc errors are relevant:
{noformat}
[ERROR]
/testptch/hadoop/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java:2119:
error: bad HTML entity
[ERROR] * The name for setting that lists the users & groups who are allowed to
[ERROR] ^
[ERROR]
/testptch/hadoop/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java:2122:
error: bad HTML entity
[ERROR] * It will allow this list of users & groups to read the data
{noformat}
There's no default value constant for TIMELINE_SERVICE_READ_AUTH_ENABLED but
there probably should be one.
DEFAULT_TIMELINE_SERVICE_READ_ALLOWED_USERS is defined but never used.
I think it'd be simpler to always have an admin acl (so no need for null
check), initializing it with a default value of an empty string if the
YARN_ADMIN_ACL property is not set.
It would be nice to have a unit test that verifies that even if a user not in
the whitelist tries to perform a read it will be allowed if the master enable
is off.
> Restrict read access to timelineservice v2 data
> ------------------------------------------------
>
> Key: YARN-6820
> URL: https://issues.apache.org/jira/browse/YARN-6820
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: timelineserver
> Reporter: Vrushali C
> Assignee: Vrushali C
> Labels: yarn-5355-merge-blocker
> Attachments: YARN-6820-YARN-5355.0001.patch,
> YARN-6820-YARN-5355.002.patch
>
>
> Need to provide a way to restrict read access in ATSv2. Not all users should
> be able to read all entities. On the flip side, some folks may not need any
> read restrictions, so we need to provide a way to disable this access
> restriction as well.
> Initially this access restriction could be done in a simple way via a
> whitelist of users allowed to read data. That set of users can read all data,
> no other user can read any data. Can be turned off for all users to read all
> data.
> Could be stored in a "domain" table in hbase perhaps. Or a configuration
> setting for the cluster. Or something else that's simple enough. ATSv1 has a
> concept of domain for isolating users for reading. Would be good to keep that
> in consideration.
> In ATSv1, domain offers a namespace for Timeline server allowing users to
> host multiple entities, isolating them from other users and applications. A
> “Domain” in ATSV1 primarily stores owner info, read and& write ACL
> information, created and modified time stamp information. Each Domain is
> identified by an ID which must be unique across all users in the YARN cluster.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
