Rohith Sharma K S updated YARN-6811:
    Attachment: YARN-6811-branch-2.01.patch

updated branch-2 patch!

> [ATS1.5]  All history logs should be kept under its own User Directory.
> -----------------------------------------------------------------------
>                 Key: YARN-6811
>                 URL: https://issues.apache.org/jira/browse/YARN-6811
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: timelineclient, timelineserver
>            Reporter: Rohith Sharma K S
>            Assignee: Rohith Sharma K S
>         Attachments: YARN-6811.01.patch, YARN-6811.02.patch, 
> YARN-6811-branch-2.01.patch
> ATS1.5 allows to store history data in underlying FileSystem folder path i.e 
> */acitve-dir* and */done-dir*. These base directories are protected for 
> unauthorized user access for other users data by setting sticky bit for 
> /active-dir. 
> But object store filesystems such as WASB does not have user access control 
> on folders and files. When WASB are used as underlying file system for 
> ATS1.5, the history data which are stored in FS are accessible to all users. 
> *This would be a security risk*
> I would propose to keep history data under its own user directory i.e 
> */active-dir/$USER*. Even this do not solve basic user access from FS, but it 
> provides capability to plugin Apache Ranger policies for each user folders. 
> One thing to note that setting policies to each user folder is admin 
> responsibility. But grouping all history data of one user folder allows to 
> set policies so that user access control is achieved. 

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org

Reply via email to