[jira] [Commented] (YARN-6811) [ATS1.5] All history logs should be kept under its own User Directory.

Wed, 20 Sep 2017 18:37:02 -0700 

    [ 
https://issues.apache.org/jira/browse/YARN-6811?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16174101#comment-16174101
 ] 

Rohith Sharma K S commented on YARN-6811:
-----------------------------------------

bq. Can we simply not change the active-dir configuration to have a $user.name 
path?
This configuration is referred by TimelineSever to retrieve unfinished entities 
via REST service. So this can't be changed directly in timelineclient. This 
active base path should be same in timeline server and timeline client as well. 

bq. why doesn't the same logic apply for the done-directory?
DONE directory is accessed only by TimelineServer. So, it is not required to 
create user directory under done directory path!

> [ATS1.5]  All history logs should be kept under its own User Directory.
> -----------------------------------------------------------------------
>
>                 Key: YARN-6811
>                 URL: https://issues.apache.org/jira/browse/YARN-6811
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: timelineclient, timelineserver
>            Reporter: Rohith Sharma K S
>            Assignee: Rohith Sharma K S
>             Fix For: 2.9.0, 3.0.0-beta1
>
>         Attachments: YARN-6811.01.patch, YARN-6811.02.patch, 
> YARN-6811-branch-2.01.patch
>
>
> ATS1.5 allows to store history data in underlying FileSystem folder path i.e 
> */acitve-dir* and */done-dir*. These base directories are protected for 
> unauthorized user access for other users data by setting sticky bit for 
> /active-dir. 
> But object store filesystems such as WASB does not have user access control 
> on folders and files. When WASB are used as underlying file system for 
> ATS1.5, the history data which are stored in FS are accessible to all users. 
> *This would be a security risk*
> I would propose to keep history data under its own user directory i.e 
> */active-dir/$USER*. Even this do not solve basic user access from FS, but it 
> provides capability to plugin Apache Ranger policies for each user folders. 
> One thing to note that setting policies to each user folder is admin 
> responsibility. But grouping all history data of one user folder allows to 
> set policies so that user access control is achieved. 



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to