[ https://issues.apache.org/jira/browse/YARN-3895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16324140#comment-16324140 ]
Jason Lowe commented on YARN-3895:
----------------------------------
I think Application ACLs could work fine for the straightforward case of a user
running their own app. As you mentioned, it already reflects how YARN handles
the ACLs for the AHS and log server today.

It's less clear to me how this is going to work for the case of an AM running
as one user but working on behalf of multiple other users across multiple
sub-apps. The YARN application only has one set of ACLs, set when it is
submitted by the service user. Those permissions are going to be restricted to
just the service user, most likely. Then the service user runs a sub-app
(e.g.: a DAG) on behalf of another user. In that case the ACLs may need to
change (e.g.: be permissive to more groups, etc.). The YARN app ACL isn't
changing at this point, it was set at time of submit, so how does the AM inform
the collector of the ACL change? Similarly, even if the AM wrapped some of its
execution in a doAs for the other user, how does the collector know the user
has changed? Did the AM somehow disconnect and reconnect to the collector?
How does the collector authenticate that the AM is allowed to proxy as that
user, or can any AM forge data as other users simply by stating the data is
from so-and-so?

I'm not that familiar with HBase, but it looks like the ACLs are per cell and
then it seems pretty straightforward how ACLs could change across sub-apps and
implement the proper restrictions on the read path. It's the write path in the
multiple-sub-apps-for-multiple-users-by-one-service-user case that I'm not
seeing how the security works. If we're basing it on the YARN app ACL, that
isn't changing across sub-apps but in many cases will need to do so.

> Support ACLs in ATSv2
> ---------------------
>
> Key: YARN-3895
> URL: https://issues.apache.org/jira/browse/YARN-3895
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: timelineserver
> Affects Versions: YARN-2928
> Reporter: Varun Saxena
> Assignee: Varun Saxena
> Labels: YARN-5355
>
> This JIRA is to keep track of authorization support design discussions for
> both readers and collectors.