[
https://issues.apache.org/jira/browse/YARN-3895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16341217#comment-16341217
]
Jason Lowe commented on YARN-3895:
----------------------------------
bq. How many domains would there be?
I would expect application frameworks to use domains just as they use ATS v1
domains today. That means one domain per application (or sub-DAG if they are
switching ACLs per DAG like the server-user-on-behalf-of-multiple-users case).
So there are going to be a lot of them. I suspect frameworks are just going to
create a new domain for their specific ACLs rather than searching for an
existing domain that matches their ACL needs. That also avoids the problem of
someone later updating the reused domain thinking they were just updating the
original app ACLs and inadvertently changed the ACLs of newer apps that reused.
That may or may not be desired. A 1-to-1 mapping of domain per app (or
sub-DAG) is a natural fit to the granularity of ACL control on the YARN side.
bq. Gets back a list of domain ids this group has permissions for. This may be
pretty big?
Yeah, this result is going to be huge in practice. Also how would wildcard
ACLs in a domain be supported, or are they not allowed?
> Support ACLs in ATSv2
> ---------------------
>
> Key: YARN-3895
> URL: https://issues.apache.org/jira/browse/YARN-3895
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: timelineserver
> Affects Versions: YARN-2928
> Reporter: Varun Saxena
> Assignee: Varun Saxena
> Priority: Major
> Labels: YARN-5355
>
> This JIRA is to keep track of authorization support design discussions for
> both readers and collectors.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
