[
https://issues.apache.org/jira/browse/YARN-1115?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Eric Payne updated YARN-1115:
-----------------------------
Description:
In the framework for secure implementation using UserGroupInformation.doAs
(https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html),
a trusted superuser can submit jobs on behalf of another user in a secure way.
In this framework, the superuser is referred to as the real user and the
proxied user is referred to as the effective user.
Currently when a job is submitted as an effective user, the ACLs for the
effective user are checked against the queue on which the job is to be run.
Depending on an optional configuration, the scheduler should also check the
ACLs of the real user if the configuration to do so is set.
For example, suppose my superuser name is super, and super is configured to
securely proxy as joe. Also suppose there is a Hadoop queue named ops which
only allows ACLs for super, not for joe.
When super proxies to joe in order to submit a job to the ops queue, it will
fail because joe, as the effective user, does not have ACLs on the ops queue.
In many cases this is what you want, in order to protect queues that joe should
not be using.
However, there are times when super may need to proxy to many users, and the
client running as super just wants to use the ops queue because the ops queue
is already dedicated to the client's purpose, and, to keep the ops queue
dedicated to that purpose, super doesn't want to open up ACLs to joe in general
on the ops queue. Without this functionality, in this case, the client running
as super needs to figure out which queue each user has ACLs opened up for, and
then coordinate with other tasks using those queues.
was:
In the framework for secure implementation using UserGroupInformation.doAs
(http://hadoop.apache.org/docs/stable/Secure_Impersonation.html), a trusted
superuser can submit jobs on behalf of another user in a secure way. In this
framework, the superuser is referred to as the real user and the proxied user
is referred to as the effective user.
Currently when a job is submitted as an effective user, the ACLs for the
effective user are checked against the queue on which the job is to be run.
Depending on an optional configuration, the scheduler should also check the
ACLs of the real user if the configuration to do so is set.
For example, suppose my superuser name is super, and super is configured to
securely proxy as joe. Also suppose there is a Hadoop queue named ops which
only allows ACLs for super, not for joe.
When super proxies to joe in order to submit a job to the ops queue, it will
fail because joe, as the effective user, does not have ACLs on the ops queue.
In many cases this is what you want, in order to protect queues that joe should
not be using.
However, there are times when super may need to proxy to many users, and the
client running as super just wants to use the ops queue because the ops queue
is already dedicated to the client's purpose, and, to keep the ops queue
dedicated to that purpose, super doesn't want to open up ACLs to joe in general
on the ops queue. Without this functionality, in this case, the client running
as super needs to figure out which queue each user has ACLs opened up for, and
then coordinate with other tasks using those queues.
> Provide optional means for a scheduler to check real user ACLs
> --------------------------------------------------------------
>
> Key: YARN-1115
> URL: https://issues.apache.org/jira/browse/YARN-1115
> Project: Hadoop YARN
> Issue Type: Improvement
> Components: capacity scheduler, scheduler
> Affects Versions: 2.8.5
> Reporter: Eric Payne
> Priority: Major
> Attachments: YARN-1115.001.patch
>
>
> In the framework for secure implementation using UserGroupInformation.doAs
> (https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html),
> a trusted superuser can submit jobs on behalf of another user in a secure
> way. In this framework, the superuser is referred to as the real user and the
> proxied user is referred to as the effective user.
> Currently when a job is submitted as an effective user, the ACLs for the
> effective user are checked against the queue on which the job is to be run.
> Depending on an optional configuration, the scheduler should also check the
> ACLs of the real user if the configuration to do so is set.
> For example, suppose my superuser name is super, and super is configured to
> securely proxy as joe. Also suppose there is a Hadoop queue named ops which
> only allows ACLs for super, not for joe.
> When super proxies to joe in order to submit a job to the ops queue, it will
> fail because joe, as the effective user, does not have ACLs on the ops queue.
> In many cases this is what you want, in order to protect queues that joe
> should not be using.
> However, there are times when super may need to proxy to many users, and the
> client running as super just wants to use the ops queue because the ops queue
> is already dedicated to the client's purpose, and, to keep the ops queue
> dedicated to that purpose, super doesn't want to open up ACLs to joe in
> general on the ops queue. Without this functionality, in this case, the
> client running as super needs to figure out which queue each user has ACLs
> opened up for, and then coordinate with other tasks using those queues.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
