Zhijie Shen updated YARN-1937:

    Attachment: YARN-1937.1.patch

I created a patch to make a TimelineACLsManager, which will check whether the 
query user is going to be the owner of the timeline entity; if he is, he's 
going to retrieve the entity or the events of this entity; otherwise, he 
cannot access the corresponding timeline data.

To support the ACLs, I need to record the owner information of the timeline 
data when it is posted. I leverage the primary filter to store the owner 
information by reserving the timeline system filter key. Of course the system 
information will be masked before returning the timeline data back to the user.

I upload the preliminary patch to demonstrate the idea, and will work on the 
test cases and complete local test.

It is worth mentioning that:

1. I do access control at the granularity of timeline entity. We can definitely 
explore more fine-grained control, but I prefer keeping the thing simple.

2. Initially, I'm going to support access control that only the owner can 
access his timeline data. In the future, we can extend it to allow admin and 
configured user/group list. Will file a separate ticket for the follow-up work.

> Access control of per-framework data
> ------------------------------------
>                 Key: YARN-1937
>                 URL: https://issues.apache.org/jira/browse/YARN-1937
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Zhijie Shen
>            Assignee: Zhijie Shen
>         Attachments: YARN-1937.1.patch
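
The owner check described in the message above, as an added Java sketch that is not part of the original message or of YARN-1937.1.patch. The class, the method names and the reserved key `EXAMPLE_RESERVED_OWNER_FILTER` are hypothetical, and overwriting a client-supplied value under the reserved key is an assumption about how that key is protected.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

public class TimelineOwnerAclSketch {
    // Hypothetical name for the reserved system filter key; the message does not give one.
    static final String OWNER_KEY = "EXAMPLE_RESERVED_OWNER_FILTER";

    // entityId -> primary filters as stored, including the reserved owner filter
    private final Map<String, Map<String, Set<String>>> store = new HashMap<>();

    // Post: the owner is the authenticated caller. Assumption: a client-supplied value
    // under the reserved key is overwritten, so a caller cannot name another owner.
    public void post(String entityId, Map<String, Set<String>> filters, String caller) {
        Map<String, Set<String>> stored = new HashMap<>(filters);
        stored.put(OWNER_KEY, Collections.singleton(caller));
        store.put(entityId, stored);
    }

    // Read: only the recorded owner gets the entity, with the system filter masked.
    // Unknown and forbidden entities both yield null, so existence is not disclosed.
    public Map<String, Set<String>> get(String entityId, String caller) {
        Map<String, Set<String>> stored = store.get(entityId);
        if (stored == null || caller == null) {
            return null;
        }
        Set<String> owner = stored.get(OWNER_KEY);
        if (owner == null || !owner.contains(caller)) {
            return null;
        }
        Map<String, Set<String>> view = new HashMap<>(stored); // copy, store stays intact
        view.remove(OWNER_KEY);
        return view;
    }

    public static void main(String[] args) {
        TimelineOwnerAclSketch timeline = new TimelineOwnerAclSketch();
        Map<String, Set<String>> filters = new HashMap<>();   // constructed sample data
        filters.put("appType", Collections.singleton("tez"));
        filters.put(OWNER_KEY, Collections.singleton("mallory")); // client-supplied, ignored
        timeline.post("entity_1", filters, "alice");
        System.out.println("alice:   " + timeline.get("entity_1", "alice"));
        System.out.println("mallory: " + timeline.get("entity_1", "mallory"));
        System.out.println("masked:  " + !timeline.get("entity_1", "alice").containsKey(OWNER_KEY));
    }
}
```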
