[
https://issues.apache.org/jira/browse/YARN-2446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14113420#comment-14113420
]
Zhijie Shen edited comment on YARN-2446 at 8/28/14 6:28 AM:
------------------------------------------------------------
This patch, which depends on the one on YARN-2102, makes use of the namespace
to control the user's access to the entities belonging to it. The system is
going to have a default namespace, which allows everybody to read and write
entities. If the user doesn't specify the namespace id when putting an entity,
it will be put into the default one.

One thing worth mentioning is that the patch doesn't cover the part of entity
identifier <type, id> isolation. In the initial proposal, we planned to allow the
same entity identifier in different namespaces. However, it will require fully
refurbishing the current key space in the leveldb timeline store, which makes the
assumption that <type, id> is unique globally. Moreover, the APIs need to be changed
accordingly. For example, getEntity is likely to return multiple entities of the
same identifier unless we provide one more namespace param. On the other side,
as the authenticated user in a YARN cluster should be reasonable in creating the
entity and its identifier, identifier collision is a rare case
unless the attacker intentionally does it. So we decided to postpone the
identifier collision avoidance until some use case really wants it.

was (Author: zjshen):
This patch makes use of the namespace to control the user's access to the
entities belonging to it. The system is going to have a default namespace,
which allows everybody to read and write entities. If the user doesn't specify
the namespace id when putting an entity, it will be put into the default one.

One thing worth mentioning is that the patch doesn't cover the part of entity
identifier <type, id> isolation. In the initial proposal, we planned to allow the
same entity identifier in different namespaces. However, it will require fully
refurbishing the current key space in the leveldb timeline store, which makes the
assumption that <type, id> is unique globally. Moreover, the APIs need to be changed
accordingly. For example, getEntity is likely to return multiple entities of the
same identifier unless we provide one more namespace param. On the other side,
as the authenticated user in a YARN cluster should be reasonable in creating the
entity and its identifier, identifier collision is a rare case
unless the attacker intentionally does it. So we decided to postpone the
identifier collision avoidance until some use case really wants it.

> Using TimelineNamespace to shield the entities of a user
> --------------------------------------------------------
>
> Key: YARN-2446
> URL: https://issues.apache.org/jira/browse/YARN-2446
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: timelineserver
> Reporter: Zhijie Shen
> Assignee: Zhijie Shen
> Attachments: YARN-2446.1.patch
>
>
> Given YARN-2102 adds TimelineNamespace, we can make use of it to shield the
> entities, preventing them from being accessed or affected by other users'
> operations.
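
The access model the comment describes, as an added example that is not part of the original message or of the YARN-2446 patch: a toy store keyed globally by <type, id>, with a per-namespace ACL and an open default namespace. All class, method and field names are hypothetical, the sample users are constructed, and rejecting a put that collides with an identifier owned by another namespace is an assumption about how the postponed isolation gap would surface.

```python
from dataclasses import dataclass, field

DEFAULT_NS = "DEFAULT"  # constructed id for the open default namespace

class AccessDenied(Exception):
    """Raised when a namespace ACL or an identifier collision blocks a call."""

@dataclass
class Namespace:
    ns_id: str
    owner: str
    readers: set = field(default_factory=set)
    writers: set = field(default_factory=set)
    open_to_all: bool = False  # True only for the default namespace

    def allows(self, user, action):
        if self.open_to_all or user == self.owner:
            return True
        return user in (self.readers if action == "read" else self.writers)

class TimelineStore:
    def __init__(self):
        self.namespaces = {DEFAULT_NS: Namespace(DEFAULT_NS, "system", open_to_all=True)}
        self.entities = {}  # (type, id) -> (ns_id, payload): one global key space

    def add_namespace(self, ns):
        self.namespaces[ns.ns_id] = ns

    def put(self, user, etype, eid, payload, ns_id=None):
        ns_id = ns_id or DEFAULT_NS  # no namespace given: use the default one
        if not self.namespaces[ns_id].allows(user, "write"):
            raise AccessDenied(f"{user} may not write to {ns_id}")
        existing = self.entities.get((etype, eid))
        if existing and existing[0] != ns_id:
            # Assumption: a put that would move an existing <type, id> into
            # another namespace is rejected rather than overwriting it.
            raise AccessDenied(f"<{etype}, {eid}> already belongs to {existing[0]}")
        self.entities[(etype, eid)] = (ns_id, payload)
        return ns_id

    def get(self, user, etype, eid):
        # The key is global, so no namespace parameter is needed to find the
        # entity; the owning namespace's ACL is checked after the lookup.
        ns_id, payload = self.entities[(etype, eid)]
        if not self.namespaces[ns_id].allows(user, "read"):
            raise AccessDenied(f"{user} may not read {ns_id}")
        return payload
```

Because the key space is shared, the same <type, id> cannot exist in two namespaces in this model, which is the limitation the comment postpones.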