[
https://issues.apache.org/jira/browse/YARN-796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14129024#comment-14129024
]
Craig Welch commented on YARN-796:
----------------------------------
So, I'm adding code to check whether a user should be able to modify labels (is
an admin) and I think that we should be checking the UserGroup information but
not executing the operation using "doAs". This is because, ultimately, the
process is writing data into hdfs and for permissions reasons I think it should
always be written as the same user - the user yarn runs as - if we do the doAs
there will be a mishmash of users there, and to have the directory be secure
there would need to be a group with rights which contains all the admin users,
which is extra overhead (otherwise, it has to be world writable, which tends to
compromise the security model...) I think the same is true if we use other
datastores down the line for holding the label info - really, our interest in
the user it to verify access, but we don't really need or want to perform
actions on their behalf (like you would when launching a job, etc), this is not
one of those cases. So, I propose enforcing the check but executing whatever
changes as the user the process is running under (the resourcemanager/yarn
user, basically, just dropping the doAs). This means that entry points will
need to do the verification, but that's not really an issue, the already have
to be aware to gather the info regarding who the user is / are aware of the
need for doAs, now, etc. It means that the user will need to be careful if
executing a tool which directly modifies the data in hdfs to do that as an
appropriate user, but they already have to do that, it's not a new issue which
is being created with this approach (it doesn't really make that any better or
worse, imho). Thoughts?
> Allow for (admin) labels on nodes and resource-requests
> -------------------------------------------------------
>
> Key: YARN-796
> URL: https://issues.apache.org/jira/browse/YARN-796
> Project: Hadoop YARN
> Issue Type: Sub-task
> Affects Versions: 2.4.1
> Reporter: Arun C Murthy
> Assignee: Wangda Tan
> Attachments: LabelBasedScheduling.pdf,
> Node-labels-Requirements-Design-doc-V1.pdf,
> Node-labels-Requirements-Design-doc-V2.pdf, YARN-796-Diagram.pdf,
> YARN-796.node-label.consolidate.1.patch, YARN-796.node-label.demo.patch.1,
> YARN-796.patch, YARN-796.patch4
>
>
> It will be useful for admins to specify labels for nodes. Examples of labels
> are OS, processor architecture etc.
> We should expose these labels and allow applications to specify labels on
> resource-requests.
> Obviously we need to support admin operations on adding/removing node labels.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
