[ https://issues.apache.org/jira/browse/YARN-796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14129464#comment-14129464 ]
Wangda Tan commented on YARN-796:
---------------------------------
Hi Craig,
I think when RM is running, the solution should be exactly as you described: we
should only check if the caller is a user on the admin list, and RM will write
the file itself, by default it's the "yarn" user.

But when RM is not running, and we need to execute a tool to directly modify
data in the store, we cannot use this way, because the ACL is retrieved from the
local configuration file: a malicious user can create a configuration to
indicate that it is an admin user and use the configuration to launch the tool.

IMHO, I think we don't need to check the ACL when we are running a standalone
tool. It will modify the file, and the file directory has permissions already
(like it belongs to the yarn user), so HDFS will do the check for us. But we
should only run such a standalone command as the same user that launches RM.

Thanks,
Wangda
> Allow for (admin) labels on nodes and resource-requests
> -------------------------------------------------------
>
> Key: YARN-796
> URL: https://issues.apache.org/jira/browse/YARN-796
> Project: Hadoop YARN
> Issue Type: Sub-task
> Affects Versions: 2.4.1
> Reporter: Arun C Murthy
> Assignee: Wangda Tan
> Attachments: LabelBasedScheduling.pdf,
> Node-labels-Requirements-Design-doc-V1.pdf,
> Node-labels-Requirements-Design-doc-V2.pdf, YARN-796-Diagram.pdf,
> YARN-796.node-label.consolidate.1.patch, YARN-796.node-label.demo.patch.1,
> YARN-796.patch, YARN-796.patch4
>
>
> It will be useful for admins to specify labels for nodes. Examples of labels
> are OS, processor architecture etc.
> We should expose these labels and allow applications to specify labels on
> resource-requests.
> Obviously we need to support admin operations on adding/removing node labels.