[
https://issues.apache.org/jira/browse/YARN-2102?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14132527#comment-14132527
]
Li Lu commented on YARN-2102:
-----------------------------
Hi [~zjshen],
I checked through your patch. Generally, this patch looks pretty good to me.
Here are a few quick comments:
1. This is a general one. In this issue we're proposing the concept of
"namespace" to further improve permission control for timeline storage. I think
this idea makes a lot of sense, but am wondering whether "namespace" is the
best word to capture our goal here (btw, nesting namespace may be a off-topic
concept for our goal, but does exist in languages like C++ or Java). From your
design doc, I think what we're proposing here is something to "partition" the
domain of entities, but not enhancing identifications. Maybe we want to
consider an alternative name like "domain" or "partition" here?
2. On storage side, I noticed that in your level db storage, you store creation
time and modification together in a "TIMESTAMP_COLUMN" (divided by high and low
8 bytes). This is significantly different to any other fields. Are there any
specific considerations behind this? If so, I think it would be very helpful to
mention this in put(TimelineNamespace namespace) method of
LeveldbTimelineStorage.
3. On the access control side, I noticed that reader and writer fields of
namespaces are not used in ACLManager. I think this is left out for some
reasons, and maybe in YARN-2446 you're addressing this?
4. In LeveldbTimelineStore.getTimelineNamespace, the following code segment:
{code}
if (value != null && value.length > 0) {
if (key[prefix.length] == DESCRIPTION_COLUMN[0]) {
namespace.setDescription(new String(value));
} else if (key[prefix.length] == OWNER_COLUMN[0]) {
namespace.setOwner(new String(value));
} else if (key[prefix.length] == READER_COLUMN[0]) {
namespace.setReaders(new String(value));
} else if (key[prefix.length] == WRITER_COLUMN[0]) {
namespace.setWriters(new String(value));
} else if (key[prefix.length] == TIMESTAMP_COLUMN[0]) {
namespace.setCreatedTime(readReverseOrderedLong(value, 0));
namespace.setModifiedTime(readReverseOrderedLong(value, 8));
}
}
{code}
Shall we add a default branch here to track any potential problems? From the
experience working with the HBase timeline storage I think this is pretty
useful for future improvements.
> More generalized timeline ACLs
> ------------------------------
>
> Key: YARN-2102
> URL: https://issues.apache.org/jira/browse/YARN-2102
> Project: Hadoop YARN
> Issue Type: Sub-task
> Reporter: Zhijie Shen
> Assignee: Zhijie Shen
> Attachments: GeneralizedTimelineACLs.pdf, YARN-2102.1.patch,
> YARN-2102.2.patch, YARN-2102.3.patch, YARN-2102.5.patch
>
>
> We need to differentiate the access controls of reading and writing
> operations, and we need to think about cross-entity access control. For
> example, if we are executing a workflow of MR jobs, which writing the
> timeline data of this workflow, we don't want other user to pollute the
> timeline data of the workflow by putting something under it.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
