Jian He commented on YARN-3100:

bq. I'm basically trying to reconcile the functionality being offered in this 
JIRA vs. the functionality that we advertise in the service management bits 

Across hdfs and yarn stack, there are basically there types of acl: 
hdfs-specific ACL, yarn-specific ACL and the common service-level ACL used by 
both hdfs and YARN which is the link you provided here.
What concerns you is the common service level ACL, given it's already being 
commonly used by YARN and HDFS already, we can definitely do it in a common 
(but it is out of the scope of this jira as I mentioned before).  HDFS-6826 
solves hdfs-specific ACL, this jira is to address YARN-specific ACL, and there 
should be a 3rd jira in common to address the common service-level ACL. 
Ideally, all ACLs should fit into a single interface.  but for yarn and hdfs 
specific ACL, because YARN and HDFS internal ACL implementation have been 
differing so much that unifying them is not just a matter of re-factoring but 
re-designing.  That's why I wanted to do it on YARN first to address 
YARN-specific ACL(which is also what HDFS has been doing to address 
hdfs-specific ACL) and later on we can have a  jira in common to address the 
common service-level ACL, and in the meantime  merging the common part of 
hdfs-specific acl interface and YARN-specific acl interface into a single 
common interface. Still, HDFS and YARN will likely have their own specific acl 
interface left. 
bq. Adding in the ability to limit by host by merging this functionality would 
be a large win and actually add functionality that is currently missing to YARN 
One purpose of this jira is to enable 3rd party tool such as Ranger,Sentry to 
do authorization for YARN. That is this tool can provide user-defined 
authorization policy, such as host/ip based authorization policy, time based 
authorization  policy (allowing a user to be able to access between 1:00pm and 
2:00pm). And YARN can authorize user based on this policy. 
I hope this addresses your concern.

> Make YARN authorization pluggable
> ---------------------------------
>                 Key: YARN-3100
>                 URL: https://issues.apache.org/jira/browse/YARN-3100
>             Project: Hadoop YARN
>          Issue Type: Bug
>            Reporter: Jian He
>            Assignee: Jian He
>         Attachments: YARN-3100.1.patch, YARN-3100.2.patch
> The goal is to have YARN acl model pluggable so as to integrate other 
> authorization tool such as Apache Ranger, Sentry.
> Currently, we have 
> - admin ACL
> - queue ACL
> - application ACL
> - time line domain ACL
> - service ACL
> The proposal is to create a YarnAuthorizationProvider interface. Current 
> implementation will be the default implementation. Ranger or Sentry plug-in 
> can implement  this interface.
> Benefit:
> -  Unify the code base. With the default implementation, we can get rid of 
> each specific ACL manager such as AdminAclManager, ApplicationACLsManager, 
> QueueAclsManager etc.
> - Enable Ranger, Sentry to do authorization for YARN. 

This message was sent by Atlassian JIRA

Reply via email to