[ https://issues.apache.org/jira/browse/YARN-3100?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14298090#comment-14298090 ]
Jian He commented on YARN-3100:
-------------------------------

bq. I'm basically trying to reconcile the functionality being offered in this JIRA vs. the functionality that we advertise in the service management bits (e.g., http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/ServiceLevelAuth.html#Access_Control_Lists ).

Across the HDFS and YARN stack, there are basically three types of ACL: HDFS-specific ACL, YARN-specific ACL, and the common service-level ACL used by both HDFS and YARN, which is the link you provided here. What concerns you is the common service-level ACL; given it's already being commonly used by YARN and HDFS, we can definitely do it in common (but it is out of the scope of this JIRA, as I mentioned before). HDFS-6826 solves HDFS-specific ACL, this JIRA is to address YARN-specific ACL, and there should be a third JIRA in common to address the common service-level ACL.

Ideally, all ACLs should fit into a single interface. But for YARN- and HDFS-specific ACL, the YARN and HDFS internal ACL implementations have been differing so much that unifying them is not just a matter of refactoring but redesigning. That's why I wanted to do it on YARN first to address YARN-specific ACL (which is also what HDFS has been doing to address HDFS-specific ACL), and later on we can have a JIRA in common to address the common service-level ACL, and in the meantime merge the common part of the HDFS-specific ACL interface and the YARN-specific ACL interface into a single common interface. Still, HDFS and YARN will likely have their own specific ACL interface left.

bq. Adding in the ability to limit by host by merging this functionality would be a large win and actually add functionality that is currently missing to YARN

One purpose of this JIRA is to enable third-party tools such as Ranger and Sentry to do authorization for YARN. That is, this tool can provide a user-defined authorization policy, such as a host/IP-based authorization policy or a time-based authorization policy (allowing a user to be able to access between 1:00pm and 2:00pm), and YARN can authorize the user based on this policy. I hope this addresses your concern.

> Make YARN authorization pluggable
> ---------------------------------
>
> Key: YARN-3100
> URL: https://issues.apache.org/jira/browse/YARN-3100
> Project: Hadoop YARN
> Issue Type: Bug
> Reporter: Jian He
> Assignee: Jian He
> Attachments: YARN-3100.1.patch, YARN-3100.2.patch
>
>
> The goal is to have the YARN ACL model pluggable so as to integrate other authorization tools such as Apache Ranger and Sentry.
> Currently, we have
> - admin ACL
> - queue ACL
> - application ACL
> - time line domain ACL
> - service ACL
> The proposal is to create a YarnAuthorizationProvider interface. The current implementation will be the default implementation. A Ranger or Sentry plug-in can implement this interface.
> Benefit:
> - Unify the code base. With the default implementation, we can get rid of each specific ACL manager such as AdminAclManager, ApplicationACLsManager, QueueAclsManager etc.
> - Enable Ranger, Sentry to do authorization for YARN.

-- This message was sent by Atlassian JIRA (v6.3.4#6332)
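An added illustration of the pluggable model discussed in this comment and in the issue description: a default provider that keeps the existing user-allowlist ACL behaviour beside a Ranger/Sentry-style plug-in whose policy also checks the caller's host and a time window, denying by default and logging the refusal. This is example code, not the YARN-3100 patch or Hadoop's own `YarnAuthorizationProvider`; the interface shape, method signature, policy record and all sample users, hosts and queue names are assumed/constructed.

```java
import java.time.LocalTime;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Assumed minimal shape of the pluggable interface; not the signature from the patch.
interface YarnAuthorizationProvider {
    boolean checkPermission(String user, String resource, String accessType,
                            String remoteHost, LocalTime now);
}

// Default implementation: the existing user ACL model, reduced here to a
// per-resource allowlist of users (constructed sample data).
final class DefaultAclProvider implements YarnAuthorizationProvider {
    private final Map<String, Set<String>> acls;   // resource -> allowed users
    DefaultAclProvider(Map<String, Set<String>> acls) { this.acls = acls; }
    @Override public boolean checkPermission(String user, String resource, String accessType,
                                             String remoteHost, LocalTime now) {
        return acls.getOrDefault(resource, Set.of()).contains(user);
    }
}

// Plug-in in the style of a third-party tool: a policy grants by user, host and time window.
final class PolicyPluginProvider implements YarnAuthorizationProvider {
    record Policy(String user, String resource, Set<String> hosts, LocalTime from, LocalTime to) {
        boolean matches(String u, String r, String h, LocalTime t) {
            return user.equals(u) && resource.equals(r) && hosts.contains(h)
                && !t.isBefore(from) && t.isBefore(to);   // window is [from, to)
        }
    }
    private final List<Policy> policies;
    PolicyPluginProvider(List<Policy> policies) { this.policies = policies; }
    @Override public boolean checkPermission(String user, String resource, String accessType,
                                             String remoteHost, LocalTime now) {
        // Deny by default: only an explicitly matching policy grants access; log every refusal.
        boolean allowed = policies.stream().anyMatch(p -> p.matches(user, resource, remoteHost, now));
        if (!allowed) {
            System.out.printf("DENY user=%s resource=%s access=%s host=%s time=%s%n",
                              user, resource, accessType, remoteHost, now);
        }
        return allowed;
    }
}

public class AuthzDemo {
    public static void main(String[] args) {
        YarnAuthorizationProvider plugin = new PolicyPluginProvider(List.of(
            new PolicyPluginProvider.Policy("alice", "queue:root.prod", Set.of("10.0.0.5"),
                                            LocalTime.of(13, 0), LocalTime.of(14, 0))));
        // Inside the window from the allowed host -> true; outside the window -> false and logged.
        System.out.println(plugin.checkPermission("alice", "queue:root.prod", "SUBMIT_APP", "10.0.0.5", LocalTime.of(13, 30)));
        System.out.println(plugin.checkPermission("alice", "queue:root.prod", "SUBMIT_APP", "10.0.0.5", LocalTime.of(15, 0)));
    }
}
```

Swapping `PolicyPluginProvider` for `DefaultAclProvider` behind the same interface is the point of the proposal: the callers that check permissions do not change, only the configured provider does.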