[ 
https://issues.apache.org/jira/browse/YARN-3100?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14298090#comment-14298090
 ] 

Jian He commented on YARN-3100:
-------------------------------

bq. I'm basically trying to reconcile the functionality being offered in this 
JIRA vs. the functionality that we advertise in the service management bits 
(e.g., 
http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/ServiceLevelAuth.html#Access_Control_Lists
 ). 

Across the hdfs and yarn stack, there are basically three types of ACL: 
hdfs-specific ACL, yarn-specific ACL and the common service-level ACL used by 
both hdfs and YARN, which is the link you provided here.

What concerns you is the common service-level ACL. Given it's already 
commonly used by YARN and HDFS, we can definitely do it in common 
(but it is out of the scope of this jira, as I mentioned before). HDFS-6826 
solves hdfs-specific ACL, this jira is to address YARN-specific ACL, and there 
should be a 3rd jira in common to address the common service-level ACL. 

Ideally, all ACLs should fit into a single interface. But for yarn- and 
hdfs-specific ACL, the YARN and HDFS internal ACL implementations have been 
differing so much that unifying them is not just a matter of re-factoring but 
re-designing. That's why I wanted to do it on YARN first to address 
YARN-specific ACL (which is also what HDFS has been doing to address 
hdfs-specific ACL), and later on we can have a jira in common to address the 
common service-level ACL, and in the meantime merge the common part of the 
hdfs-specific acl interface and the YARN-specific acl interface into a single 
common interface. Still, HDFS and YARN will likely have their own specific acl 
interface left. 

bq. Adding in the ability to limit by host by merging this functionality would 
be a large win and actually add functionality that is currently missing to YARN 

One purpose of this jira is to enable 3rd-party tools such as Ranger and Sentry 
to do authorization for YARN. That is, such a tool can provide a user-defined 
authorization policy, such as a host/ip-based authorization policy or a 
time-based authorization policy (allowing a user to be able to access between 
1:00pm and 2:00pm). And YARN can authorize users based on this policy. 

I hope this addresses your concern.

> Make YARN authorization pluggable
> ---------------------------------
>
>                 Key: YARN-3100
>                 URL: https://issues.apache.org/jira/browse/YARN-3100
>             Project: Hadoop YARN
>          Issue Type: Bug
>            Reporter: Jian He
>            Assignee: Jian He
>         Attachments: YARN-3100.1.patch, YARN-3100.2.patch
>
>
> The goal is to have the YARN acl model pluggable so as to integrate other 
> authorization tools such as Apache Ranger, Sentry.
> Currently, we have 
> - admin ACL
> - queue ACL
> - application ACL
> - time line domain ACL
> - service ACL
> The proposal is to create a YarnAuthorizationProvider interface. Current 
> implementation will be the default implementation. Ranger or Sentry plug-in 
> can implement  this interface.
> Benefit:
> -  Unify the code base. With the default implementation, we can get rid of 
> each specific ACL manager such as AdminAclManager, ApplicationACLsManager, 
> QueueAclsManager etc.
> - Enable Ranger, Sentry to do authorization for YARN. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
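
A sketch of the plug-in idea discussed in this thread, added here as an example; it is not taken from the YARN-3100 patches or the Hadoop code base. All type names are hypothetical, the policy model (user, host, time window) and sample values are constructed for illustration, and it needs Java 16+ for records. The default provider answers from a static queue user list, while the policy provider expresses the host- and time-based rules mentioned in the comment and denies when no rule matches.

```java
import java.time.LocalTime;
import java.util.List;
import java.util.Set;

// Hypothetical names throughout; this is not the Hadoop YarnAuthorizationProvider API.
public class PluggableAuthzSketch {
    /** One access attempt: who, from which host, on which queue, and when. */
    record Request(String user, String host, String queue, LocalTime at) {}

    /** The plug-in point: the default ACL check and external policy engines both implement it. */
    interface AuthorizationProvider {
        boolean checkPermission(Request r);
    }

    /** Default behaviour: a static per-queue user list, in the style of a queue ACL. */
    record QueueAclProvider(String queue, Set<String> users) implements AuthorizationProvider {
        public boolean checkPermission(Request r) {
            return queue.equals(r.queue()) && users.contains(r.user());
        }
    }

    /** Externally defined rule: user + host + half-open time window [from, to). */
    record Rule(String user, String host, LocalTime from, LocalTime to) {
        boolean matches(Request r) {
            return user.equals(r.user()) && host.equals(r.host())
                && !r.at().isBefore(from) && r.at().isBefore(to);
        }
    }

    /** Policy-engine style provider: allow only if some rule matches, otherwise deny. */
    record PolicyProvider(List<Rule> rules) implements AuthorizationProvider {
        public boolean checkPermission(Request r) {
            return rules.stream().anyMatch(rule -> rule.matches(r));
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: the same user, checked by both providers.
        AuthorizationProvider acl = new QueueAclProvider("prod", Set.of("alice"));
        AuthorizationProvider policy = new PolicyProvider(List.of(
            new Rule("alice", "gw1.example.com", LocalTime.of(13, 0), LocalTime.of(14, 0))));
        List<Request> requests = List.of(
            new Request("alice", "gw1.example.com", "prod", LocalTime.of(13, 30)),
            new Request("alice", "gw1.example.com", "prod", LocalTime.of(15, 0)),
            new Request("alice", "laptop.example.com", "prod", LocalTime.of(13, 30)));
        for (Request r : requests) {
            System.out.printf("%s@%s %s -> acl=%b policy=%b%n",
                r.user(), r.host(), r.at(), acl.checkPermission(r), policy.checkPermission(r));
        }
    }
}
```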
