[
https://issues.apache.org/jira/browse/YARN-3100?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14303940#comment-14303940
]
Allen Wittenauer commented on YARN-3100:
----------------------------------------
Let me summarize the discussion so far, from my understanding:
* The authorize.* package in common provides services some pretty generic ACL
functionality. Making it plug-able and extendable would help the entire project.
* YARN is a precious snowflake that can't use such a generic service to see if
a host or user should be allowed to access, e.g., a queue for ... reasons. So
there is a desire to completely refactor the YARN code to effectively duplicate
common for ... reasons.
* Mentioning Ranger and/or Sentry should allow anyone to do anything they want.
They are magic words that make people run away.
> Make YARN authorization pluggable
> ---------------------------------
>
> Key: YARN-3100
> URL: https://issues.apache.org/jira/browse/YARN-3100
> Project: Hadoop YARN
> Issue Type: Bug
> Reporter: Jian He
> Assignee: Jian He
> Attachments: YARN-3100.1.patch, YARN-3100.2.patch
>
>
> The goal is to have YARN acl model pluggable so as to integrate other
> authorization tool such as Apache Ranger, Sentry.
> Currently, we have
> - admin ACL
> - queue ACL
> - application ACL
> - time line domain ACL
> - service ACL
> The proposal is to create a YarnAuthorizationProvider interface. Current
> implementation will be the default implementation. Ranger or Sentry plug-in
> can implement this interface.
> Benefit:
> - Unify the code base. With the default implementation, we can get rid of
> each specific ACL manager such as AdminAclManager, ApplicationACLsManager,
> QueueAclsManager etc.
> - Enable Ranger, Sentry to do authorization for YARN.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
