Chris Douglas commented on YARN-3100:

bq. I'm not sure if I get your point, the DefaultYarnAuthorizer currently uses 
a concurrentHashMap to store the acls, setPermission is currently used on queue 
initialization. So I think lock on setPermission is not needed ?

Could the RM be in a state where the old version of ACLs are applied to one 
queue, but a new version is applied to another (a client observes the new ACLs 
while they're being installed)? I think this is true of scenarios where 
{{refreshQueues()}} fails, but I don't know if intermediate states are 

> Make YARN authorization pluggable
> ---------------------------------
>                 Key: YARN-3100
>                 URL: https://issues.apache.org/jira/browse/YARN-3100
>             Project: Hadoop YARN
>          Issue Type: Bug
>            Reporter: Jian He
>            Assignee: Jian He
>         Attachments: YARN-3100.1.patch, YARN-3100.2.patch
> The goal is to have YARN acl model pluggable so as to integrate other 
> authorization tool such as Apache Ranger, Sentry.
> Currently, we have 
> - admin ACL
> - queue ACL
> - application ACL
> - time line domain ACL
> - service ACL
> The proposal is to create a YarnAuthorizationProvider interface. Current 
> implementation will be the default implementation. Ranger or Sentry plug-in 
> can implement  this interface.
> Benefit:
> -  Unify the code base. With the default implementation, we can get rid of 
> each specific ACL manager such as AdminAclManager, ApplicationACLsManager, 
> QueueAclsManager etc.
> - Enable Ranger, Sentry to do authorization for YARN. 

This message was sent by Atlassian JIRA

Reply via email to