Sunil G commented on YARN-3100:

Hi [~jianhe]

Thanks for sharing this ACL pluggable feature improvement. A few comments on this.

1. *allAcls* is a concurrent map with PrivilagedType as key and ACLs as value. 
Hence the recovery/HA for this data is tied to the scheduler's recovery logic. 
Going down further, when this ACL authorizer is becoming generic, could this be 
made more independent and handle HA cases separately?
2. Also, REST support for managing ACLs can be added.
3. Using RMAdmin, I feel we could have a command line option to add an ACL for 
a queue at runtime. Also, this can be made generic for any ACLs too.
4. YarnAuthorizationProvider: could it give more interfaces such as "get all 
users for a given AccessType and PrivilegedEntity" etc.?

Kindly share your opinion, and if you feel points 2 and 3 can be done, I am 
ready to help with the same. 

Also a small nit in the current patch:
+  public void setPermission(PrivilegedEntity target,
+      Map<AccessType, AccessControlList> acls, UserGroupInformation ugi) {
+    allAcls.put(target, acls);
+  }
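Review bot: setPermission accepts ugi but never consults it, so allAcls.put(target, acls) replaces the ACLs of target for whichever caller reaches this method. Either verify that ugi is allowed to administer target before the put, or drop the parameter and document that callers must authorize first. The put also stores the caller's map by reference and overwrites any existing entry for target, so consider copying acls and stating in the Javadoc whether replacement rather than merge is intended.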
UserGroupInformation is not used.

> Make YARN authorization pluggable
> ---------------------------------
>                 Key: YARN-3100
>                 URL: https://issues.apache.org/jira/browse/YARN-3100
>             Project: Hadoop YARN
>          Issue Type: Improvement
>            Reporter: Jian He
>            Assignee: Jian He
>         Attachments: YARN-3100.1.patch, YARN-3100.2.patch, YARN-3100.2.patch
> The goal is to have the YARN ACL model pluggable so as to integrate other 
> authorization tools such as Apache Ranger, Sentry.
> Currently, we have 
> - admin ACL
> - queue ACL
> - application ACL
> - time line domain ACL
> - service ACL
> The proposal is to create a YarnAuthorizationProvider interface. The current 
> implementation will be the default implementation. A Ranger or Sentry plug-in 
> can implement this interface.
> Benefit:
> -  Unify the code base. With the default implementation, we can get rid of 
> each specific ACL manager such as AdminAclManager, ApplicationACLsManager, 
> QueueAclsManager etc.
> - Enable Ranger, Sentry to do authorization for YARN. 
