You are viewing a plain text version of this content. The canonical link for it is here.
Posted to yarn-issues@hadoop.apache.org by "Bibin A Chundatt (JIRA)" <ji...@apache.org> on 2018/03/16 09:32:00 UTC
[jira] [Comment Edited] (YARN-8028) Support
authorizeUserAccessToQueue in RMWebServices
[ https://issues.apache.org/jira/browse/YARN-8028?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16401663#comment-16401663 ]
Bibin A Chundatt edited comment on YARN-8028 at 3/16/18 9:31 AM:
-----------------------------------------------------------------
[~leftnoteasy]
{code:java}
2544 return Response.status(Status.BAD_REQUEST).entity(
2545 "Specified queueAclType=" + queueAclType
2546 + " is not a valid type, valid queue acl types={"
2547 + "SUBMIT_APPLICATIONS/ADMINISTER_QUEUE}").build();
{code}
# Can we use {{BadRequestException}}
{code:java}
2568 return Response.status(Status.FORBIDDEN).entity(
2569 "User=" + username + " doesn't have access to queue=" + queue
2570 + " with acl-type=" + queueAclType).build();
{code}
# {{ForbiddenException}} can be used
{code:java}
2535 LOG.debug("Check user=" + username + " has access to queue=" + queue
2536 + " ACL_TYPE=" + queueAclType);
{code}
# I think we shouldnt directly log the params inputs this could cause *log forging*
# Thoughts on allowing all queue rights similar to {{getQueueUserAcls}} this would allow in different services to cache acl. In addition we should have notification framework when queue is refreshed.
# One improvement could beĀ instead of querying scheduler we could use {{YarnAuthorizationProvider}} so that we don't lock scheduler YARN-6727. thoughts??
was (Author: bibinchundatt):
[~leftnoteasy]
{code}
2544 return Response.status(Status.BAD_REQUEST).entity(
2545 "Specified queueAclType=" + queueAclType
2546 + " is not a valid type, valid queue acl types={"
2547 + "SUBMIT_APPLICATIONS/ADMINISTER_QUEUE}").build();
{code}
# Can we use {{BadRequestException}}
{code}
2568 return Response.status(Status.FORBIDDEN).entity(
2569 "User=" + username + " doesn't have access to queue=" + queue
2570 + " with acl-type=" + queueAclType).build();
{code}
# {{ForbiddenException}} can be used
{code}
2535 LOG.debug("Check user=" + username + " has access to queue=" + queue
2536 + " ACL_TYPE=" + queueAclType);
{code}
# I think we shouldnt directly log the params inputs this could cause *log forging*
# Thoughts on allowing all queue rights similar to {{getQueueUserAcls}} this would allow in different services to cache acl. In addition we should have notification framework when queue is refreshed.
# One improvement could be instead be instead of querying scheduler we could use {{YarnAuthorizationProvider}} so that we don't lock scheduler YARN-6727. thoughts??
> Support authorizeUserAccessToQueue in RMWebServices
> ---------------------------------------------------
>
> Key: YARN-8028
> URL: https://issues.apache.org/jira/browse/YARN-8028
> Project: Hadoop YARN
> Issue Type: Improvement
> Reporter: Wangda Tan
> Assignee: Wangda Tan
> Priority: Major
> Attachments: YARN-8028.001.patch
>
>
> Currently we have {{QueueUserACLInfo}} in ApplicationClient, we should support similar API in REST API.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org