Posted to user@hadoop.apache.org by Junseung Hwang <j5...@gmail.com> on 2019/05/30 12:01:22 UTC

How to restrict users who can post domains/entities to the YARN Timeline Server?

Hi,
I’m using the YARN Timeline Server v1 from Hadoop 2.7.7, and I want the Timeline Server to be secure.
To configure Kerberos authentication and authorization, I set the following in yarn-site.xml:
- yarn.timeline-service.http-authentication.type: kerberos
- yarn.timeline-service.http-authentication.kerberos.principal
- yarn.timeline-service.http-authentication.kerberos.keytab
- yarn.acl.enable: true
- yarn.admin.acl: (space)
However, as far as I know, anyone who has a Kerberos ticket can create a new Timeline domain unless the ID of the domain already exists. After that, that user can post timeline entities to the domain.
My question is, is there any way to restrict users who can post domains and entities to the Timeline Server without modifying the Hadoop source code?
Best regards,
Junseung.

Re: How to restrict users who can post domains/entities to the YARN Timeline Server?

Posted by Prabhu Josephraj <pj...@cloudera.com.INVALID>.
Hi Junseung,

You are right, anyone who has a valid Kerberos ticket is allowed to put a
domain, but the owner of the domain can decide who can write and read
entities into the domain. We can write a custom Filter with extra logic to
restrict certain users from creating a domain and add the custom
FilterInitializer in hadoop.http.filter.initializers.


Thanks,
Prabhu Joseph




On Thu, May 30, 2019 at 5:31 PM Junseung Hwang <j5...@gmail.com> wrote:

> Hi,
>
> I’m using the YARN Timeline Server v1 from Hadoop 2.7.7, and I want the
> Timeline Server to be secure.
>
> To configure Kerberos authentication and authorization, I set the
> following in yarn-site.xml:
> - yarn.timeline-service.http-authentication.type: kerberos
> - yarn.timeline-service.http-authentication.kerberos.principal
> - yarn.timeline-service.http-authentication.kerberos.keytab
> - yarn.acl.enable: true
> - yarn.admin.acl: (space)
>
> However, as far as I know, anyone who has a Kerberos ticket can create a
> new Timeline domain unless the ID of the domain already exists. After that,
> that user can post timeline entities to the domain.
>
> My question is, is there any way to restrict users who can post domains
> and entities to the Timeline Server without modifying the Hadoop source code?
>
> Best regards,
>
> Junseung.
>
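
A sketch of the custom Filter and FilterInitializer approach suggested in the reply above, as an added example that is not code from the thread or from Hadoop. The class names and the `example.timeline.domain.creators` property are hypothetical; it assumes the filter runs after the Timeline Server's Kerberos authentication filter (so `getRemoteUser()` is populated) and that domains are written through the v1 REST path `/ws/v1/timeline/domain`.

```java
// Added example: class names and the allow-list property are hypothetical.
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.http.FilterContainer;
import org.apache.hadoop.http.FilterInitializer;

public class DomainCreatorFilterInitializer extends FilterInitializer {
  // Hypothetical property: comma-separated short user names allowed to put domains.
  static final String ALLOWED_KEY = "example.timeline.domain.creators";

  @Override
  public void initFilter(FilterContainer container, Configuration conf) {
    Map<String, String> params =
        Collections.singletonMap("allowed", conf.get(ALLOWED_KEY, ""));
    container.addGlobalFilter("DomainCreatorFilter",
        DomainCreatorFilter.class.getName(), params);
  }

  public static class DomainCreatorFilter implements Filter {
    private final Set<String> allowed = new HashSet<>();

    @Override
    public void init(FilterConfig cfg) {
      for (String u : cfg.getInitParameter("allowed").split(",")) {
        if (!u.trim().isEmpty()) allowed.add(u.trim());
      }
    }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
        throws IOException, ServletException {
      HttpServletRequest req = (HttpServletRequest) rq;
      String path = req.getRequestURI().replaceAll("/+$", "");
      // Only domain writes are gated; reads and entity posts pass through.
      boolean domainWrite = path.endsWith("/ws/v1/timeline/domain")
          && ("PUT".equals(req.getMethod()) || "POST".equals(req.getMethod()));
      String user = req.getRemoteUser(); // null if no auth filter ran before this one
      if (domainWrite && (user == null || !allowed.contains(user))) {
        ((HttpServletResponse) rs).sendError(HttpServletResponse.SC_FORBIDDEN,
            "User may not create or update timeline domains");
        return; // fail closed: unauthenticated or unlisted users are rejected
      }
      chain.doFilter(rq, rs);
    }

    @Override public void destroy() {}
  }
}
```

To use it, place the compiled class on the Timeline Server classpath and add `DomainCreatorFilterInitializer` to `hadoop.http.filter.initializers`. An empty allow-list blocks all domain creation, and entity access inside an existing domain is still governed by that domain's own reader and writer lists.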