Posted to commits@samza.apache.org by "Hai (JIRA)" <ji...@apache.org> on 2018/07/31 22:07:00 UTC

[jira] [Updated] (SAMZA-1794) setting application acl in launch context for secured YARN cluster

     [ https://issues.apache.org/jira/browse/SAMZA-1794?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Hai updated SAMZA-1794:
-----------------------
    Description: 
Currently we don't set the application ACL for the container launch context. See [https://hadoop.apache.org/docs/r2.6.4/api/org/apache/hadoop/yarn/api/records/ContainerLaunchContext.html#setApplicationACLs(java.util.Map)]

This could potentially cause problems if a Samza job is running on a secured YARN cluster. Say user A submits the job, then by default only user A can view the log and the status of the job. An even worse case is that user A submits the job through some proxy account, then even user A herself/himself couldn't access the logs/status of the application.

We need to make some changes to the YARN application submission to set application ACLs in the launch context as configured.

  was:
Currently we don't set the application ACL for the container launch context. See [https://hadoop.apache.org/docs/r2.6.4/api/org/apache/hadoop/yarn/api/records/ContainerLaunchContext.html#setApplicationACLs(java.util.Map)]

This could potentially cause problems if a Samza job is running on a secured YARN cluster with a proxy account.


> setting application acl in launch context for secured YARN cluster
> ------------------------------------------------------------------
>
>                 Key: SAMZA-1794
>                 URL: https://issues.apache.org/jira/browse/SAMZA-1794
>             Project: Samza
>          Issue Type: Improvement
>            Reporter: Hai
>            Assignee: Hai
>            Priority: Major
>
> Currently we don't set the application ACL for the container launch context. See [https://hadoop.apache.org/docs/r2.6.4/api/org/apache/hadoop/yarn/api/records/ContainerLaunchContext.html#setApplicationACLs(java.util.Map)]
> This could potentially cause problems if a Samza job is running on a secured YARN cluster. Say user A submits the job, then by default only user A can view the log and the status of the job. An even worse case is that user A submits the job through some proxy account, then even user A herself/himself couldn't access the logs/status of the application.
> We need to make some changes to the YARN application submission to set application ACLs in the launch context as configured.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
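
Added example, not part of the original message and not Samza's code: one way to build the ACL map from job configuration and pass it to ContainerLaunchContext.setApplicationACLs, so that a user who submits through a proxy account can still view the application. The config keys, class name and user/group names are hypothetical; the Hadoop YARN client libraries are assumed to be on the classpath.

```java
import java.util.EnumMap;
import java.util.HashMap;
import java.util.Map;

import org.apache.hadoop.yarn.api.records.ApplicationAccessType;
import org.apache.hadoop.yarn.api.records.ContainerLaunchContext;
import org.apache.hadoop.yarn.util.Records;

public class LaunchContextAclExample {
    // Hypothetical config keys for this example; not taken from Samza.
    static final String VIEW_ACL = "example.yarn.view.acl";
    static final String MODIFY_ACL = "example.yarn.modify.acl";

    // Hadoop ACL string format: "user1,user2 group1,group2"; "*" means everyone.
    static Map<ApplicationAccessType, String> buildAcls(Map<String, String> config) {
        Map<ApplicationAccessType, String> acls = new EnumMap<>(ApplicationAccessType.class);
        String view = config.get(VIEW_ACL);
        if (view != null && !view.isEmpty()) {
            acls.put(ApplicationAccessType.VIEW_APP, view);
        }
        String modify = config.get(MODIFY_ACL);
        if (modify != null && !modify.isEmpty()) {
            // Choice made in this example: MODIFY_APP covers actions such as
            // killing the application, so a wildcard is refused for it.
            if (modify.trim().equals("*")) {
                throw new IllegalArgumentException(MODIFY_ACL + " must not be \"*\"");
            }
            acls.put(ApplicationAccessType.MODIFY_APP, modify);
        }
        return acls;
    }

    public static void main(String[] args) {
        // Constructed sample config: the job is submitted by a proxy account,
        // so user A is listed explicitly to keep access to logs and status.
        Map<String, String> config = new HashMap<>();
        config.put(VIEW_ACL, "userA,userB ops-group");
        config.put(MODIFY_ACL, "userA");

        ContainerLaunchContext ctx = Records.newRecord(ContainerLaunchContext.class);
        Map<ApplicationAccessType, String> acls = buildAcls(config);
        if (!acls.isEmpty()) {
            // With no ACLs set, only the submitting account has access.
            ctx.setApplicationACLs(acls);
        }
        System.out.println(ctx.getApplicationACLs());
    }
}
```

The cluster applies these ACLs only when ACL checking is enabled on it (yarn.acl.enable in yarn-site.xml).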