Posted to commits@samza.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2018/07/31 22:35:00 UTC

[jira] [Commented] (SAMZA-1794) setting application acl in launch context for secured YARN cluster

    [ https://issues.apache.org/jira/browse/SAMZA-1794?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16564438#comment-16564438 ] 

ASF GitHub Bot commented on SAMZA-1794:
---------------------------------------

GitHub user lhaiesp opened a pull request:

    https://github.com/apache/samza/pull/592

    SAMZA-1794: setting application acl in launch context 

    Currently we don't set the application ACLs for the container launch context. See https://hadoop.apache.org/docs/r2.6.4/api/org/apache/hadoop/yarn/api/records/ContainerLaunchContext.html#setApplicationACLs(java.util.Map)
    
    This could potentially cause a problem if a Samza job is running on a secured YARN cluster. Say user A submits the job; then by default only user A can view the log and the status of the job. An even worse case is when user A submits the job through some proxy account; then even user A herself/himself couldn't access the logs/status of the application.
    
    We need to make some changes to the YARN application submission to set the application ACLs in the launch context as configured.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/lhaiesp/samza master

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/samza/pull/592.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #592
    
----
commit 6f11c2c0d3dd2b96b3261174b068dae75a2fb2b3
Author: Hai Lu <ha...@...>
Date:   2018-07-31T22:27:03Z

    SAMZA-1794: setting application acl in launch context for secured YARN cluster

----


> setting application acl in launch context for secured YARN cluster
> ------------------------------------------------------------------
>
>                 Key: SAMZA-1794
>                 URL: https://issues.apache.org/jira/browse/SAMZA-1794
>             Project: Samza
>          Issue Type: Improvement
>            Reporter: Hai
>            Assignee: Hai
>            Priority: Major
>
> Currently we don't set the application ACLs for the container launch context. See [https://hadoop.apache.org/docs/r2.6.4/api/org/apache/hadoop/yarn/api/records/ContainerLaunchContext.html#setApplicationACLs(java.util.Map)]
> This could potentially cause a problem if a Samza job is running on a secured YARN cluster. Say user A submits the job; then by default only user A can view the log and the status of the job. An even worse case is when user A submits the job through some proxy account; then even user A herself/himself couldn't access the logs/status of the application.
> We need to make some changes to the YARN application submission to set the application ACLs in the launch context as configured.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
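
Added example, not code from the pull request or from Samza: one way to build a least-privilege ACL map and attach it with ContainerLaunchContext.setApplicationACLs, covering the proxy-account case described above. The class name, the buildAcl helper and the sample user and group names are hypothetical; it assumes the Hadoop YARN client libraries are on the classpath.

```java
import java.util.EnumMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import org.apache.hadoop.yarn.api.records.ApplicationAccessType;
import org.apache.hadoop.yarn.api.records.ContainerLaunchContext;
import org.apache.hadoop.yarn.util.Records;

public class LaunchContextAcls {
  // YARN ACL string format: "user1,user2 group1,group2"; "*" means everyone.
  static String buildAcl(String configuredUsers, String configuredGroups, String realUser) {
    Set<String> users = new LinkedHashSet<>();
    for (String u : configuredUsers.split(",")) {
      String name = u.trim();
      if (name.equals("*")) {
        // Refuse the wildcard so logs and status are not opened to every cluster user.
        throw new IllegalArgumentException("wildcard ACL is not allowed here");
      }
      if (!name.isEmpty()) users.add(name);
    }
    // Proxy-account case: the job runs as the proxy, so add the real submitter explicitly.
    if (realUser != null && !realUser.isEmpty()) users.add(realUser);
    String groups = configuredGroups == null ? "" : configuredGroups.trim();
    // Users and groups are separated by a single space; a groups-only ACL keeps the leading space.
    return String.join(",", users) + (groups.isEmpty() ? "" : " " + groups);
  }

  public static void main(String[] args) {
    // Constructed sample values; a real job would read them from its configuration.
    String viewAcl = buildAcl("oncall-bot", "streams-team", "alice");
    String modifyAcl = buildAcl("alice", "", null);

    Map<ApplicationAccessType, String> acls = new EnumMap<>(ApplicationAccessType.class);
    acls.put(ApplicationAccessType.VIEW_APP, viewAcl);     // who may view the application
    acls.put(ApplicationAccessType.MODIFY_APP, modifyAcl); // who may modify (e.g. kill) it

    ContainerLaunchContext ctx = Records.newRecord(ContainerLaunchContext.class);
    ctx.setApplicationACLs(acls);
    System.out.println(ctx.getApplicationACLs());
  }
}
```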