Details

    • Type: Sub-task
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Webfrontend
    • Labels:

      Description

      Currently, the web UI allows all users with access everything. Only job upload has a separate permission setting.

      We should generalize that to more aspects of the UI, such as cancelling jobs, accessing logs, or accessing metrics.

      We could add a flag for each feature (enable / disable).

      Alternatively, we can add an access level to the UI:

      1. view job only (dag, timeling, checkpoint stats)
      2. view dag and metrics + logs
      3. view dag/metrics/logs plus allow stop / cancel / savepoint
      4. allow all (before plus submitting new jobs)

      The second options is less flexible, but more compact to configure.

        Activity

        Hide
        Zentol Chesnay Schepler added a comment -

        We could also think about making the job-submission parameter more granular; for example to forbid uploading jars but allow running them, the jars to run would be placed in the web.upload.dir directory by an administrator of some sort.

        Show
        Zentol Chesnay Schepler added a comment - We could also think about making the job-submission parameter more granular; for example to forbid uploading jars but allow running them, the jars to run would be placed in the web.upload.dir directory by an administrator of some sort.
        Hide
        Zentol Chesnay Schepler added a comment -

        We can combine both approaches into a single setting.

        We can have access privileges like "LOGS, DAG" etc and access levels like "JOB".
        We then add a single configuration parameter "jobmanager.web.access", where you can specify a list of the above, like "JOB TM_LOG". We could also include a quantifier -, as in "JOB -DAG", which would allow to view all job information, except the dag. This should provide both compact, but optionally fine-grained, configuration.

        Show
        Zentol Chesnay Schepler added a comment - We can combine both approaches into a single setting. We can have access privileges like "LOGS, DAG" etc and access levels like "JOB". We then add a single configuration parameter "jobmanager.web.access", where you can specify a list of the above, like "JOB TM_LOG". We could also include a quantifier - , as in "JOB -DAG", which would allow to view all job information, except the dag. This should provide both compact, but optionally fine-grained, configuration.

          People

          • Assignee:
            Unassigned
            Reporter:
            StephanEwen Stephan Ewen
          • Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

            • Created:
              Updated:

              Development