Uploaded image for project: 'Apache Tez'
  1. Apache Tez
  2. TEZ-3328

[Umbrella] UI does not work well when there are separate DAG and session-level ACLs

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Open
    • Critical
    • Resolution: Unresolved
    • None
    • None
    • None
    • None

    Description

      Currently, when authz systems such as Ranger/Sentry are in place, all hive queries run in a tez session owned by user hive. Queries run by end-users say user a,b,c, etc have perimeter checks but the yarn containers run as user hive.

      In terms of acls, what this means is that the session-level acls are restricted to user hive and admins. And then each query ends up with a dag specific acl for user a or b or c.

      In Tez impls, this translates to:

      • entities such as TEZ_APP, TEZ_APP_ATTEMPT, CONTAINER use a session-specific domain/acl
      • entities for the dag - TEZ_DAG/VERTEX/TASK,TA end up with a dag specific ACL.

      If user "a" clicks through the app link from the RM and lands on the app details page, the user will not find any dags as the user has no permissions to view the tez app entity rendering the UI functionality to be broken.

      \cc sseth rajesh.balamohan Sreenath jeagles thejas

      Attachments

        1. TEZ-3328.wip.patch
          35 kB
          Hitesh Shah

        Activity

          People

            hitesh Hitesh Shah
            hitesh Hitesh Shah
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated: