Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.7.0
    • Component/s: None
    • Labels:
      None
    • Hadoop Flags:
      Reviewed

      Description

      The goal is to have YARN acl model pluggable so as to integrate other authorization tool such as Apache Ranger, Sentry.

      Currently, we have

      • admin ACL
      • queue ACL
      • application ACL
      • time line domain ACL
      • service ACL

      The proposal is to create a YarnAuthorizationProvider interface. Current implementation will be the default implementation. Ranger or Sentry plug-in can implement this interface.

      Benefit:

      • Unify the code base. With the default implementation, we can get rid of each specific ACL manager such as AdminAclManager, ApplicationACLsManager, QueueAclsManager etc.
      • Enable Ranger, Sentry to do authorization for YARN.
      1. YARN-3100.2.patch
        50 kB
        Jian He
      2. YARN-3100.2.patch
        50 kB
        Jian He
      3. YARN-3100.1.patch
        34 kB
        Jian He

        Issue Links

          Activity

          Hide
          aw Allen Wittenauer added a comment -

          This sounds like something that should start out in common rather than in YARN, given that there are ACLs for HDFS as well.

          Show
          aw Allen Wittenauer added a comment - This sounds like something that should start out in common rather than in YARN, given that there are ACLs for HDFS as well.
          Hide
          jianhe Jian He added a comment -

          Allen, thanks for your comments. This jira also includes providing necessary hooks inside YARN to support the pluggable interface. So far, I'm unsure how much hdfs and YARN differ in the ACL management. But If needed, we can definitely promote the interface to be common.

          Show
          jianhe Jian He added a comment - Allen, thanks for your comments. This jira also includes providing necessary hooks inside YARN to support the pluggable interface. So far, I'm unsure how much hdfs and YARN differ in the ACL management. But If needed, we can definitely promote the interface to be common.
          Hide
          aw Allen Wittenauer added a comment - - edited

          It sounds like this JIRA should get split in half then: a generic interface sitting in common that other components can use and the YARN-specific bits.

          Show
          aw Allen Wittenauer added a comment - - edited It sounds like this JIRA should get split in half then: a generic interface sitting in common that other components can use and the YARN-specific bits.
          Hide
          jianhe Jian He added a comment -

          HDFS-6826 is the jira to have hdfs support pluggable authorization. Seems hdfs has much wider requirements than YARN does. Even with a
          common interface, YARN and hdfs may still need their own specific interface. Give that HDFS-6826 is still work in progress, I would like to have YARN ready first and then considering merging the common part into a common interface.

          Show
          jianhe Jian He added a comment - HDFS-6826 is the jira to have hdfs support pluggable authorization. Seems hdfs has much wider requirements than YARN does. Even with a common interface, YARN and hdfs may still need their own specific interface. Give that HDFS-6826 is still work in progress, I would like to have YARN ready first and then considering merging the common part into a common interface.
          Hide
          jianhe Jian He added a comment -

          Uploaded a patch:

          • Create a YarnAuthorizationProvider class to be extended by other components. current implementation remains as the default implementation of this class.
          • Only changed Admin acl and queue acl to use the provider class. Other acls and web apps will be addressed separately
          Show
          jianhe Jian He added a comment - Uploaded a patch: Create a YarnAuthorizationProvider class to be extended by other components. current implementation remains as the default implementation of this class. Only changed Admin acl and queue acl to use the provider class. Other acls and web apps will be addressed separately
          Hide
          hadoopqa Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12695064/YARN-3100.1.patch
          against trunk revision 9850e15.

          -1 patch. The patch command could not apply the patch.

          Console output: https://builds.apache.org/job/PreCommit-YARN-Build/6438//console

          This message is automatically generated.

          Show
          hadoopqa Hadoop QA added a comment - -1 overall . Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12695064/YARN-3100.1.patch against trunk revision 9850e15. -1 patch . The patch command could not apply the patch. Console output: https://builds.apache.org/job/PreCommit-YARN-Build/6438//console This message is automatically generated.
          Hide
          aw Allen Wittenauer added a comment -

          I hope you recognize that from an outside perspective how ridiculous it sounds if YARN's ACL system is pluggable but HDFS's is not.

          Show
          aw Allen Wittenauer added a comment - I hope you recognize that from an outside perspective how ridiculous it sounds if YARN's ACL system is pluggable but HDFS's is not.
          Hide
          aw Allen Wittenauer added a comment -

          Linking to the original service ACL JIRA (HADOOP-4348), since it seems relevant to tossing aside the common implementation.

          Show
          aw Allen Wittenauer added a comment - Linking to the original service ACL JIRA ( HADOOP-4348 ), since it seems relevant to tossing aside the common implementation.
          Hide
          jianhe Jian He added a comment -

          I hope you recognize that from an outside perspective how ridiculous it sounds if YARN's ACL system is pluggable but HDFS's is not.

          HDFS-6826 is the work to make HDFS authorization pluggable. The current proposal is to only handle YARN specific ACL(admin and queue ACL), not the common service acl (HADOOP-4348) which is being used by HDFS too. hdfs will not get affected at all.

          Show
          jianhe Jian He added a comment - I hope you recognize that from an outside perspective how ridiculous it sounds if YARN's ACL system is pluggable but HDFS's is not. HDFS-6826 is the work to make HDFS authorization pluggable. The current proposal is to only handle YARN specific ACL(admin and queue ACL), not the common service acl ( HADOOP-4348 ) which is being used by HDFS too. hdfs will not get affected at all.
          Hide
          hadoopqa Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12695120/YARN-3100.2.patch
          against trunk revision d244574.

          +1 @author. The patch does not contain any @author tags.

          -1 tests included. The patch doesn't appear to include any new or modified tests.
          Please justify why no new tests are needed for this patch.
          Also please list what manual steps were performed to verify this patch.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 javadoc. There were no new javadoc warning messages.

          +1 eclipse:eclipse. The patch built with eclipse:eclipse.

          +1 findbugs. The patch does not introduce any new Findbugs (version 2.0.3) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          +1 core tests. The patch passed unit tests in hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-sharedcachemanager.

          Test results: https://builds.apache.org/job/PreCommit-YARN-Build/6444//testReport/
          Console output: https://builds.apache.org/job/PreCommit-YARN-Build/6444//console

          This message is automatically generated.

          Show
          hadoopqa Hadoop QA added a comment - -1 overall . Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12695120/YARN-3100.2.patch against trunk revision d244574. +1 @author . The patch does not contain any @author tags. -1 tests included . The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. +1 javac . The applied patch does not increase the total number of javac compiler warnings. +1 javadoc . There were no new javadoc warning messages. +1 eclipse:eclipse . The patch built with eclipse:eclipse. +1 findbugs . The patch does not introduce any new Findbugs (version 2.0.3) warnings. +1 release audit . The applied patch does not increase the total number of release audit warnings. +1 core tests . The patch passed unit tests in hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-sharedcachemanager. Test results: https://builds.apache.org/job/PreCommit-YARN-Build/6444//testReport/ Console output: https://builds.apache.org/job/PreCommit-YARN-Build/6444//console This message is automatically generated.
          Hide
          zjshen Zhijie Shen added a comment -

          I would like to have YARN ready first and then considering merging the common part into a common interface.

          +1 for staring from YARN first.

          Here're some comments about the patch.

          1. Should AccessType be the first class citizen too like PrivilegedEntity? And there are 1-to-many relationship between PrivilegedEntity and AccessType? For example, Queue -> {ADD, DELETE, MODIFY, VIEW}, App ->
          {SUBMIT, VIEW}.

          2. Do we need to include application as another entity type?

          3. No need in AdminService.java any more.

          private AccessControlList adminAcl;
          

          4. YarnAuthorizationProvider needs to be annotated? The following java doc is not as complete as the other methods.

          	  /**
          	   * Check if the user is an admin.
          	   */
             public abstract boolean isAdmin(UserGroupInformation ugi);
          

          5. According to the name, signature and implemenation, the method seems not to be just for verify admin access, but generich. However, it's only used in AdminService now. After the code change, the method reduces the use case to only check if it is admin. We may want to avoid the change or refactor the method name.

            public static UserGroupInformation verifyAccess(
                AccessControlList acl, String method, final Log LOG)
                throws IOException {
          

          6. For YarnAuthorizationProvider, it's better to call init() in getInstance(), such that the user doesn't need to struggle to make sure init() is just called once and at the first reference. Just think out loudly. Is the singleton friendly to MiniYARNCluster, where different components reside in a single process?

          Show
          zjshen Zhijie Shen added a comment - I would like to have YARN ready first and then considering merging the common part into a common interface. +1 for staring from YARN first. Here're some comments about the patch. 1. Should AccessType be the first class citizen too like PrivilegedEntity ? And there are 1-to-many relationship between PrivilegedEntity and AccessType ? For example, Queue -> {ADD, DELETE, MODIFY, VIEW}, App -> {SUBMIT, VIEW}. 2. Do we need to include application as another entity type? 3. No need in AdminService.java any more. private AccessControlList adminAcl; 4. YarnAuthorizationProvider needs to be annotated? The following java doc is not as complete as the other methods. /** * Check if the user is an admin. */ public abstract boolean isAdmin(UserGroupInformation ugi); 5. According to the name, signature and implemenation, the method seems not to be just for verify admin access, but generich. However, it's only used in AdminService now. After the code change, the method reduces the use case to only check if it is admin. We may want to avoid the change or refactor the method name. public static UserGroupInformation verifyAccess( AccessControlList acl, String method, final Log LOG) throws IOException { 6. For YarnAuthorizationProvider, it's better to call init() in getInstance(), such that the user doesn't need to struggle to make sure init() is just called once and at the first reference. Just think out loudly. Is the singleton friendly to MiniYARNCluster, where different components reside in a single process?
          Hide
          aw Allen Wittenauer added a comment -

          In case it isn't obvious, I'm -1 on doing this in YARN first.

          It doesn't make sense to all of this base work in YARN when we already know that, even beyond HDFS file-level ACLs, there are all sorts of places that need the same support in common.

          Show
          aw Allen Wittenauer added a comment - In case it isn't obvious, I'm -1 on doing this in YARN first. It doesn't make sense to all of this base work in YARN when we already know that, even beyond HDFS file-level ACLs, there are all sorts of places that need the same support in common.
          Hide
          jianhe Jian He added a comment -

          It doesn't make sense to all of this base work in YARN when we already know that, even beyond HDFS file-level ACLs, there are all sorts of places that need the same support in common.

          HDFS-6826 is what HDFS do on their end to make authorization pluggable. I tried to re-use what they have, but the patch has so much hdfs specific bits that won't for YARN. Even with a common interface, hdfs and yarn still require their own interface to take care of their own logic. Stepping back, how much base work it can be ? to yarn, it's very simple, it's just a single interface file which may be used by hdfs. the majority majority work resides in YARN itself. I would be more than happy to put it in common if hdfs would like to use it.

          Do you suggest a top-down manner, having a single interface sitting in common which works perfectly for hdfs and yarn first in one-go, and then let hdfs and yarn implement their own and no one could ever change the interface ? To me, this is not practical.

          Show
          jianhe Jian He added a comment - It doesn't make sense to all of this base work in YARN when we already know that, even beyond HDFS file-level ACLs, there are all sorts of places that need the same support in common. HDFS-6826 is what HDFS do on their end to make authorization pluggable. I tried to re-use what they have, but the patch has so much hdfs specific bits that won't for YARN. Even with a common interface, hdfs and yarn still require their own interface to take care of their own logic. Stepping back, how much base work it can be ? to yarn, it's very simple, it's just a single interface file which may be used by hdfs. the majority majority work resides in YARN itself. I would be more than happy to put it in common if hdfs would like to use it. Do you suggest a top-down manner, having a single interface sitting in common which works perfectly for hdfs and yarn first in one-go, and then let hdfs and yarn implement their own and no one could ever change the interface ? To me, this is not practical.
          Hide
          aw Allen Wittenauer added a comment -

          I'm basically trying to reconcile the functionality being offered in this JIRA vs. the functionality that we advertise in the service management bits (e.g., http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/ServiceLevelAuth.html#Access_Control_Lists ). To me, the "is a user allowed to do this" needed for YARN is effectively the same functionality. Adding in the ability to limit by host by merging this functionality would be a large win and actually add functionality that is currently missing to YARN (esp on the queue side).

          Show
          aw Allen Wittenauer added a comment - I'm basically trying to reconcile the functionality being offered in this JIRA vs. the functionality that we advertise in the service management bits (e.g., http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/ServiceLevelAuth.html#Access_Control_Lists ). To me, the "is a user allowed to do this" needed for YARN is effectively the same functionality. Adding in the ability to limit by host by merging this functionality would be a large win and actually add functionality that is currently missing to YARN (esp on the queue side).
          Hide
          jianhe Jian He added a comment -

          I'm basically trying to reconcile the functionality being offered in this JIRA vs. the functionality that we advertise in the service management bits (e.g., http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/ServiceLevelAuth.html#Access_Control_Lists ).

          Across hdfs and yarn stack, there are basically there types of acl: hdfs-specific ACL, yarn-specific ACL and the common service-level ACL used by both hdfs and YARN which is the link you provided here.
          What concerns you is the common service level ACL, given it's already being commonly used by YARN and HDFS already, we can definitely do it in a common (but it is out of the scope of this jira as I mentioned before). HDFS-6826 solves hdfs-specific ACL, this jira is to address YARN-specific ACL, and there should be a 3rd jira in common to address the common service-level ACL. Ideally, all ACLs should fit into a single interface. but for yarn and hdfs specific ACL, because YARN and HDFS internal ACL implementation have been differing so much that unifying them is not just a matter of re-factoring but re-designing. That's why I wanted to do it on YARN first to address YARN-specific ACL(which is also what HDFS has been doing to address hdfs-specific ACL) and later on we can have a jira in common to address the common service-level ACL, and in the meantime merging the common part of hdfs-specific acl interface and YARN-specific acl interface into a single common interface. Still, HDFS and YARN will likely have their own specific acl interface left.

          Adding in the ability to limit by host by merging this functionality would be a large win and actually add functionality that is currently missing to YARN

          One purpose of this jira is to enable 3rd party tool such as Ranger,Sentry to do authorization for YARN. That is this tool can provide user-defined authorization policy, such as host/ip based authorization policy, time based authorization policy (allowing a user to be able to access between 1:00pm and 2:00pm). And YARN can authorize user based on this policy.
          I hope this addresses your concern.

          Show
          jianhe Jian He added a comment - I'm basically trying to reconcile the functionality being offered in this JIRA vs. the functionality that we advertise in the service management bits (e.g., http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/ServiceLevelAuth.html#Access_Control_Lists ). Across hdfs and yarn stack, there are basically there types of acl: hdfs-specific ACL, yarn-specific ACL and the common service-level ACL used by both hdfs and YARN which is the link you provided here. What concerns you is the common service level ACL, given it's already being commonly used by YARN and HDFS already, we can definitely do it in a common (but it is out of the scope of this jira as I mentioned before). HDFS-6826 solves hdfs-specific ACL, this jira is to address YARN-specific ACL, and there should be a 3rd jira in common to address the common service-level ACL. Ideally, all ACLs should fit into a single interface. but for yarn and hdfs specific ACL, because YARN and HDFS internal ACL implementation have been differing so much that unifying them is not just a matter of re-factoring but re-designing. That's why I wanted to do it on YARN first to address YARN-specific ACL(which is also what HDFS has been doing to address hdfs-specific ACL) and later on we can have a jira in common to address the common service-level ACL, and in the meantime merging the common part of hdfs-specific acl interface and YARN-specific acl interface into a single common interface. Still, HDFS and YARN will likely have their own specific acl interface left. Adding in the ability to limit by host by merging this functionality would be a large win and actually add functionality that is currently missing to YARN One purpose of this jira is to enable 3rd party tool such as Ranger,Sentry to do authorization for YARN. That is this tool can provide user-defined authorization policy, such as host/ip based authorization policy, time based authorization policy (allowing a user to be able to access between 1:00pm and 2:00pm). And YARN can authorize user based on this policy. I hope this addresses your concern.
          Hide
          aw Allen Wittenauer added a comment -

          I still see no provided evidence as to why YARN needs its own ACL implementation. It was always a mistake that queue ACLs and the like weren't implemented with the common ACL implementation, given how simplistic YARN's needs ultimately are. This seems like a good opportunity to fix it without making more technical debt as proposed by this JIRA.

          I'm still at -1.

          Show
          aw Allen Wittenauer added a comment - I still see no provided evidence as to why YARN needs its own ACL implementation. It was always a mistake that queue ACLs and the like weren't implemented with the common ACL implementation, given how simplistic YARN's needs ultimately are. This seems like a good opportunity to fix it without making more technical debt as proposed by this JIRA. I'm still at -1.
          Hide
          jianhe Jian He added a comment -

          It was always a mistake that queue ACLs and the like weren't implemented with the common ACL implementation,

          Would you please specify which exact piece of code regarding the service acl implementation YARN should re-use, but YARN did not ? YARN always re-use any existing library from common.

          Show
          jianhe Jian He added a comment - It was always a mistake that queue ACLs and the like weren't implemented with the common ACL implementation, Would you please specify which exact piece of code regarding the service acl implementation YARN should re-use, but YARN did not ? YARN always re-use any existing library from common.
          Hide
          zjshen Zhijie Shen added a comment -

          IMHO, the problem we want to solve in the scope of this Jira is to refactor YARN ACL code, such that we can make YARN use third-party authorization provider, such as Ranger and Sentry.

          We appreciate your input, but would you please be more specific what common ACL you refer to. It would be more helpful if you can provide the details about what the exact piece YARN can reuse and the approach how YARN can reuse it. Anyway, I'm afraid uniforming common and YARN authorization is out of the scope of this Jira, such that we can take care of it separately. And while doing this, we also need to take HDFS authorization into account, don't we?

          Show
          zjshen Zhijie Shen added a comment - IMHO, the problem we want to solve in the scope of this Jira is to refactor YARN ACL code, such that we can make YARN use third-party authorization provider, such as Ranger and Sentry. We appreciate your input, but would you please be more specific what common ACL you refer to. It would be more helpful if you can provide the details about what the exact piece YARN can reuse and the approach how YARN can reuse it. Anyway, I'm afraid uniforming common and YARN authorization is out of the scope of this Jira, such that we can take care of it separately. And while doing this, we also need to take HDFS authorization into account, don't we?
          Hide
          aw Allen Wittenauer added a comment -

          Let me summarize the discussion so far, from my understanding:

          • The authorize.* package in common provides services some pretty generic ACL functionality. Making it plug-able and extendable would help the entire project.
          • YARN is a precious snowflake that can't use such a generic service to see if a host or user should be allowed to access, e.g., a queue for ... reasons. So there is a desire to completely refactor the YARN code to effectively duplicate common for ... reasons.
          • Mentioning Ranger and/or Sentry should allow anyone to do anything they want. They are magic words that make people run away.
          Show
          aw Allen Wittenauer added a comment - Let me summarize the discussion so far, from my understanding: The authorize.* package in common provides services some pretty generic ACL functionality. Making it plug-able and extendable would help the entire project. YARN is a precious snowflake that can't use such a generic service to see if a host or user should be allowed to access, e.g., a queue for ... reasons. So there is a desire to completely refactor the YARN code to effectively duplicate common for ... reasons. Mentioning Ranger and/or Sentry should allow anyone to do anything they want. They are magic words that make people run away.
          Hide
          jianhe Jian He added a comment -

          The authorize.* package in common provides services some pretty generic ACL functionality.

          As I said, YARN is already re-using many code/library from this package. If you found more should be re-used, please let us know and feel free to file separate jira.

          Mentioning Ranger and/or Sentry should allow anyone to do anything they want. They are magic words that make people run away.

          This is anyways configurable by admin. People can choose to use or not to use. Nothing gets affected for original implementation.

          Show
          jianhe Jian He added a comment - The authorize.* package in common provides services some pretty generic ACL functionality. As I said, YARN is already re-using many code/library from this package . If you found more should be re-used, please let us know and feel free to file separate jira. Mentioning Ranger and/or Sentry should allow anyone to do anything they want. They are magic words that make people run away. This is anyways configurable by admin. People can choose to use or not to use. Nothing gets affected for original implementation.
          Hide
          chris.douglas Chris Douglas added a comment -

          Allen Wittenauer, have you read through the patch? What it implements looks like a pretty straightfoward application of the common ACL libraries to queues and applications. It just routes some of the YARN checks to a configurable component. Is there functionality implemented in the common libs that's not being used?

          A few quick questions:

          • What is the behavior of refreshQueues? It looks like the provider class remains fixed (should it throw an exception if the class in the conf doesn't match the singleton?), but every queue's ACLs get reset from the config. The refresh isn't transactional, though... if it fails partway through, the ACLs could be partially refreshed in the provider. Is that correct? If the provider is Configurable, then it also doesn't get reconfigured, as it will return the singleton from the first call to getInstance()
          • Could we avoid pluggable implementations with a Default* class? A descriptive name is easier to change and... well, descriptive.
          • PrivilegedEntity is an odd class. Would it be possible to expand on its definition in the javadoc, and (as a public class) add annotations for its intended audience (HADOOP-5073)?
          Show
          chris.douglas Chris Douglas added a comment - Allen Wittenauer , have you read through the patch? What it implements looks like a pretty straightfoward application of the common ACL libraries to queues and applications. It just routes some of the YARN checks to a configurable component. Is there functionality implemented in the common libs that's not being used? A few quick questions: What is the behavior of refreshQueues ? It looks like the provider class remains fixed (should it throw an exception if the class in the conf doesn't match the singleton?), but every queue's ACLs get reset from the config. The refresh isn't transactional, though... if it fails partway through, the ACLs could be partially refreshed in the provider. Is that correct? If the provider is Configurable , then it also doesn't get reconfigured, as it will return the singleton from the first call to getInstance() Could we avoid pluggable implementations with a Default* class? A descriptive name is easier to change and... well, descriptive. PrivilegedEntity is an odd class. Would it be possible to expand on its definition in the javadoc, and (as a public class) add annotations for its intended audience ( HADOOP-5073 )?
          Hide
          jianhe Jian He added a comment -

          Chris, thanks for your comments !

          What is the behavior of refreshQueues?

          Good question. Basically, we now have two sources of truth for the ACL info. One is the queue config file, the other is the external component(the external component has their own acl storage and can change the acl from their own web UI etc.). I think a good practice is to only allow one single source of truth. We only allow one authorizer implementation, we don't support a mix. If the external component is used for authorization, the refreshQueue command will not update the ACL info into the external component, it's a no-op. The ACL defined in queue configs is only used to bootstrap the external component to feed in the initial ACL info and then the external component takes care of the rest.
          Please share your thoughts. thx

          Could we avoid pluggable implementations with a Default* class? PrivilegedEntity is an odd class. Would it be possible to expand on its definition in the javadoc,

          sure, will do

          Show
          jianhe Jian He added a comment - Chris, thanks for your comments ! What is the behavior of refreshQueues? Good question. Basically, we now have two sources of truth for the ACL info. One is the queue config file, the other is the external component(the external component has their own acl storage and can change the acl from their own web UI etc.). I think a good practice is to only allow one single source of truth. We only allow one authorizer implementation, we don't support a mix. If the external component is used for authorization, the refreshQueue command will not update the ACL info into the external component, it's a no-op. The ACL defined in queue configs is only used to bootstrap the external component to feed in the initial ACL info and then the external component takes care of the rest. Please share your thoughts. thx Could we avoid pluggable implementations with a Default* class? PrivilegedEntity is an odd class. Would it be possible to expand on its definition in the javadoc, sure, will do
          Hide
          chris.douglas Chris Douglas added a comment -

          Motivation for the conversion from QueueACL to the nearly identical, new YarnAuthorizationProvider.AccessType- like the introduction of PrivilegedEntity- is not obvious. Are these pluggable types? Are there other, future entities besides queues? Should the authorizer plugin perform the mapping from QueueACL? Just trying to understand the design...

          For the Default* impl, partial updates for refreshQueues that become visible during the update and after a partial, failed update are hard to reason about. While it's a noop for external services, aren't these different semantics from the current implementation? Readers are blocked, so there are no locks necessary for modifications by setPermission?

          Show
          chris.douglas Chris Douglas added a comment - Motivation for the conversion from QueueACL to the nearly identical, new YarnAuthorizationProvider.AccessType - like the introduction of PrivilegedEntity - is not obvious. Are these pluggable types? Are there other, future entities besides queues? Should the authorizer plugin perform the mapping from QueueACL ? Just trying to understand the design... For the Default* impl, partial updates for refreshQueues that become visible during the update and after a partial, failed update are hard to reason about. While it's a noop for external services, aren't these different semantics from the current implementation? Readers are blocked, so there are no locks necessary for modifications by setPermission ?
          Hide
          jianhe Jian He added a comment - - edited

          Are these pluggable types? Are there other, future entities besides queues? Should the authorizer plugin perform the mapping from QueueACL?

          PrivilegedEntity - we'll add Application, TimeLineDomain etc. into the EntityType later on. Similar for AccessType - we'll add VIEW_APP, MODIFY_APP etc. later on. The plugin will decide for each entity(app/queue) whether a certain user has the permission to perform certain operation.

          While it's a noop for external services, aren't these different semantics from the current implementation?

          The assumption is that if user chooses to use the external component for acl management, user should be aware to rely on that for grant/revoke acls. Otherwise, e.g. if user adds a bunch permissions in Ranger but then later on admin invoke refreshQueue CLI just to add a new queue(not to change the acl), it'll override what Ranger has which I think is not expected. Alternatively, the plug-in can choose to add new acl via the setPermission when refreshQueue is invoked, but not to replace existing acl. Also, whether to add new or update or no, this is something that plug-in itself can decide or make it configurable by user.

          Readers are blocked, so there are no locks necessary for modifications by setPermission

          I'm not sure if I get your point, the DefaultYarnAuthorizer currently uses a concurrentHashMap to store the acls, setPermission is currently used on queue initialization. So I think lock on setPermission is not needed ?

          Show
          jianhe Jian He added a comment - - edited Are these pluggable types? Are there other, future entities besides queues? Should the authorizer plugin perform the mapping from QueueACL? PrivilegedEntity - we'll add Application, TimeLineDomain etc. into the EntityType later on. Similar for AccessType - we'll add VIEW_APP, MODIFY_APP etc. later on. The plugin will decide for each entity(app/queue) whether a certain user has the permission to perform certain operation. While it's a noop for external services, aren't these different semantics from the current implementation? The assumption is that if user chooses to use the external component for acl management, user should be aware to rely on that for grant/revoke acls. Otherwise, e.g. if user adds a bunch permissions in Ranger but then later on admin invoke refreshQueue CLI just to add a new queue(not to change the acl), it'll override what Ranger has which I think is not expected. Alternatively, the plug-in can choose to add new acl via the setPermission when refreshQueue is invoked, but not to replace existing acl. Also, whether to add new or update or no, this is something that plug-in itself can decide or make it configurable by user. Readers are blocked, so there are no locks necessary for modifications by setPermission I'm not sure if I get your point, the DefaultYarnAuthorizer currently uses a concurrentHashMap to store the acls, setPermission is currently used on queue initialization. So I think lock on setPermission is not needed ?
          Hide
          chris.douglas Chris Douglas added a comment -

          I'm not sure if I get your point, the DefaultYarnAuthorizer currently uses a concurrentHashMap to store the acls, setPermission is currently used on queue initialization. So I think lock on setPermission is not needed ?

          Could the RM be in a state where the old version of ACLs are applied to one queue, but a new version is applied to another (a client observes the new ACLs while they're being installed)? I think this is true of scenarios where refreshQueues() fails, but I don't know if intermediate states are observable.

          Show
          chris.douglas Chris Douglas added a comment - I'm not sure if I get your point, the DefaultYarnAuthorizer currently uses a concurrentHashMap to store the acls, setPermission is currently used on queue initialization. So I think lock on setPermission is not needed ? Could the RM be in a state where the old version of ACLs are applied to one queue, but a new version is applied to another (a client observes the new ACLs while they're being installed)? I think this is true of scenarios where refreshQueues() fails, but I don't know if intermediate states are observable.
          Hide
          jianhe Jian He added a comment -

          Do you mean the intermediate state that some queue ACLs are updated but some are not ? The reinitializeQueues looks to be transactional, it instantiates all new sub queues first and then update the root queue and child queues accordingly. And the checkAccess chain will compete the same scheduler lock with the refreshQueue.

          Show
          jianhe Jian He added a comment - Do you mean the intermediate state that some queue ACLs are updated but some are not ? The reinitializeQueues looks to be transactional, it instantiates all new sub queues first and then update the root queue and child queues accordingly. And the checkAccess chain will compete the same scheduler lock with the refreshQueue.
          Hide
          chris.douglas Chris Douglas added a comment -

          The reinitializeQueues looks to be transactional, it instantiates all new sub queues first and then update the root queue and child queues accordingly. And the checkAccess chain will compete the same scheduler lock with the refreshQueue.

          If there's a queue with root Q, say we're constructing Q'. In the current patch, the YarnAuthorizationProvider singleton instance will get calls to setPermission() during construction of Q'. These (1) will be observable by readers of Q who share the instance. I agree that if construction of Q' fails then it won't get installed, but (2) Q will run with a mix of Q' and Q ACLs because each call to setPermission() overwrites what was installed for Q.

          I'm curious if (1) and (2) are an artifact of the new plugin architecture or if this is also happens in the existing code. Not for external implementations, but for the Default* one.

          Alternatively, the plug-in can choose to add new acl via the setPermission when refreshQueue is invoked, but not to replace existing acl. Also, whether to add new or update or no, this is something that plug-in itself can decide or make it configurable by user.

          Maybe I'm being dense, but I don't see how a plugin could implement those semantics cleanly. YarnAuthorizationProvider forces the instance to be a singleton, and it gets some sequence of calls to setPermission(). Since queues can't be deleted in the CS, I suppose it could track the sequence of calls that install ACLs and only publish new ACLs when it's received updates for everything, but that could still yield (2) if the refresh adds new queues before the refresh fails.

          Show
          chris.douglas Chris Douglas added a comment - The reinitializeQueues looks to be transactional, it instantiates all new sub queues first and then update the root queue and child queues accordingly. And the checkAccess chain will compete the same scheduler lock with the refreshQueue. If there's a queue with root Q , say we're constructing Q' . In the current patch, the YarnAuthorizationProvider singleton instance will get calls to setPermission() during construction of Q' . These (1) will be observable by readers of Q who share the instance. I agree that if construction of Q' fails then it won't get installed, but (2) Q will run with a mix of Q' and Q ACLs because each call to setPermission() overwrites what was installed for Q . I'm curious if (1) and (2) are an artifact of the new plugin architecture or if this is also happens in the existing code. Not for external implementations, but for the Default* one. Alternatively, the plug-in can choose to add new acl via the setPermission when refreshQueue is invoked, but not to replace existing acl. Also, whether to add new or update or no, this is something that plug-in itself can decide or make it configurable by user. Maybe I'm being dense, but I don't see how a plugin could implement those semantics cleanly. YarnAuthorizationProvider forces the instance to be a singleton, and it gets some sequence of calls to setPermission() . Since queues can't be deleted in the CS, I suppose it could track the sequence of calls that install ACLs and only publish new ACLs when it's received updates for everything, but that could still yield (2) if the refresh adds new queues before the refresh fails.
          Hide
          jianhe Jian He added a comment -

          Chris, appreciate your feedbacks !

          These (1) will be observable by readers of Q who share the instance.

          I'm curious if (1) and (2) are an artifact of the new plugin architecture or if this is also happens in the existing code

          IIUC, in case refreshQueue is successful, readers won't be able to observe the new Q' ACL. because while constructing new Q', it's holding the scheduler lock, and the reader(i.e. the caller of checkPermission) has to get the same scheduler lock to check permission. So I think readers won't be able to observe the new ACL until Q refresh is completed. But I agree with you that if construction of Q' fails, we possibly get a mix of Q' and Q ACLs, which happens in the existing code. This could be a problem to other parts of the refreshQueue too, e.g. update queue capacity.

          I suppose it could track the sequence of calls that install ACLs and only publish new ACLs when it's received updates for everything,

          Yes, a simple way is that the plug-in can check if the acl already exists and only add the new ones. As you said, this is not clean. I think maybe we can print warning if admin uses external component for ACL management but still call the refreshQueue API to update the ACL.

          but that could still yield (2) if the refresh adds new queues before the refresh fails.

          Yes, it will still yield 2) if refresh fails.

          Show
          jianhe Jian He added a comment - Chris, appreciate your feedbacks ! These (1) will be observable by readers of Q who share the instance. I'm curious if (1) and (2) are an artifact of the new plugin architecture or if this is also happens in the existing code IIUC, in case refreshQueue is successful, readers won't be able to observe the new Q' ACL. because while constructing new Q', it's holding the scheduler lock, and the reader(i.e. the caller of checkPermission) has to get the same scheduler lock to check permission. So I think readers won't be able to observe the new ACL until Q refresh is completed. But I agree with you that if construction of Q' fails, we possibly get a mix of Q' and Q ACLs, which happens in the existing code. This could be a problem to other parts of the refreshQueue too, e.g. update queue capacity. I suppose it could track the sequence of calls that install ACLs and only publish new ACLs when it's received updates for everything, Yes, a simple way is that the plug-in can check if the acl already exists and only add the new ones. As you said, this is not clean. I think maybe we can print warning if admin uses external component for ACL management but still call the refreshQueue API to update the ACL. but that could still yield (2) if the refresh adds new queues before the refresh fails. Yes, it will still yield 2) if refresh fails.
          Hide
          chris.douglas Chris Douglas added a comment -

          I agree with you that if construction of Q' fails, we possibly get a mix of Q' and Q ACLs, which happens in the existing code.

          I think the existing code doesn't have this property. ACLs parsed from the config are stored in a member field. If construction fails, those ACLs aren't installed. The patch moves enforcement to the authorizer:

             public boolean hasAccess(QueueACL acl, UserGroupInformation user) {
               synchronized (this) {
          -      if (acls.get(acl).isUserAllowed(user)) {
          +      if (authorizer.checkPermission(toAccessType(acl), queueEntity, user)) {
                   return true;
                 }
               }
          

          Which is updated during construction of the replacement queue hierarchy.

          Show
          chris.douglas Chris Douglas added a comment - I agree with you that if construction of Q' fails, we possibly get a mix of Q' and Q ACLs, which happens in the existing code. I think the existing code doesn't have this property. ACLs parsed from the config are stored in a member field . If construction fails, those ACLs aren't installed. The patch moves enforcement to the authorizer: public boolean hasAccess(QueueACL acl, UserGroupInformation user) { synchronized (this) { - if (acls.get(acl).isUserAllowed(user)) { + if (authorizer.checkPermission(toAccessType(acl), queueEntity, user)) { return true; } } Which is updated during construction of the replacement queue hierarchy.
          Hide
          jianhe Jian He added a comment -

          I see. got your point. I'll fix this in next patch. thanks !
          And I think the existing code will have this problem when exception thrown here. I can open a jira for this, if you also think this is an issue.

          Show
          jianhe Jian He added a comment - I see. got your point. I'll fix this in next patch. thanks ! And I think the existing code will have this problem when exception thrown here . I can open a jira for this, if you also think this is an issue.
          Hide
          chris.douglas Chris Douglas added a comment -

          Looking through AbstractCSQueue and CSQueueUtils, it looks like there are many misconfigurations that leave queues in an inconsistent state...

          Show
          chris.douglas Chris Douglas added a comment - Looking through AbstractCSQueue and CSQueueUtils , it looks like there are many misconfigurations that leave queues in an inconsistent state...
          Hide
          jianhe Jian He added a comment -

          AbstractCSQueue and CSQueueUtils

          Maybe I missed something, I think these two are mostly fine. As we create the new queue hierarchy first and then update the old queues. If certain methods fail in these two classes, the new queue creation will fail upfront and so will not update the old queue. Anyway, we can address this separately.

          Show
          jianhe Jian He added a comment - AbstractCSQueue and CSQueueUtils Maybe I missed something, I think these two are mostly fine. As we create the new queue hierarchy first and then update the old queues. If certain methods fail in these two classes, the new queue creation will fail upfront and so will not update the old queue. Anyway, we can address this separately.
          Hide
          chris.douglas Chris Douglas added a comment -

          Agreed; definitely a separate JIRA. As state is copied from the old queues, some of the methods called in CSQueueUtils throw exceptions, similar to the case you found in LeafQueue.

          Show
          chris.douglas Chris Douglas added a comment - Agreed; definitely a separate JIRA. As state is copied from the old queues, some of the methods called in CSQueueUtils throw exceptions, similar to the case you found in LeafQueue .
          Hide
          jianhe Jian He added a comment -

          Uploaded a new patch:

          • rename the DefaultYarnAuthorizer to ConfiguredYarnAuthorizer
          • Added private/unstable annotations to the newly added classes.
          • Move setPermissions on the authorizer after queue init/re-init is done.
            Addressed other comments from Zhijie and Chris too.
          Show
          jianhe Jian He added a comment - Uploaded a new patch: rename the DefaultYarnAuthorizer to ConfiguredYarnAuthorizer Added private/unstable annotations to the newly added classes. Move setPermissions on the authorizer after queue init/re-init is done. Addressed other comments from Zhijie and Chris too.
          Hide
          zjshen Zhijie Shen added a comment -

          Thanks for the last patch. It looks good to me. Pending the commit to give Chris some time to feedback.

          Show
          zjshen Zhijie Shen added a comment - Thanks for the last patch. It looks good to me. Pending the commit to give Chris some time to feedback.
          Hide
          hadoopqa Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12697182/YARN-3100.2.patch
          against trunk revision da2fb2b.

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 1 new or modified test files.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          -1 javadoc. The javadoc tool appears to have generated 3 warning messages.
          See https://builds.apache.org/job/PreCommit-YARN-Build/6544//artifact/patchprocess/diffJavadocWarnings.txt for details.

          +1 eclipse:eclipse. The patch built with eclipse:eclipse.

          +1 findbugs. The patch does not introduce any new Findbugs (version 2.0.3) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          +1 core tests. The patch passed unit tests in hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-sharedcachemanager.

          Test results: https://builds.apache.org/job/PreCommit-YARN-Build/6544//testReport/
          Console output: https://builds.apache.org/job/PreCommit-YARN-Build/6544//console

          This message is automatically generated.

          Show
          hadoopqa Hadoop QA added a comment - -1 overall . Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12697182/YARN-3100.2.patch against trunk revision da2fb2b. +1 @author . The patch does not contain any @author tags. +1 tests included . The patch appears to include 1 new or modified test files. +1 javac . The applied patch does not increase the total number of javac compiler warnings. -1 javadoc . The javadoc tool appears to have generated 3 warning messages. See https://builds.apache.org/job/PreCommit-YARN-Build/6544//artifact/patchprocess/diffJavadocWarnings.txt for details. +1 eclipse:eclipse . The patch built with eclipse:eclipse. +1 findbugs . The patch does not introduce any new Findbugs (version 2.0.3) warnings. +1 release audit . The applied patch does not increase the total number of release audit warnings. +1 core tests . The patch passed unit tests in hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-sharedcachemanager. Test results: https://builds.apache.org/job/PreCommit-YARN-Build/6544//testReport/ Console output: https://builds.apache.org/job/PreCommit-YARN-Build/6544//console This message is automatically generated.
          Hide
          jianhe Jian He added a comment -

          Fixed the javac warnings

          Show
          jianhe Jian He added a comment - Fixed the javac warnings
          Hide
          sunilg Sunil G added a comment -

          Hi Jian He

          Thanks for sharing this ACL pluggable feature improvement, Few comments on this.

          1. allAcls is a concurrent map with PrivilagedType as key and acls as value. Hence the recovery/ha for this data is tied up to schedulers recovery logic. Going down further, when this ACL authorizer is becoming generic, could this be made more independent and handle HA cases separately?
          2. Also REST support for managing acls can be added.
          3. Using RMAdmin, I feel we could have a command line option to add an ACL for a queue at runtime. Also this can be made generic for any ACLs too.
          4. YarnAuthorizationProvider. Could it give more interfaces such as "get all users for give AccessType and PrivilegedEntity" etc.

          Kindly share your opinion, and if you feel points 2 and 3 can be done, I am ready to help on same.

          Also a small nit in the current patch:

          +  public void setPermission(PrivilegedEntity target,
          +      Map<AccessType, AccessControlList> acls, UserGroupInformation ugi) {
          +    allAcls.put(target, acls);
          +  }
          

          UserGroupInformation is not used.

          Show
          sunilg Sunil G added a comment - Hi Jian He Thanks for sharing this ACL pluggable feature improvement, Few comments on this. 1. allAcls is a concurrent map with PrivilagedType as key and acls as value. Hence the recovery/ha for this data is tied up to schedulers recovery logic. Going down further, when this ACL authorizer is becoming generic, could this be made more independent and handle HA cases separately? 2. Also REST support for managing acls can be added. 3. Using RMAdmin, I feel we could have a command line option to add an ACL for a queue at runtime. Also this can be made generic for any ACLs too. 4. YarnAuthorizationProvider. Could it give more interfaces such as "get all users for give AccessType and PrivilegedEntity" etc. Kindly share your opinion, and if you feel points 2 and 3 can be done, I am ready to help on same. Also a small nit in the current patch: + public void setPermission(PrivilegedEntity target, + Map<AccessType, AccessControlList> acls, UserGroupInformation ugi) { + allAcls.put(target, acls); + } UserGroupInformation is not used.
          Hide
          hadoopqa Hadoop QA added a comment -

          +1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12697386/YARN-3100.2.patch
          against trunk revision 7e42088.

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 1 new or modified test files.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 javadoc. There were no new javadoc warning messages.

          +1 eclipse:eclipse. The patch built with eclipse:eclipse.

          +1 findbugs. The patch does not introduce any new Findbugs (version 2.0.3) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          +1 core tests. The patch passed unit tests in hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-sharedcachemanager.

          Test results: https://builds.apache.org/job/PreCommit-YARN-Build/6553//testReport/
          Console output: https://builds.apache.org/job/PreCommit-YARN-Build/6553//console

          This message is automatically generated.

          Show
          hadoopqa Hadoop QA added a comment - +1 overall . Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12697386/YARN-3100.2.patch against trunk revision 7e42088. +1 @author . The patch does not contain any @author tags. +1 tests included . The patch appears to include 1 new or modified test files. +1 javac . The applied patch does not increase the total number of javac compiler warnings. +1 javadoc . There were no new javadoc warning messages. +1 eclipse:eclipse . The patch built with eclipse:eclipse. +1 findbugs . The patch does not introduce any new Findbugs (version 2.0.3) warnings. +1 release audit . The applied patch does not increase the total number of release audit warnings. +1 core tests . The patch passed unit tests in hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-sharedcachemanager. Test results: https://builds.apache.org/job/PreCommit-YARN-Build/6553//testReport/ Console output: https://builds.apache.org/job/PreCommit-YARN-Build/6553//console This message is automatically generated.
          Hide
          jianhe Jian He added a comment -

          Sunil G, thanks for your suggestions !

          Also REST support for managing acls can be added. Using RMAdmin, I feel we could have a command line option to add an ACL for a queue at runtime. Also this can be made generic for any ACLs too.

          This makes sense, but when doing this, we should handle persisting the ACL data for RM restart/failover. Also, we need to handle the potential conflicts between the persisted acl info and the original config file.

          could this be made more independent and handle HA cases separately?

          Typically, the external component like Ranger has their own way to recover the ACLs. If RM restart/failover, the acls can be retrieved from their backend store.

          YarnAuthorizationProvider. Could it give more interfaces such as "get all users for give AccessType and PrivilegedEntity" etc.

          getAllUsers semantics is a kind of heavy operation for external component. The overall idea is that the caller should provide userName/accessType, the plug-in can return true or false for accessing. We can add this if really needed in the future.

          Map<AccessType, AccessControlList> acls, UserGroupInformation ugi)

          the ugi here is used by external component such as Ranger for auditing. Ranger has nice auditing support to record the historic grant/revoke, access denied/ access allowed info.

          feel points 2 and 3 can be done, I am ready to help on same.

          Please feel free to open. I feel a command line option is more useful in short-term than REST.

          Show
          jianhe Jian He added a comment - Sunil G , thanks for your suggestions ! Also REST support for managing acls can be added. Using RMAdmin, I feel we could have a command line option to add an ACL for a queue at runtime. Also this can be made generic for any ACLs too. This makes sense, but when doing this, we should handle persisting the ACL data for RM restart/failover. Also, we need to handle the potential conflicts between the persisted acl info and the original config file. could this be made more independent and handle HA cases separately? Typically, the external component like Ranger has their own way to recover the ACLs. If RM restart/failover, the acls can be retrieved from their backend store. YarnAuthorizationProvider. Could it give more interfaces such as "get all users for give AccessType and PrivilegedEntity" etc. getAllUsers semantics is a kind of heavy operation for external component. The overall idea is that the caller should provide userName/accessType, the plug-in can return true or false for accessing. We can add this if really needed in the future. Map<AccessType, AccessControlList> acls, UserGroupInformation ugi) the ugi here is used by external component such as Ranger for auditing. Ranger has nice auditing support to record the historic grant/revoke, access denied/ access allowed info. feel points 2 and 3 can be done, I am ready to help on same. Please feel free to open. I feel a command line option is more useful in short-term than REST.
          Hide
          zjshen Zhijie Shen added a comment -

          Committed to trunk and branch-2. Thanks Jian for the patch and Chris and Sunil for the review!

          Show
          zjshen Zhijie Shen added a comment - Committed to trunk and branch-2. Thanks Jian for the patch and Chris and Sunil for the review!
          Hide
          hudson Hudson added a comment -

          FAILURE: Integrated in Hadoop-trunk-Commit #7058 (See https://builds.apache.org/job/Hadoop-trunk-Commit/7058/)
          YARN-3100. Made YARN authorization pluggable. Contributed by Jian He. (zjshen: rev 23bf6c72071782e3fd5a628e21495d6b974c7a9e)

          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/AdminService.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestParentQueue.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/ParentQueue.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/PrivilegedEntity.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacitySchedulerConfiguration.java
          • hadoop-yarn-project/CHANGES.txt
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/YarnAuthorizationProvider.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AdminACLsManager.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/WebApps.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/AbstractCSQueue.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/RMServerUtils.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/LeafQueue.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AccessType.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/ConfiguredYarnAuthorizer.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-sharedcachemanager/src/main/java/org/apache/hadoop/yarn/server/sharedcachemanager/SCMAdminProtocolService.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/nodelabels/RMNodeLabelsManager.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerUtils.java
          Show
          hudson Hudson added a comment - FAILURE: Integrated in Hadoop-trunk-Commit #7058 (See https://builds.apache.org/job/Hadoop-trunk-Commit/7058/ ) YARN-3100 . Made YARN authorization pluggable. Contributed by Jian He. (zjshen: rev 23bf6c72071782e3fd5a628e21495d6b974c7a9e) hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/AdminService.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestParentQueue.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/ParentQueue.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/PrivilegedEntity.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacitySchedulerConfiguration.java hadoop-yarn-project/CHANGES.txt hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/YarnAuthorizationProvider.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AdminACLsManager.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/WebApps.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/AbstractCSQueue.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/RMServerUtils.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/LeafQueue.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AccessType.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/ConfiguredYarnAuthorizer.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-sharedcachemanager/src/main/java/org/apache/hadoop/yarn/server/sharedcachemanager/SCMAdminProtocolService.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/nodelabels/RMNodeLabelsManager.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerUtils.java
          Hide
          chris.douglas Chris Douglas added a comment -

          Sorry, I didn't get to the patch over the weekend. Thanks for addressing the review feedback.

          Are there JIRAs following some of the types to be added to PrivilegedEntity? Just curious.

          Show
          chris.douglas Chris Douglas added a comment - Sorry, I didn't get to the patch over the weekend. Thanks for addressing the review feedback. Are there JIRAs following some of the types to be added to PrivilegedEntity? Just curious.
          Hide
          hudson Hudson added a comment -

          FAILURE: Integrated in Hadoop-Yarn-trunk-Java8 #100 (See https://builds.apache.org/job/Hadoop-Yarn-trunk-Java8/100/)
          YARN-3100. Made YARN authorization pluggable. Contributed by Jian He. (zjshen: rev 23bf6c72071782e3fd5a628e21495d6b974c7a9e)

          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/ParentQueue.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AccessType.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacitySchedulerConfiguration.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/AbstractCSQueue.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/RMServerUtils.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestParentQueue.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/WebApps.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AdminACLsManager.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java
          • hadoop-yarn-project/CHANGES.txt
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/AdminService.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-sharedcachemanager/src/main/java/org/apache/hadoop/yarn/server/sharedcachemanager/SCMAdminProtocolService.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/nodelabels/RMNodeLabelsManager.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerUtils.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/PrivilegedEntity.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/ConfiguredYarnAuthorizer.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/LeafQueue.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/YarnAuthorizationProvider.java
          Show
          hudson Hudson added a comment - FAILURE: Integrated in Hadoop-Yarn-trunk-Java8 #100 (See https://builds.apache.org/job/Hadoop-Yarn-trunk-Java8/100/ ) YARN-3100 . Made YARN authorization pluggable. Contributed by Jian He. (zjshen: rev 23bf6c72071782e3fd5a628e21495d6b974c7a9e) hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/ParentQueue.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AccessType.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacitySchedulerConfiguration.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/AbstractCSQueue.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/RMServerUtils.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestParentQueue.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/WebApps.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AdminACLsManager.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java hadoop-yarn-project/CHANGES.txt hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/AdminService.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-sharedcachemanager/src/main/java/org/apache/hadoop/yarn/server/sharedcachemanager/SCMAdminProtocolService.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/nodelabels/RMNodeLabelsManager.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerUtils.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/PrivilegedEntity.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/ConfiguredYarnAuthorizer.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/LeafQueue.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/YarnAuthorizationProvider.java
          Hide
          hudson Hudson added a comment -

          FAILURE: Integrated in Hadoop-Yarn-trunk #834 (See https://builds.apache.org/job/Hadoop-Yarn-trunk/834/)
          YARN-3100. Made YARN authorization pluggable. Contributed by Jian He. (zjshen: rev 23bf6c72071782e3fd5a628e21495d6b974c7a9e)

          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestParentQueue.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/WebApps.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/ConfiguredYarnAuthorizer.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerUtils.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/PrivilegedEntity.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/RMServerUtils.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/nodelabels/RMNodeLabelsManager.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/AbstractCSQueue.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/YarnAuthorizationProvider.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-sharedcachemanager/src/main/java/org/apache/hadoop/yarn/server/sharedcachemanager/SCMAdminProtocolService.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacitySchedulerConfiguration.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AccessType.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/AdminService.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/ParentQueue.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/LeafQueue.java
          • hadoop-yarn-project/CHANGES.txt
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AdminACLsManager.java
          Show
          hudson Hudson added a comment - FAILURE: Integrated in Hadoop-Yarn-trunk #834 (See https://builds.apache.org/job/Hadoop-Yarn-trunk/834/ ) YARN-3100 . Made YARN authorization pluggable. Contributed by Jian He. (zjshen: rev 23bf6c72071782e3fd5a628e21495d6b974c7a9e) hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestParentQueue.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/WebApps.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/ConfiguredYarnAuthorizer.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerUtils.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/PrivilegedEntity.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/RMServerUtils.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/nodelabels/RMNodeLabelsManager.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/AbstractCSQueue.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/YarnAuthorizationProvider.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-sharedcachemanager/src/main/java/org/apache/hadoop/yarn/server/sharedcachemanager/SCMAdminProtocolService.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacitySchedulerConfiguration.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AccessType.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/AdminService.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/ParentQueue.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/LeafQueue.java hadoop-yarn-project/CHANGES.txt hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AdminACLsManager.java
          Hide
          hudson Hudson added a comment -

          FAILURE: Integrated in Hadoop-Hdfs-trunk #2032 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk/2032/)
          YARN-3100. Made YARN authorization pluggable. Contributed by Jian He. (zjshen: rev 23bf6c72071782e3fd5a628e21495d6b974c7a9e)

          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-sharedcachemanager/src/main/java/org/apache/hadoop/yarn/server/sharedcachemanager/SCMAdminProtocolService.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/YarnAuthorizationProvider.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/PrivilegedEntity.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/WebApps.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacitySchedulerConfiguration.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/AbstractCSQueue.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/ParentQueue.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/RMServerUtils.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AccessType.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AdminACLsManager.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/ConfiguredYarnAuthorizer.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestParentQueue.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/nodelabels/RMNodeLabelsManager.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/AdminService.java
          • hadoop-yarn-project/CHANGES.txt
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/LeafQueue.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerUtils.java
          Show
          hudson Hudson added a comment - FAILURE: Integrated in Hadoop-Hdfs-trunk #2032 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk/2032/ ) YARN-3100 . Made YARN authorization pluggable. Contributed by Jian He. (zjshen: rev 23bf6c72071782e3fd5a628e21495d6b974c7a9e) hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-sharedcachemanager/src/main/java/org/apache/hadoop/yarn/server/sharedcachemanager/SCMAdminProtocolService.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/YarnAuthorizationProvider.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/PrivilegedEntity.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/WebApps.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacitySchedulerConfiguration.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/AbstractCSQueue.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/ParentQueue.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/RMServerUtils.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AccessType.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AdminACLsManager.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/ConfiguredYarnAuthorizer.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestParentQueue.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/nodelabels/RMNodeLabelsManager.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/AdminService.java hadoop-yarn-project/CHANGES.txt hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/LeafQueue.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerUtils.java
          Hide
          hudson Hudson added a comment -

          FAILURE: Integrated in Hadoop-Mapreduce-trunk-Java8 #101 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk-Java8/101/)
          YARN-3100. Made YARN authorization pluggable. Contributed by Jian He. (zjshen: rev 23bf6c72071782e3fd5a628e21495d6b974c7a9e)

          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/YarnAuthorizationProvider.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/LeafQueue.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/AdminService.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/nodelabels/RMNodeLabelsManager.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/ParentQueue.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/AbstractCSQueue.java
          • hadoop-yarn-project/CHANGES.txt
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/WebApps.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerUtils.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/PrivilegedEntity.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AccessType.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/ConfiguredYarnAuthorizer.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-sharedcachemanager/src/main/java/org/apache/hadoop/yarn/server/sharedcachemanager/SCMAdminProtocolService.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AdminACLsManager.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacitySchedulerConfiguration.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestParentQueue.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/RMServerUtils.java
          Show
          hudson Hudson added a comment - FAILURE: Integrated in Hadoop-Mapreduce-trunk-Java8 #101 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk-Java8/101/ ) YARN-3100 . Made YARN authorization pluggable. Contributed by Jian He. (zjshen: rev 23bf6c72071782e3fd5a628e21495d6b974c7a9e) hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/YarnAuthorizationProvider.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/LeafQueue.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/AdminService.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/nodelabels/RMNodeLabelsManager.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/ParentQueue.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/AbstractCSQueue.java hadoop-yarn-project/CHANGES.txt hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/WebApps.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerUtils.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/PrivilegedEntity.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AccessType.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/ConfiguredYarnAuthorizer.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-sharedcachemanager/src/main/java/org/apache/hadoop/yarn/server/sharedcachemanager/SCMAdminProtocolService.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AdminACLsManager.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacitySchedulerConfiguration.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestParentQueue.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/RMServerUtils.java
          Hide
          hudson Hudson added a comment -

          FAILURE: Integrated in Hadoop-Mapreduce-trunk #2051 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk/2051/)
          YARN-3100. Made YARN authorization pluggable. Contributed by Jian He. (zjshen: rev 23bf6c72071782e3fd5a628e21495d6b974c7a9e)

          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/LeafQueue.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/AbstractCSQueue.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AdminACLsManager.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-sharedcachemanager/src/main/java/org/apache/hadoop/yarn/server/sharedcachemanager/SCMAdminProtocolService.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/ParentQueue.java
          • hadoop-yarn-project/CHANGES.txt
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/ConfiguredYarnAuthorizer.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/nodelabels/RMNodeLabelsManager.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/PrivilegedEntity.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestParentQueue.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/AdminService.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerUtils.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/YarnAuthorizationProvider.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacitySchedulerConfiguration.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/RMServerUtils.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AccessType.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/WebApps.java
          Show
          hudson Hudson added a comment - FAILURE: Integrated in Hadoop-Mapreduce-trunk #2051 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk/2051/ ) YARN-3100 . Made YARN authorization pluggable. Contributed by Jian He. (zjshen: rev 23bf6c72071782e3fd5a628e21495d6b974c7a9e) hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/LeafQueue.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/AbstractCSQueue.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AdminACLsManager.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-sharedcachemanager/src/main/java/org/apache/hadoop/yarn/server/sharedcachemanager/SCMAdminProtocolService.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/ParentQueue.java hadoop-yarn-project/CHANGES.txt hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/ConfiguredYarnAuthorizer.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/nodelabels/RMNodeLabelsManager.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/PrivilegedEntity.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestParentQueue.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/AdminService.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerUtils.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/YarnAuthorizationProvider.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacitySchedulerConfiguration.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/RMServerUtils.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AccessType.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/WebApps.java
          Hide
          hudson Hudson added a comment -

          SUCCESS: Integrated in Hadoop-Hdfs-trunk-Java8 #97 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk-Java8/97/)
          YARN-3100. Made YARN authorization pluggable. Contributed by Jian He. (zjshen: rev 23bf6c72071782e3fd5a628e21495d6b974c7a9e)

          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/ParentQueue.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AdminACLsManager.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/AbstractCSQueue.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-sharedcachemanager/src/main/java/org/apache/hadoop/yarn/server/sharedcachemanager/SCMAdminProtocolService.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacitySchedulerConfiguration.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestParentQueue.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/YarnAuthorizationProvider.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/WebApps.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AccessType.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/ConfiguredYarnAuthorizer.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/RMServerUtils.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerUtils.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/nodelabels/RMNodeLabelsManager.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/PrivilegedEntity.java
          • hadoop-yarn-project/CHANGES.txt
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/LeafQueue.java
          • hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/AdminService.java
          Show
          hudson Hudson added a comment - SUCCESS: Integrated in Hadoop-Hdfs-trunk-Java8 #97 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk-Java8/97/ ) YARN-3100 . Made YARN authorization pluggable. Contributed by Jian He. (zjshen: rev 23bf6c72071782e3fd5a628e21495d6b974c7a9e) hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/ParentQueue.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AdminACLsManager.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/AbstractCSQueue.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-sharedcachemanager/src/main/java/org/apache/hadoop/yarn/server/sharedcachemanager/SCMAdminProtocolService.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacitySchedulerConfiguration.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestParentQueue.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/YarnAuthorizationProvider.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/WebApps.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AccessType.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/ConfiguredYarnAuthorizer.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/RMServerUtils.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerUtils.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/nodelabels/RMNodeLabelsManager.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/PrivilegedEntity.java hadoop-yarn-project/CHANGES.txt hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/LeafQueue.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/AdminService.java

            People

            • Assignee:
              jianhe Jian He
              Reporter:
              jianhe Jian He
            • Votes:
              0 Vote for this issue
              Watchers:
              15 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development