Support for ACLs #78

Merged
merged 3 commits into from Oct 3, 2018

@jcrist
Owner

commented Oct 3, 2018

Adds support for Access Control Lists (ACLs). This allows filtering permissions on users/groups. Three access categories are supported:

  • VIEW: view application details. This comes from YARN; we only forward the request.
  • MODIFY: modify application. This comes from YARN; we only forward the request. AFAICT this only disables support for others killing the application.
  • UI: access the web UI. This is implemented in skein.

The first two are just forwarding application ACLs to YARN, and match YARN's semantics and defaults. Note that while these parameters will be forwarded in all cases, YARN will ignore them unless the cluster has been properly configured. See https://www.cloudera.com/documentation/enterprise/6/6.0/topics/cm_mc_yarn_service1.html for more information.

By default, ACLs are disabled. If enabled, the default behavior is to restrict access for all 3 categories to only the application owner. Note that the application owner will always have access. Additional access can be granted for other users/groups as needed. The wildcard "*" can be used to mean "all users". All of this matches YARN/Spark's behavior and defaults.

From a specification standpoint, this looks like:

# Enables acls
# Gives ui permissions to tom and nancy,
# modify access to anyone in the engineering group,
# and view access to everyone
acls:
  enable: true
  ui_users:
    - tom
    - nancy
  modify_groups:
    - engineering
  view_users:
    - '*'

Fixes #74.

@jcrist jcrist merged commit ae0aa43 into master Oct 3, 2018

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

@jcrist jcrist deleted the acl-support branch Oct 3, 2018
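
The access rules in the PR description above (disabled by default, owner-only once enabled, owner always allowed, extra users/groups, the "*" wildcard) can be modelled as a small decision function. This is an added example for reviewing a spec before submission, not skein's or YARN's own code; the function names, the owner `alice`, the `<category>_users`/`<category>_groups` key pattern beyond the three keys shown in the spec, the reading of "disabled" as "no filtering", and honouring "*" in group lists are assumptions.

```python
CATEGORIES = ("view", "modify", "ui")


def normalize(acls):
    """Fill in defaults: ACLs disabled, empty user/group lists per category."""
    acls = acls or {}
    out = {"enable": bool(acls.get("enable", False))}
    for cat in CATEGORIES:
        for kind in ("users", "groups"):
            out[f"{cat}_{kind}"] = set(acls.get(f"{cat}_{kind}") or ())
    return out


def has_access(acls, owner, user, user_groups, category):
    """Return True if `user` is granted `category` access to the application."""
    if category not in CATEGORIES:
        raise ValueError(f"unknown access category: {category!r}")
    acls = normalize(acls)
    if not acls["enable"]:
        return True  # assumption: disabled ACLs mean no filtering at all
    if user == owner:
        return True  # the application owner always has access
    users, groups = acls[f"{category}_users"], acls[f"{category}_groups"]
    if "*" in users or "*" in groups:  # assumption: "*" honoured in both lists
        return True
    return user in users or bool(groups & set(user_groups))


def open_to_everyone(acls):
    """Categories the spec leaves open to all users, for review before submit."""
    acls = normalize(acls)
    if not acls["enable"]:
        return list(CATEGORIES)
    return [c for c in CATEGORIES
            if "*" in acls[f"{c}_users"] | acls[f"{c}_groups"]]


# The spec from the PR description as a dict; the owner "alice" is constructed.
SPEC = {
    "enable": True,
    "ui_users": ["tom", "nancy"],
    "modify_groups": ["engineering"],
    "view_users": ["*"],
}
OWNER = "alice"
```

For VIEW and MODIFY this only models the intended outcome: as the description notes, those lists are forwarded to YARN, which ignores them unless the cluster is configured to enforce ACLs.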
