ranger-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Yan Zhou <yzhou_1...@yahoo.com>
Subject Review Request 56094: Ranger-1339: DENY and ALLOW EXCLUSION do not work with YARN
Date Mon, 30 Jan 2017 19:47:24 GMT

This is an automatically generated e-mail. To reply, visit:

Review request for ranger.

Repository: ranger


When a user is denied, or excluded from "allowed", the use of "admin-queue", but is allowed
the "submit-app", he is actually unable to submit Yarn jobs at all.

The reason is found to be that the "implied grants" are indiscriminately incorporated into
allow/deny/allow-exception/deny-exception lists. Actually we need to differentiate two types
of implications. The first implication is "equivalent implication". The second is "unequivalent
implication". For the "ALL" permission, it is equivalent, meaning that "ALL" implies the all
implied permissions together, and vice versa. So DENY "ALL" will rid of any and all other
permissions from a user. For YARN's implication from "queue-admin" to "submit-app", it's not
equivalent. While "queue-admin" implies "submit-app", it is not the other way around; namely
that deny "admin-queue" to a user should not deny his "submit-app" permission. Thus the "implied
grants" should not be incorporated from the allow-exception/deny lists if they do not carry
the "all" semantics.


  agents-common/src/test/resources/policyengine/test_policyengine_yarn.json PRE-CREATION 

Diff: https://reviews.apache.org/r/56094/diff/


Regression, manual, and newly added automated tests.


Yan Zhou

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message