GitHub user lhaiesp opened a pull request:
https://github.com/apache/samza/pull/592
SAMZA-1794: setting application acl in launch context
Currently we don't set application acl for container launch context. See
https://hadoop.apache.org/docs/r2.6.4/api/org/apache/hadoop/yarn/api/records/ContainerLaunchContext.html#setApplicationACLs(java.util.Map)
This could potentially cause problem if samza job is running on a secured
YARN cluster. Say user A submits the job, then by default only user A can view
the log and the status of the job. Even worse case is that user A submits the
job through some proxy account, then even user A herself/himself couldn't
access to logs/status of the application.
We need to make some changes for the YARN application submission to set
application acls in launch context as configured.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/lhaiesp/samza master
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/samza/pull/592.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #592
----
commit 6f11c2c0d3dd2b96b3261174b068dae75a2fb2b3
Author: Hai Lu <halu@...>
Date: 2018-07-31T22:27:03Z
SAMZA-1794: setting application acl in launch context for secured YARN
cluster
----
---
