[jira] [Resolved] (YUNIKORN-2938) ACL check of the queue is unreasonable

Tue, 07 Jan 2025 00:07:19 -0800 


     [ 
https://issues.apache.org/jira/browse/YUNIKORN-2938?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Wilfred Spiegelenburg resolved YUNIKORN-2938.
---------------------------------------------
    Resolution: Duplicate

This is a duplicate of YUNIKORN-2939, same description in that jira

> ACL check of the queue is unreasonable
> --------------------------------------
>
>                 Key: YUNIKORN-2938
>                 URL: https://issues.apache.org/jira/browse/YUNIKORN-2938
>             Project: Apache YuniKorn
>          Issue Type: Bug
>          Components: core - scheduler
>    Affects Versions: 1.3.0, 1.5.2
>            Reporter: Xiaobao Wu
>            Priority: Minor
>
> I have the following queue configuration :
> {code:java}
>   queues.yaml: |
>     partitions:
>     - name: default
>       queues:
>       - name: root
>         parent: true
>         submitacl: '*'
>         queues:
>         - name: spark-test
>           resources:
>             guaranteed:
>               memory: 1Gi
>               vcore: "1"
>             max:
>               memory: 40Gi
>               vcore: "10"
>           submitacl: 'master'
>       placementrules:
>       - name: tag
>         create: true
>         value: namespace {code}
> I found that when I set the *root* submitacl to ' * ', the *root.spark-test* 
> submitacl seems to be invalid and seems to allow any user to submit. After I 
> looked at the code, I found a strange logical check of queue permissions :
> {code:java}
> func (sq *Queue) CheckSubmitAccess(user security.UserGroup) bool {
>     if common.IsRecoveryQueue(sq.QueuePath) {
>        // recovery queue can never pass ACL checks
>        return false
>     }
>     sq.RLock()
>     allow := sq.submitACL.CheckAccess(user) || sq.adminACL.CheckAccess(user)
>     sq.RUnlock()
>     if !allow && sq.parent != nil {
>        allow = sq.parent.CheckSubmitAccess(user)
>     }
>     return allow
> } {code}
> It can be seen that if the current subqueue does not allow the user to submit 
> jobs to this subqueue, it will recursively check its parent queue. I think 
> this is unreasonable, why the priority of the user rights of the parent queue 
> is higher than that of the child queue, which will cause some user rights 
> management problems.
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@yunikorn.apache.org
For additional commands, e-mail: dev-h...@yunikorn.apache.org

Reply via email to