[
https://issues.apache.org/jira/browse/YUNIKORN-2937?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17891516#comment-17891516
]
Wilfred Spiegelenburg commented on YUNIKORN-2937:
-------------------------------------------------
The ACL setup is defined as fail closed. Unless you explicitly give
permission it is denied. That is the way it fails securely. Instead of failing
open, which is open to abuse, you need to fail closed and explicitly open up.
The example config opens up the root which gives you access to all queues. That
is not something you should do in a secure production environment. You open
queues at a level as close to the leaf queue as possible and leave the root
closed.
> Dynamic queue has no permissions
> --------------------------------
>
> Key: YUNIKORN-2937
> URL: https://issues.apache.org/jira/browse/YUNIKORN-2937
> Project: Apache YuniKorn
> Issue Type: Bug
> Components: core - scheduler
> Affects Versions: 1.3.0, 1.5.2
> Reporter: Xiaobao Wu
> Priority: Minor
> Attachments: yunikorn-confi-without queue.yaml.png
>
>
> I have the following queue configuration:
> {code:java}
> queues.yaml: |
>   partitions:
>     - name: default
>       queues:
>         - name: root
>           parent: true
>           queues:
>             - name: spark-test
>               resources:
>                 guaranteed:
>                   memory: 1Gi
>                   vcore: "1"
>                 max:
>                   memory: 40Gi
>                   vcore: "10"
>               submitacl: 'master'
>       placementrules:
>         - name: tag
>           create: true
>           value: namespace
> {code}
> When I submit the job to the namespace {*}dev{*}, because of the placement rule
> YK will submit the job to the 'dynamic' queue {*}root.dev{*}. However, I
> found that if the root queue is not configured to submitacl as '*', the job
> will be rejected; this job can be submitted successfully only if the root
> queue configures submitacl as '*' or *does not add* queues.yaml content in
> yunikorn-configs.
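The fail-closed, inherited submit ACL behaviour discussed in this message, as a simplified Go model. This is an added example, not YuniKorn's own code and not part of the original message; the parent queue `root.namespaces`, the user `dev-user` and the group `dev-team` are assumptions made for illustration.

```go
// Simplified model of a fail-closed, inherited submit ACL check (not YuniKorn's code).
package main

import (
	"fmt"
	"strings"
)

// Queue is one node of the hierarchy. An empty SubmitACL grants nothing.
type Queue struct {
	Name, SubmitACL string // SubmitACL: "users groups" (comma-separated) or "*"
	Parent          *Queue
}

// inList reports whether want appears in a comma-separated list.
func inList(list, want string) bool {
	for _, item := range strings.Split(list, ",") {
		if s := strings.TrimSpace(item); s != "" && s == want {
			return true
		}
	}
	return false
}

// CanSubmit walks from the target queue up to the root. The first ACL that
// matches grants access; running out of ancestors denies (fail closed).
func CanSubmit(q *Queue, user string, groups []string) bool {
	for ; q != nil; q = q.Parent {
		parts := strings.SplitN(q.SubmitACL+" ", " ", 2) // users, then groups
		ok := strings.TrimSpace(q.SubmitACL) == "*" || inList(parts[0], user)
		for _, g := range groups {
			ok = ok || inList(parts[1], g)
		}
		if ok {
			return true
		}
	}
	return false
}

func main() {
	root := &Queue{Name: "root"}                  // closed root, as in the reported config
	dev := &Queue{Name: "root.dev", Parent: root} // dynamic queue, no ACL of its own
	// Hypothetical parent opened for one group only; root itself stays closed.
	ns := &Queue{Name: "root.namespaces", SubmitACL: " dev-team", Parent: root}
	nsDev := &Queue{Name: "root.namespaces.dev", Parent: ns}
	fmt.Println(CanSubmit(dev, "dev-user", []string{"dev-team"}))   // false
	fmt.Println(CanSubmit(nsDev, "dev-user", []string{"dev-team"})) // true
}
```

A dynamic queue carries no ACL of its own, so in this model the decision always comes from the nearest ancestor that grants access.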