[
https://issues.apache.org/jira/browse/YUNIKORN-2939?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17910546#comment-17910546
]
Wilfred Spiegelenburg commented on YUNIKORN-2939:
-------------------------------------------------
ACLs allow access; they do not deny access.
If you have access to the parent queue you also have access to the child. If a
queue has no ACL set it does not add any new users at that level. Access to the
queue is the sum of the users allowed in the hierarchy.
For your use case, instead of providing everyone access to the root queue, you
specify access to the level below it and do not set an ACL on the root. The
default configuration sets a wildcard at the root to provide a working
configuration. In a production system you probably want to change that to a
queue at a lower level. It is not a requirement to have the wildcard at the
root.
> ACL check of the queue is unreasonable
> --------------------------------------
>
> Key: YUNIKORN-2939
> URL: https://issues.apache.org/jira/browse/YUNIKORN-2939
> Project: Apache YuniKorn
> Issue Type: Bug
> Components: core - scheduler
> Affects Versions: 1.3.0, 1.5.2
> Reporter: Xiaobao Wu
> Priority: Minor
>
> I have the following queue configuration :
> {code:java}
> queues.yaml: |
>   partitions:
>     - name: default
>       queues:
>         - name: root
>           parent: true
>           submitacl: '*'
>           queues:
>             - name: spark-test
>               resources:
>                 guaranteed:
>                   memory: 1Gi
>                   vcore: "1"
>                 max:
>                   memory: 40Gi
>                   vcore: "10"
>               submitacl: 'master'
>       placementrules:
>         - name: tag
>           create: true
>           value: namespace
> {code}
> I found that when I set the *root* submitacl to ' * ', the *root.spark-test*
> submitacl seems to be invalid and seems to allow any user to submit. After I
> looked at the code, I found a strange logical check of queue permissions :
> {code:java}
> func (sq *Queue) CheckSubmitAccess(user security.UserGroup) bool {
>     if common.IsRecoveryQueue(sq.QueuePath) {
>         // recovery queue can never pass ACL checks
>         return false
>     }
>     sq.RLock()
>     allow := sq.submitACL.CheckAccess(user) || sq.adminACL.CheckAccess(user)
>     sq.RUnlock()
>     if !allow && sq.parent != nil {
>         allow = sq.parent.CheckSubmitAccess(user)
>     }
>     return allow
> }
> {code}
> It can be seen that if the current subqueue does not allow the user to submit
> jobs to this subqueue, it will recursively check its parent queue. I think
> this is unreasonable, why the priority of the user rights of the parent queue
> is higher than that of the child queue, which will cause some user rights
> management problems.
> For example, in this case, if I want to indicate that any user has permission
> to submit to the root queue, only the master user has permission to submit to
> root.spark-test, it seems to be difficult to represent.
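The additive ACL behaviour discussed in this thread, as an added example that is not part of the original message and is not YuniKorn code. It is a simplified model: ACLs are user lists or '*', groups and admin ACLs are left out, and the sibling queue root.open, the user alice and all function names are hypothetical. It compares the reporter's configuration (wildcard on root) with the layout suggested in the comment (no ACL on root, ACLs one level down).

```go
package main

import (
	"fmt"
	"strings"
)

// queue is a simplified stand-in for a scheduler queue. submitACL is "" (not
// set), "*" (everyone) or a comma-separated user list; groups are left out.
type queue struct {
	name      string
	submitACL string
	parent    *queue
}

// aclAllows reports whether one ACL string admits the user.
func aclAllows(acl, user string) bool {
	for _, u := range strings.Split(acl, ",") {
		if u = strings.TrimSpace(u); u == "*" || (u != "" && u == user) {
			return true
		}
	}
	return false
}

// grantedAt walks from q up to the root and returns the first queue whose ACL
// admits the user, or "". A child ACL can only add users, never remove them.
func grantedAt(q *queue, user string) string {
	for ; q != nil; q = q.parent {
		if aclAllows(q.submitACL, user) {
			return q.name
		}
	}
	return ""
}

// build returns root.spark-test (ACL 'master', as in the issue) and a
// hypothetical wildcard sibling root.open under a root with the given ACL.
func build(rootACL string) (sparkTest, open *queue) {
	root := &queue{name: "root", submitACL: rootACL}
	return &queue{"root.spark-test", "master", root}, &queue{"root.open", "*", root}
}

func main() {
	for _, rootACL := range []string{"*", ""} {
		leaf, _ := build(rootACL)
		fmt.Printf("root ACL %q: alice via %q, master via %q\n", rootACL, grantedAt(leaf, "alice"), grantedAt(leaf, "master"))
	}
}
```

Reporting which level granted access makes it easy to audit a hierarchy for a wildcard higher up that overrides a restrictive child ACL.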