[jira] [Commented] (YARN-2310) Revisit the APIs in RM web services where user information can make difference

2014-08-18 Thread Sunil G (JIRA)

[ https://issues.apache.org/jira/browse/YARN-2310?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14100963#comment-14100963 ]

Sunil G commented on YARN-2310:
---

Yes. getAppAttempts and getAppState could also fall into this ACL check. The only 
problem is that *getAppAttempts* does not have the "HttpServletRequest hsr Context". 
{code}
public AppAttemptsInfo getAppAttempts(@PathParam("appid") String appId)
{code}
Hence getting UGI information without HttpServletRequest is not possible for the 
getAppAttempts API.

> Revisit the APIs in RM web services where user information can make difference
> --
>
> Key: YARN-2310
> URL: https://issues.apache.org/jira/browse/YARN-2310
> Project: Hadoop YARN
>  Issue Type: Bug
>  Components: resourcemanager, webapp
>Affects Versions: 3.0.0, 2.5.0
>Reporter: Zhijie Shen
>
> After YARN-2247, RM web services can be sheltered by the authentication 
> filter, which can help to identify who the user is. With this information, we 
> should be able to fix the security problem of some existing APIs, such as 
> getApp, getAppAttempts, getApps. We should use the user information to check 
> the ACLs before returning the requested data to the user.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
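A model of the remediated shape of getAppAttempts, written for this note and not taken from Hadoop's code: the hypothetical `CallerRequest` interface stands in for the `HttpServletRequest` that JAX-RS injects with `@Context`, and the application table, admin set, application and attempt ids are constructed. It shows why the missing request parameter matters: with no way to learn the caller, the method has no identity to check and must fail closed. Save as AppAttemptsAclDemo.java (Java 16+).

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Stand-in for javax.servlet.http.HttpServletRequest (hypothetical interface for this example). */
interface CallerRequest {
    String getRemoteUser(); // principal set by the authentication filter, or null if none
}

/** Minimal application record: owner, users granted VIEW_APP, attempt ids (constructed data). */
record App(String appId, String owner, Set<String> viewAcl, List<String> attemptIds) {}

public class AppAttemptsAclDemo {
    private final Map<String, App> apps;  // plays the role of the RM's application table
    private final Set<String> admins;     // plays the role of the cluster admin ACL
    AppAttemptsAclDemo(Map<String, App> apps, Set<String> admins) {
        this.apps = apps;
        this.admins = admins;
    }

    /** VIEW_APP decision: the owner, an explicitly granted viewer, or a cluster admin may read. */
    boolean hasAccess(App app, String caller) {
        if (caller == null) return false; // no identity (request absent or unauthenticated): fail closed
        return caller.equals(app.owner()) || app.viewAcl().contains(caller) || admins.contains(caller);
    }
    /** Remediated shape of getAppAttempts: the request is a parameter, so the caller can be checked. */
    List<String> getAppAttempts(CallerRequest hsr, String appId) {
        App app = apps.get(appId);
        if (app == null) throw new IllegalArgumentException("unknown application: " + appId);
        String caller = hsr == null ? null : hsr.getRemoteUser();
        if (!hasAccess(app, caller)) {
            throw new SecurityException("user " + caller + " lacks VIEW_APP on " + appId);
        }
        return app.attemptIds();
    }

    public static void main(String[] args) {
        // Constructed sample data: alice owns the app and has granted bob view access.
        App app = new App("application_1408000000000_0001", "alice", Set.of("bob"),
                List.of("appattempt_1408000000000_0001_000001"));
        AppAttemptsAclDemo rm = new AppAttemptsAclDemo(Map.of(app.appId(), app), Set.of("yarn"));
        System.out.println(rm.getAppAttempts(() -> "bob", app.appId())); // granted through the ACL
        for (CallerRequest r : new CallerRequest[] { null, () -> "mallory" }) { // no identity, then stranger
            try {
                rm.getAppAttempts(r, app.appId());
            } catch (SecurityException e) {
                System.out.println("denied: " + e.getMessage());
            }
        }
    }
}
```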


[jira] [Commented] (YARN-2310) Revisit the APIs in RM web services where user information can make difference

2014-08-18 Thread Zhijie Shen (JIRA)

[ https://issues.apache.org/jira/browse/YARN-2310?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14100883#comment-14100883 ]

Zhijie Shen commented on YARN-2310:
---

Thanks for notifying me of that. Would you please check the other app-related 
getter methods? For example, getAppAttempts: it seems that we can access it 
without any access control.






[jira] [Commented] (YARN-2310) Revisit the APIs in RM web services where user information can make difference

2014-08-18 Thread Sunil G (JIRA)

[ https://issues.apache.org/jira/browse/YARN-2310?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14100874#comment-14100874 ]

Sunil G commented on YARN-2310:
---

YARN-1867 has added queue ACL checks, and hasAccess is already invoked by the 
getApp and getApps APIs. If queue ACL access is available, then information about 
an application such as *start/finished/elapsed time* and *AM container 
information* will be filled into the AppInfo object.
Do you mean that some extra information is taken from the customized YARN filter 
added in YARN-2247? Could you please give some more insight?



