[ https://issues.apache.org/jira/browse/YARN-2911?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14524095#comment-14524095 ]
Wangda Tan commented on YARN-2911:
----------------------------------

[~sevada], is this the same problem as YARN-2892? What are the differences between them?

> Issues with GetApplications request in secure cluster
> -----------------------------------------------------
>
>                 Key: YARN-2911
>                 URL: https://issues.apache.org/jira/browse/YARN-2911
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: resourcemanager
>            Reporter: Sevada Abraamyan
>            Assignee: Sevada Abraamyan
>
> Both problems arise from the fact that the RM stores the short username of
> the app submitter.
> 1) When the {{GetApplicationsRequest}} contains an
> {{ApplicationsRequestScope.OWN}} filter, i.e. it wants to filter out all apps
> not owned by the user, the RM attempts to match the full username of the
> GetApplications requester against the stored short username to determine if
> the requester is the owner of the app. In a secure cluster this can fail as
> the two are not always equivalent.
> 2) The {{GetApplicationsRequest}} can be used to filter the set of apps
> returned to be only those which were submitted/owned by a set of users. Once
> again there is a mismatch here between short/full usernames. Since the client
> specifies the set of users, theoretically they can pass in a set of short
> usernames which would make this feature work in a secure cluster. However,
> it is not expected that a client will have the correct
> {{hadoop.security.auth_to_local}} configuration and therefore they cannot
> always be expected to get the correct short usernames.
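
The short/full username mismatch described in the quoted issue, as an added Python model (not Hadoop code and not the YARN-2911 patch). `to_short_name` is a hypothetical, simplified stand-in for a `hadoop.security.auth_to_local` mapping, and the realm, users and app records are constructed sample data.

```python
import re

DEFAULT_REALM = "EXAMPLE.COM"  # constructed realm, not taken from the issue


def to_short_name(principal, default_realm=DEFAULT_REALM):
    """Hypothetical stand-in for an auth_to_local mapping (assumption):
    keep the first component of a principal in the default realm."""
    m = re.fullmatch(r"([^/@]+)(?:/[^@]+)?(?:@(.+))?", principal)
    if m is None:
        raise ValueError(f"malformed principal: {principal!r}")
    name, realm = m.groups()
    if realm is not None and realm != default_realm:
        # Fail closed: an unmapped realm must not match any stored owner.
        raise ValueError(f"no mapping rule for realm {realm!r}")
    return name


# Constructed app records. As in the report, only the short name is stored.
APPS = [
    {"id": "app_1", "user": "alice"},
    {"id": "app_2", "user": "bob"},
]


def own_apps_buggy(requester, apps=APPS):
    # Problem 1: the requester's full name is compared with the stored short name.
    return [a["id"] for a in apps if a["user"] == requester]


def own_apps_normalised(requester, apps=APPS):
    # One possible approach: map the requester on the server, where the
    # mapping rules are configured, before comparing.
    short = to_short_name(requester)
    return [a["id"] for a in apps if a["user"] == short]


def apps_for_users(users, apps=APPS):
    # Problem 2: accept full or short names from the client and normalise
    # each one server-side, so the client needs no mapping configuration.
    wanted = {to_short_name(u) for u in users}
    return [a["id"] for a in apps if a["user"] in wanted]
```
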