[
https://issues.apache.org/jira/browse/YARN-2911?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14524095#comment-14524095
]
Wangda Tan commented on YARN-2911:
----------------------------------
[~sevada], is this a same problem of YARN-2892, what are the differences
between them?
> Issues with GetApplications request in secure cluster
> -----------------------------------------------------
>
> Key: YARN-2911
> URL: https://issues.apache.org/jira/browse/YARN-2911
> Project: Hadoop YARN
> Issue Type: Bug
> Components: resourcemanager
> Reporter: Sevada Abraamyan
> Assignee: Sevada Abraamyan
>
> Both problems arise from the fact that the RM stores the short username of
> the app submitter.
> 1) When the {{GetApplicationsRequest}} contains a
> {{ApplicationsRequestScope.OWN}} filter, i.e. it wants to filter out all apps
> not owned by the user. The RM attempts to match the full username of the
> GetApplications requester against the stored short username to determine if
> the requester is the owner of the app. In a secure cluster this can fail as
> the two are not always equivalent.
> 2) The {{GetApplicationsRequest}} can be used to filter the the set of app
> returned to be only those which were submitted/owned by a set of users. Once
> again there is a mismatch here between short/full usernames. Since the client
> specifies the set of users, theoretically they can pass in a set of short
> usernames which would makes this feature work in a secure cluster. However,
> it is not expected that a client will have the correct
> {{hadoop.security.auth_to_local}} configuration and therefore they can not
> always be expected to get the correct short usernames.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
