[ https://issues.apache.org/jira/browse/YARN-578?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13662504#comment-13662504 ]
Omkar Vinit Joshi commented on YARN-578:
----------------------------------------

Thanks Vinod.

bq. Instead of matching messages in the exception block, why not separate the try {} catch {} block for the SecureIOUtils check?

No, as both of them are throwing IOException only (with different messages; should we fix the exception type for both of them?) and they will occur for the same SecureIOUtils.open call.

bq. The exception message is confusing. Let us say that the authenticated user is foo and the application-submitter is bar. The message talks about bar not having permissions to read the file which is totally confusing to foo. We should instead say something in the lines of "The log-file generated by the application-submitter foo has invalid permissions, so not showing etc.."

Updated the message.

bq. You don't need the unnecessary string concatenation: ' doesn't have permissions to read " + "log file :"

Yeah, fixed it.

bq. LogAggregationService can ignore these permissions and upload sensitive files! Please fix this and write a test to verify that it doesn't happen.

Fixed. Added test.

bq. It seems like when logs are deleted, we are using the correct user to delete them. But can you write tests to validate this for two cases (1) when log-aggregation is enabled and (2) when it isn't.

1) Added test for it.
2) is already verified.

> NodeManager should use SecureIOUtils for serving and aggregating logs
> ---------------------------------------------------------------------
>
>                 Key: YARN-578
>                 URL: https://issues.apache.org/jira/browse/YARN-578
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: nodemanager
>            Reporter: Vinod Kumar Vavilapalli
>            Assignee: Omkar Vinit Joshi
>         Attachments: yarn-578-20130426.patch, YARN-578-20130506.patch, YARN-578-20130520.patch
>
>
> Log servlets for serving logs and the ShuffleService for serving intermediate
> outputs both should use SecureIOUtils for avoiding symlink attacks.
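The kind of check the issue asks the log servlet and the aggregation service to make, sketched in Python as an added example (not code from the YARN-578 patch or from Hadoop's SecureIOUtils): open the log, then verify file type and owner on the open descriptor before reading or uploading anything. The names `open_log_checked`, `LogAccessError` and `demo`, the use of `O_NOFOLLOW`, and the sample log directory are assumptions constructed for illustration; POSIX only.

```python
import os
import stat
import tempfile


class LogAccessError(OSError):
    """Log file failed the file-type or ownership check (hypothetical name)."""


def open_log_checked(path, expected_uid):
    """Open path read-only and verify, on the open descriptor, that it is a
    regular file owned by expected_uid (hypothetical helper)."""
    # O_NOFOLLOW: fail if the final path component is a symlink.
    # O_NONBLOCK: do not hang if the log was replaced by a FIFO.
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK
    try:
        fd = os.open(path, flags)
    except OSError as e:
        raise LogAccessError(f"cannot open {path}: {e.strerror}") from e
    try:
        # fstat() describes the file actually opened, so the path cannot be
        # swapped between the check and the read.
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise LogAccessError(f"{path} is not a regular file")
        if st.st_uid != expected_uid:
            raise LogAccessError(
                f"owner uid {st.st_uid} of {path} did not match {expected_uid}")
    except BaseException:
        os.close(fd)
        raise
    return os.fdopen(fd, "rb")


def demo():
    """Constructed log dir: one real log, one symlink planted as a log."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        real, planted = os.path.join(d, "stdout"), os.path.join(d, "stderr")
        with open(real, "wb") as f:
            f.write(b"container output\n")
        os.symlink(real, planted)  # stands in for a link out of the log dir
        me = os.getuid()
        cases = [("owned", real, me), ("wrong_owner", real, me + 1),
                 ("symlink", planted, me)]
        for name, path, uid in cases:
            try:
                with open_log_checked(path, uid) as f:
                    results[name] = f.read()
            except LogAccessError:
                results[name] = "denied"
    return results
```

The same helper would sit in front of both the serving path and the aggregation upload, so a file that fails the check is neither displayed nor copied.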