[
https://issues.apache.org/jira/browse/YARN-707?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13753029#comment-13753029
]
Jason Lowe commented on YARN-707:
---------------------------------
Thanks for the review, Vinod.

I manually tested this on a secure 4-node cluster with MAPREDUCE-5475 on top of
the patch. I verified that a user could submit jobs and the submit client
could continue to monitor them. Also verified that another user with VIEW
access but not MODIFY access could not kill the job due to the ACL checks added
in MAPREDUCE-5475. I also verified via enabling debug logging in the AM that
the user name as seen by the MRAppMaster for the connecting client was the name
of the connecting client instead of the app submitter or appId.

As far as the UGI thing goes, I thought about adding it as a parameter.
However, not all callers have a UGI, so it pushes the problem upwards. I can
still make that change if desired.

> Add user info in the YARN ClientToken
> -------------------------------------
>
> Key: YARN-707
> URL: https://issues.apache.org/jira/browse/YARN-707
> Project: Hadoop YARN
> Issue Type: Improvement
> Reporter: Bikas Saha
> Assignee: Jason Lowe
> Priority: Blocker
> Fix For: 3.0.0, 2.1.1-beta
>
> Attachments: YARN-707-20130822.txt, YARN-707-20130827.txt,
> YARN-707-20130828-2.txt, YARN-707-20130828.txt
>
>
> If user info is present in the client token then it can be used to do limited
> authz in the AM.