[ 
https://issues.apache.org/jira/browse/YARN-9039?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16694446#comment-16694446
 ] 

Suma Shivaprasad commented on YARN-9039:
----------------------------------------

Thanks for the review [~bibinchundatt]. Will make changes to address 1) and 3). 

For 2) AdminAclManager and ApplicationACLsManager changes are not required.

-> YARN Logs CLI directly reads logs for finished apps from storage and, without 
this patch, it relies only on storage ACLs for restricting users from reading 
another user's logs. FileSystems which support POSIX ACLs, like HDFS, can work 
with this, but this becomes an issue with cloud storage like S3, where different 
users' logs can reside in the same log aggregation bucket. The line of code I 
removed was adding the logged-in user as admin, which is problematic in the case of 
YARN CLI - while testing with S3, unless there are object-level ACLs, any user 
can access any other user's logs if this change is not done. Let me know if 
there are any concerns with this.

Will remove changes in ApplicationACLsManager.

> App ACLs are not validated when serving logs from Logs CLI/Yarn UI2
> -------------------------------------------------------------------
>
>                 Key: YARN-9039
>                 URL: https://issues.apache.org/jira/browse/YARN-9039
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: log-aggregation
>            Reporter: Suma Shivaprasad
>            Assignee: Suma Shivaprasad
>            Priority: Critical
>         Attachments: YARN-9039.1.patch, YARN-9039.2.patch
>
>
> App ACLs are not being validated when serving logs through YARN CLI. 
> This also applies while serving logs through YARN UIV2 through ATSV2 Log 
> Webservice.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
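
The failure mode described in the comment above, as an added example that is not part of the original message or of the YARN-9039 patch: a simplified model of an application view-ACL check, showing why adding the logged-in user to the admin set makes the check pass for every caller when the storage layer (a shared bucket without object-level ACLs) enforces nothing. All class names, method names, users and app ids here are hypothetical and constructed for illustration; they are not Hadoop's own classes.

```java
import java.util.*;

// Simplified, hypothetical model; not Hadoop's AdminACLsManager or
// ApplicationACLsManager. Requires Java 16+ (records).
public class LogAclDemo {
    // Constructed sample data: two apps whose aggregated logs share one bucket.
    record App(String id, String owner, Set<String> viewAcl) {}

    static final Map<String, App> APPS = Map.of(
        "app_1", new App("app_1", "alice", Set.of("carol")),
        "app_2", new App("app_2", "bob", Set.of()));

    // Cluster admins as configured by the operator (constructed value).
    static final Set<String> CLUSTER_ADMINS = Set.of("yarn");

    // Flawed client-side behaviour: the logged-in user is added to the admin
    // set before the check, so the check passes for every caller.
    static boolean canViewFlawed(String caller, App app) {
        Set<String> admins = new HashSet<>(CLUSTER_ADMINS);
        admins.add(caller);
        return check(caller, app, admins);
    }

    // Corrected behaviour: only configured admins, the app owner, or users
    // named in the app's view ACL may read the logs.
    static boolean canViewFixed(String caller, App app) {
        return check(caller, app, CLUSTER_ADMINS);
    }

    static boolean check(String caller, App app, Set<String> admins) {
        return admins.contains(caller)
            || app.owner().equals(caller)
            || app.viewAcl().contains(caller);
    }

    public static void main(String[] args) {
        // Print the decision for every caller/app pair under both behaviours.
        for (String caller : List.of("alice", "bob", "carol", "yarn")) {
            for (App app : new TreeMap<>(APPS).values()) {
                System.out.printf("%-5s -> %s  flawed=%-5b fixed=%b%n",
                    caller, app.id(),
                    canViewFlawed(caller, app), canViewFixed(caller, app));
            }
        }
    }
}
```

In this model the flawed check returns true for every pair, while the fixed check denies bob on app_1 and denies alice and carol on app_2.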
