[ https://issues.apache.org/jira/browse/YARN-9225?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16750779#comment-16750779 ]
Jiandan Yang commented on YARN-9225:
-------------------------------------

Setting root.acl_submit_applications and root.acl_administer_queue to a non-empty value can also resolve my problem. I suggest adding some examples about configuring the ACL of a queue.

> user can submit applications even though they are not in the submit&admin acl
> -----------------------------------------------------------------------------
>
>                 Key: YARN-9225
>                 URL: https://issues.apache.org/jira/browse/YARN-9225
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: yarn
>            Reporter: Jiandan Yang
>            Assignee: Jiandan Yang
>            Priority: Major
>         Attachments: YARN-9225.001.patch
>
> I submitted an MR job even though the username is not in the submit&admin ACL.
> The admin&submit ACL of the test queue is yarn, and I submitted the app using the username yangjiandan, which is not in the ACL.
> I checked the related code and found the root cause is ConfiguredYarnAuthorizer#checkPermissionInternal: it looks through the parent queue when the ACL check of the leaf queue fails, but the ACL of the root queue is *ALL_ACL* in CapacitySchedulerConfiguration#getAcl, so the ACL check can always pass.
> {code:java}
> private boolean checkPermissionInternal(AccessType accessType,
>     PrivilegedEntity target, UserGroupInformation user) {
>   boolean ret = false;
>   Map<AccessType, AccessControlList> acls = allAcls.get(target);
>   if (acls != null) {
>     AccessControlList list = acls.get(accessType);
>     if (list != null) {
>       ret = list.isUserAllowed(user);
>     }
>   }
>   // does it need to check parent queue?
>   // recursively look up the queue to see if parent queue has the permission.
>   if (target.getType() == EntityType.QUEUE && !ret) {
>     String queueName = target.getName();
>     if (!queueName.contains(".")) {
>       return ret;
>     }
>     String parentQueueName =
>         queueName.substring(0, queueName.lastIndexOf("."));
>     return checkPermissionInternal(accessType,
>         new PrivilegedEntity(target.getType(), parentQueueName), user);
>   }
>   return ret;
> }
> {code}
> My configuration is:
> yarn-site.xml: set the scheduler to CapacityScheduler and enable ACLs
> {code:xml}
> <property>
>   <name>yarn.acl.enable</name>
>   <value>true</value>
> </property>
> <property>
>   <name>yarn.admin.acl</name>
>   <value> </value>
> </property>
> <property>
>   <name>yarn.resourcemanager.scheduler.class</name>
>   <value>org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.CapacityScheduler</value>
> </property>
> {code}
> capacity-scheduler.xml: set submitAcl and adminAcl of the test queue to yarn
> {code:xml}
> <property>
>   <name>yarn.scheduler.capacity.root.queues</name>
>   <value>default,test</value>
> </property>
> <property>
>   <name>yarn.scheduler.capacity.root.default.capacity</name>
>   <value>[memory=40960,vcores=100]</value>
> </property>
> <property>
>   <name>yarn.scheduler.capacity.root.default.maximum-capacity</name>
>   <value>[memory=409600,vcores=480]</value>
> </property>
> <property>
>   <name>yarn.scheduler.capacity.root.default.acl_submit_applications</name>
>   <value>yarn</value>
> </property>
> <property>
>   <name>yarn.scheduler.capacity.root.default.acl_administer_queue</name>
>   <value>yarn</value>
> </property>
> <property>
>   <name>yarn.scheduler.capacity.root.test.capacity</name>
>   <value>[memory=40960,vcores=100]</value>
> </property>
> <property>
>   <name>yarn.scheduler.capacity.root.test.maximum-capacity</name>
>   <value>[memory=409600,vcores=480]</value>
> </property>
> <property>
>   <name>yarn.scheduler.capacity.root.test.acl_submit_applications</name>
>   <value>yarn</value>
> </property>
> <property>
>   <name>yarn.scheduler.capacity.root.test.acl_administer_queue</name>
>   <value>yarn</value>
> </property>
> {code}
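An added configuration check, not part of the issue or of Hadoop's code: it parses a capacity-scheduler.xml and replays the parent walk described above, with root defaulting to ALL_ACL ("*") as in CapacitySchedulerConfiguration#getAcl, to show which leaf ACLs are effectively bypassed and which root ACLs are left open. The helper names (load_props, acl_allows, check_permission, open_root_acls) are hypothetical, and SAMPLE_XML is a constructed, trimmed copy of the reporter's configuration.

```python
# Audit capacity-scheduler.xml for the YARN-9225 pattern (added example, not Hadoop code).
import xml.etree.ElementTree as ET

PREFIX = "yarn.scheduler.capacity."
ACL_KEYS = ("acl_submit_applications", "acl_administer_queue")

# Constructed sample: the reporter's config trimmed to the relevant properties
# (test queue restricted to "yarn", no ACL configured on root).
SAMPLE_XML = """<configuration>
  <property><name>yarn.scheduler.capacity.root.queues</name><value>default,test</value></property>
  <property><name>yarn.scheduler.capacity.root.test.acl_submit_applications</name><value>yarn</value></property>
  <property><name>yarn.scheduler.capacity.root.test.acl_administer_queue</name><value>yarn</value></property>
</configuration>"""

def load_props(xml_text):
    """Return {name: value} from a Hadoop-style <configuration> document."""
    props = {}
    for p in ET.fromstring(xml_text).findall("property"):
        props[p.findtext("name", "").strip()] = (p.findtext("value") or "").strip()
    return props

def acl_allows(acl, user):
    """Hadoop AccessControlList semantics, user part only: '*' is everyone; otherwise
    the comma-separated users before the first space (groups follow); blank is nobody."""
    if acl == "*":
        return True
    return user in acl.split(" ", 1)[0].split(",") if acl else False

def check_permission(props, queue, acl_key, user):
    """Mirror ConfiguredYarnAuthorizer#checkPermissionInternal: if the queue's own ACL
    denies, walk up the dotted queue path and allow if any ancestor allows.
    Root defaults to ALL_ACL ('*'), every other queue to nobody."""
    q = queue
    while True:
        acl = props.get(PREFIX + q + "." + acl_key, "*" if q == "root" else "")
        if acl_allows(acl, user):
            return True
        if "." not in q:
            return False
        q = q.rsplit(".", 1)[0]

def open_root_acls(props):
    """ACL keys whose root value is absent or '*': every leaf ACL below is bypassed."""
    return [k for k in ACL_KEYS if props.get(PREFIX + "root." + k, "*") == "*"]

if __name__ == "__main__":
    props = load_props(SAMPLE_XML)
    print("open root ACLs:", open_root_acls(props))
    print("yangjiandan may submit to root.test:",
          check_permission(props, "root.test", "acl_submit_applications", "yangjiandan"))
    props[PREFIX + "root.acl_submit_applications"] = "yarn"  # the fix from the comment
    print("after restricting root:",
          check_permission(props, "root.test", "acl_submit_applications", "yangjiandan"))
```

Run against the real file with `load_props(open("capacity-scheduler.xml").read())`; any key returned by `open_root_acls` means the leaf ACLs for that action are not enforced.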