[ 
https://issues.apache.org/jira/browse/YARN-9225?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16750779#comment-16750779
 ] 

Jiandan Yang  commented on YARN-9225:
-------------------------------------

Setting root.acl_submit_applications and root.acl_administer_queue to non-empty 
values also resolves my problem.
I suggest adding an example of configuring queue ACLs.

> user can submit applications even though they are not in the submit&admin acl
> -----------------------------------------------------------------------------
>
>                 Key: YARN-9225
>                 URL: https://issues.apache.org/jira/browse/YARN-9225
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: yarn
>            Reporter: Jiandan Yang 
>            Assignee: Jiandan Yang 
>            Priority: Major
>         Attachments: YARN-9225.001.patch
>
>
> I can submit an MR job even though the username is not in the submit&admin acl.
> The admin&submit acl of the test queue is yarn, and I submit the app using the 
> username yangjiandan, which is not in the acl.
> I checked the related code and found the root cause is 
> ConfiguredYarnAuthorizer#checkPermissionInternal: it looks through the parent 
> queue when acl checking of the leaf queue fails, but the acl of the root queue is 
> *ALL_ACL* in CapacitySchedulerConfiguration#getAcl, so acl checking can 
> always pass.
> {code:java}
>   private boolean checkPermissionInternal(AccessType accessType,
>       PrivilegedEntity target, UserGroupInformation user) {
>     boolean ret = false;
>     Map<AccessType, AccessControlList> acls = allAcls.get(target);
>     if (acls != null) {
>       AccessControlList list = acls.get(accessType);
>       if (list != null) {
>         ret = list.isUserAllowed(user);
>       }
>     }
>     // does it need to check parent queue?
>     // recursively look up the queue to see if parent queue has the permission.
>     if (target.getType() == EntityType.QUEUE && !ret) {
>       String queueName = target.getName();
>       if (!queueName.contains(".")) {
>         return ret;
>       }
>       String parentQueueName =
>           queueName.substring(0, queueName.lastIndexOf("."));
>       return checkPermissionInternal(accessType,
>           new PrivilegedEntity(target.getType(), parentQueueName), user);
>     }
>     return ret;
>   }
> {code}
> My configuration is:
> yarn-site.xml: set the scheduler to CapacityScheduler and enable acls
> {code:java}
> <property>
>   <name>yarn.acl.enable</name>
>   <value>true</value>
> </property>
> <property>
>   <name>yarn.admin.acl</name>
>   <value> </value>
> </property>
>   <property>
>     <name>yarn.resourcemanager.scheduler.class</name>
>     <value>org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.CapacityScheduler</value>
>   </property>
> {code}
> capacity-scheduler.xml: set submitAcl and adminAcl of the test queue to yarn
> {code:java}
>   <property>
>     <name>yarn.scheduler.capacity.root.queues</name>
>     <value>default,test</value>
>   </property>
>   <property>
>     <name>yarn.scheduler.capacity.root.default.capacity</name>
>     <value>[memory=40960,vcores=100]</value>
>   </property>
>   <property>
>     <name>yarn.scheduler.capacity.root.default.maximum-capacity</name>
>     <value>[memory=409600,vcores=480]</value>
>   </property>
>   <property>
>     <name>yarn.scheduler.capacity.root.default.acl_submit_applications</name>
>     <value>yarn</value>
>   </property>
>   <property>
>     <name>yarn.scheduler.capacity.root.default.acl_administer_queue</name>
>     <value>yarn</value>
>   </property>
>   <property>
>     <name>yarn.scheduler.capacity.root.test.capacity</name>
>     <value>[memory=40960,vcores=100]</value>
>   </property>
>   <property>
>     <name>yarn.scheduler.capacity.root.test.maximum-capacity</name>
>     <value>[memory=409600,vcores=480]</value>
>   </property>
>   <property>
>     <name>*yarn.scheduler.capacity.root.test.acl_submit_applications*</name>
>     <value>yarn</value>
>   </property>
>   <property>
>     <name>yarn.scheduler.capacity.root.test.acl_administer_queue</name>
>     <value>yarn</value>
>   </property>
> {code}
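As an added illustration (not code from the issue or from Hadoop itself), the following Python models the parent-queue fallback described above over a constructed capacity-scheduler.xml, and adds a small audit that flags any queue ACL an ancestor's effective "*" ACL renders ineffective. It assumes the defaults the issue describes (root defaults to "*", other queues to an empty ACL) and simplifies AccessControlList by ignoring group membership.

```python
import xml.etree.ElementTree as ET
PREFIX = "yarn.scheduler.capacity."
# Constructed sample modelled on the issue's capacity-scheduler.xml: root sets
# no ACL at all, so it falls back to the ALL_ACL ("*") default.
SAMPLE_XML = """<configuration>
  <property><name>yarn.scheduler.capacity.root.queues</name><value>default,test</value></property>
  <property><name>yarn.scheduler.capacity.root.test.acl_submit_applications</name><value>yarn</value></property>
  <property><name>yarn.scheduler.capacity.root.test.acl_administer_queue</name><value>yarn</value></property>
</configuration>"""
def load_props(xml_text):
    """Flatten Hadoop's <property><name/><value/></property> XML into a dict."""
    return {p.findtext("name").strip(): (p.findtext("value") or "")
            for p in ET.fromstring(xml_text).iter("property")}

def queue_acl(props, queue, acl_key):
    """Defaults as the issue describes CapacitySchedulerConfiguration#getAcl:
    root falls back to ALL_ACL ("*"), every other queue to NONE_ACL (" ")."""
    return props.get(f"{PREFIX}{queue}.{acl_key}", "*" if queue == "root" else " ")

def user_allowed(acl, user):
    """Simplified AccessControlList#isUserAllowed: "*" = everyone, blank = nobody,
    otherwise "user1,user2 group1,group2" (group membership ignored here)."""
    acl = acl.strip()
    if acl == "*":
        return True
    return bool(acl) and user in acl.split(" ", 1)[0].split(",")

def check_permission(props, queue, acl_key, user):
    """Mirror ConfiguredYarnAuthorizer#checkPermissionInternal: when a queue
    denies, retry on its parent until some queue allows or root denies."""
    if user_allowed(queue_acl(props, queue, acl_key), user):
        return True
    if "." not in queue:
        return False
    return check_permission(props, queue.rsplit(".", 1)[0], acl_key, user)

def widened_acls(props):
    """Audit: (queue, acl_key, ancestor) triples where a restrictive queue ACL
    is undone by an ancestor whose effective ACL is "*"."""
    findings = []
    for key in props:
        if key.startswith(PREFIX) and ".acl_" in key:
            queue, acl_key = key[len(PREFIX):].rsplit(".", 1)
            parent = queue
            while "." in parent and queue_acl(props, queue, acl_key).strip() != "*":
                parent = parent.rsplit(".", 1)[0]
                if queue_acl(props, parent, acl_key).strip() == "*":
                    findings.append((queue, acl_key, parent))
                    break
    return findings
```

Running widened_acls on the sample reports both test-queue ACLs as widened by root; adding explicit root.acl_submit_applications and root.acl_administer_queue values (the commenter's workaround) clears the report and makes the denial for yangjiandan effective.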



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
