[ https://issues.apache.org/jira/browse/YARN-9225?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16750958#comment-16750958 ]

Sunil Govindan commented on YARN-9225:
--------------------------------------

[~yangjiandan]

As per me, the current behavior of YARN is fine. To enhance security, you can
set root.acl_administer_queue to an empty value and restart YARN.

It's always designed to go up and check the parent's permission, as it is easy
to set an ACL at the top-level queue so that all child queues get the same.

A default install cannot enforce any additional specific ACL check, and hence
one should set it to an empty value from * in those queues which don't need ACL
enforcement.

> user can submit applications even though they are not in the submit&admin acl
> -----------------------------------------------------------------------------
>
>                 Key: YARN-9225
>                 URL: https://issues.apache.org/jira/browse/YARN-9225
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: yarn
>            Reporter: Jiandan Yang 
>            Assignee: Jiandan Yang 
>            Priority: Major
>         Attachments: YARN-9225.001.patch
>
>
> I submit an MR job even though the username is not in the submit&admin acl.
> The admin&submit acl of the test queue is yarn, and I submit the app using
> the username yangjiandan, which is not in the acl.
> I checked the related code and found the root cause is
> ConfiguredYarnAuthorizer#checkPermissionInternal: it will look through the
> parent queue when acl checking of the leaf queue fails, but the acl of the
> root queue is *ALL_ACL* in CapacitySchedulerConfiguration#getAcl, so acl
> checking can always pass.
> {code:java}
>   private boolean checkPermissionInternal(AccessType accessType,
>       PrivilegedEntity target, UserGroupInformation user) {
>     boolean ret = false;
>     Map<AccessType, AccessControlList> acls = allAcls.get(target);
>     if (acls != null) {
>       AccessControlList list = acls.get(accessType);
>       if (list != null) {
>         ret = list.isUserAllowed(user);
>       }
>     }
>     // does it need to check parent queue?
>     // recursively look up the queue to see if parent queue has the permission.
>     if (target.getType() == EntityType.QUEUE && !ret) {
>       String queueName = target.getName();
>       if (!queueName.contains(".")) {
>         return ret;
>       }
>       String parentQueueName =
>           queueName.substring(0, queueName.lastIndexOf("."));
>       return checkPermissionInternal(accessType,
>           new PrivilegedEntity(target.getType(), parentQueueName), user);
>     }
>     return ret;
>   }
> {code}
> My configuration is:
> yarn-site.xml: set the scheduler to CapacityScheduler and enable acl
> {code:java}
> <property>
>   <name>yarn.acl.enable</name>
>   <value>true</value>
> </property>
> <property>
>   <name>yarn.admin.acl</name>
>   <value> </value>
> </property>
>   <property>
>     <name>yarn.resourcemanager.scheduler.class</name>
>     <value>org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.CapacityScheduler</value>
>   </property>
> {code}
> capacity-scheduler.xml: set submitAcl and adminAcl of the test queue to yarn
> {code:java}
>   <property>
>     <name>yarn.scheduler.capacity.root.queues</name>
>     <value>default,test</value>
>   </property>
>   <property>
>     <name>yarn.scheduler.capacity.root.default.capacity</name>
>     <value>[memory=40960,vcores=100]</value>
>   </property>
>   <property>
>     <name>yarn.scheduler.capacity.root.default.maximum-capacity</name>
>     <value>[memory=409600,vcores=480]</value>
>   </property>
>   <property>
>     <name>yarn.scheduler.capacity.root.default.acl_submit_applications</name>
>     <value>yarn</value>
>   </property>
>   <property>
>     <name>yarn.scheduler.capacity.root.default.acl_administer_queue</name>
>     <value>yarn</value>
>   </property>
>   <property>
>     <name>yarn.scheduler.capacity.root.test.capacity</name>
>     <value>[memory=40960,vcores=100]</value>
>   </property>
>   <property>
>     <name>yarn.scheduler.capacity.root.test.maximum-capacity</name>
>     <value>[memory=409600,vcores=480]</value>
>   </property>
>   <property>
>     <name>yarn.scheduler.capacity.root.test.acl_submit_applications</name>
>     <value>yarn</value>
>   </property>
>   <property>
>     <name>yarn.scheduler.capacity.root.test.acl_administer_queue</name>
>     <value>yarn</value>
>   </property>
> {code}
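
The behaviour discussed in this thread, as an added example (not code from the issue or from Hadoop): a small Python audit that walks queue ACLs from leaf to root the way checkPermissionInternal does and reports queues where a user listed in no ACL is still granted access by an ancestor. It assumes an unset ACL on a non-root queue grants nobody, ignores group entries, and uses a constructed sample config modelled on the reporter's capacity-scheduler.xml; the function names are this example's own.

```python
import xml.etree.ElementTree as ET

PREFIX = "yarn.scheduler.capacity."
ACL_KEYS = ("acl_submit_applications", "acl_administer_queue")

def load_props(xml_text):
    """Parse <property> name/value pairs; values stay unstripped (" " is meaningful)."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name").strip(): p.findtext("value") or ""
            for p in root.iter("property")}

def acl_for(props, queue, key):
    # Root defaults to "*" when unset, as the issue describes (ALL_ACL).
    # Assumption: an unset ACL on any other queue grants nobody.
    return props.get(f"{PREFIX}{queue}.{key}", "*" if queue == "root" else " ")

def allows(acl, user):
    # Simplified ACL syntax "users groups"; "*" means everyone. Groups are ignored.
    if "*" in acl:
        return True
    users = acl.split(" ", 1)[0]
    return user in [u.strip() for u in users.split(",") if u.strip()]

def granting_queue(props, queue, key, user):
    """Walk leaf -> root like checkPermissionInternal; return the granting queue or None."""
    while True:
        if allows(acl_for(props, queue, key), user):
            return queue
        if "." not in queue:
            return None
        queue = queue.rsplit(".", 1)[0]

def audit(props, user="__unlisted_user__"):
    """List (queue, key, granting queue) where a user in no ACL still passes the check."""
    findings = []
    for name in props:
        for key in ACL_KEYS:
            if name.startswith(PREFIX) and name.endswith("." + key):
                queue = name[len(PREFIX):-len(key) - 1]
                granted_by = granting_queue(props, queue, key, user)
                if granted_by:
                    findings.append((queue, key, granted_by))
    return sorted(findings)

def config(extra=""):  # constructed sample modelled on the issue's capacity-scheduler.xml
    leaf = "".join(f"<property><name>{PREFIX}root.{q}.{k}</name><value>yarn</value></property>"
                   for q in ("default", "test") for k in ACL_KEYS)
    return f"<configuration>{leaf}{extra}</configuration>"

ROOT_EMPTY = "".join(f"<property><name>{PREFIX}root.{k}</name><value> </value></property>"
                     for k in ACL_KEYS)
AS_REPORTED = audit(load_props(config()))          # root ACLs unset
HARDENED = audit(load_props(config(ROOT_EMPTY)))   # root ACLs set to " "
```

With the root ACLs unset, every leaf ACL of `yarn` is reported as overridden by `root`; with both root ACLs set to an empty value the audit returns nothing.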


