[
https://issues.apache.org/jira/browse/YARN-9385?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16791981#comment-16791981
]
Todd Lipcon commented on YARN-9385:
-----------------------------------
I noticed that the 'user.name' request parameter setting is done in two
different ways in this file. In the getRMWebAddress() function it's correctly
using UserGroupInformation to get the username, whereas in
'appendUserNameIfRequired()' it's using the Java system property. It seems
replacing the use of the system property with the UGI-based short name in
appendUserNameIfRequired() is the way to fix this.
However, I noticed one other inconsistency: appendUserNameIfRequired() is
basing its decision whether to append the username on the configuration of the
http authentication configuration variable, whereas getRMWebAddress is basing
it on whether Kerberos is enabled. Which of the two is correct? It seems like
probably the former (the HTTP-specific setting) is more appropriate.
> YARN Services with simple authentication doesn't respect current UGI
> --------------------------------------------------------------------
>
> Key: YARN-9385
> URL: https://issues.apache.org/jira/browse/YARN-9385
> Project: Hadoop YARN
> Issue Type: Improvement
> Components: security, yarn-native-services
> Reporter: Todd Lipcon
> Priority: Major
>
> The ApiServiceClient implementation appends the current username to the
> request URL for "simple" authentication. However, that username is derived
> from the 'user.name' system property instead of the current UGI. That means
> that username spoofing via the 'HADOOP_USER_NAME' variable doesn't take
> effect for HTTP-based calls in the same manner that it does for RPC-based
> calls.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
