[ https://issues.apache.org/jira/browse/YARN-9385?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16792034#comment-16792034 ]

Eric Yang commented on YARN-9385:
---------------------------------
The server-side JVM must use the UserGroupInformation class to resolve the current user for
proper resolution of the incoming user. In a client-side JVM (single-user JVM),
using the system property is more secure, to prevent the JVM from impersonating another user.
This is the reason that ApiServiceClient uses the Java system property to look
up the user when simple security is used. The degree of difficulty to spoof
HADOOP_USER_NAME vs java -Duser.name= is only slightly harder for overriding
the system property, and easier to be found. If we want to change the code for
consistency reasons, it can be done.

> YARN Services with simple authentication doesn't respect current UGI
> --------------------------------------------------------------------
>
> Key: YARN-9385
> URL: https://issues.apache.org/jira/browse/YARN-9385
> Project: Hadoop YARN
> Issue Type: Improvement
> Components: security, yarn-native-services
> Reporter: Todd Lipcon
> Priority: Major
>
> The ApiServiceClient implementation appends the current username to the
> request URL for "simple" authentication. However, that username is derived
> from the 'user.name' system property instead of the current UGI. That means
> that username spoofing via the 'HADOOP_USER_NAME' variable doesn't take
> effect for HTTP-based calls in the same manner that it does for RPC-based
> calls.
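
The difference discussed in this issue, as an added example that is not part of the original message or the Hadoop code base: the same request URL built from the `user.name` system property and from the current UGI, outside and inside a `doAs` block. It assumes hadoop-common on the classpath and simple authentication; the class name, helper names and URL are hypothetical.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.security.UserGroupInformation;

public class SimpleAuthUserDemo {

  // Hypothetical helper: appends the user.name query parameter that
  // "simple" HTTP authentication reads the caller's identity from.
  static String withUser(String url, String user) throws IOException {
    return url + "?user.name=" + URLEncoder.encode(user, "UTF-8");
  }

  // Identity taken from the JVM system property (behaviour the issue describes).
  static String fromSystemProperty(String url) throws IOException {
    return withUser(url, System.getProperty("user.name"));
  }

  // Identity taken from the current UGI (what RPC-based calls use).
  static String fromCurrentUgi(String url) throws IOException {
    return withUser(url,
        UserGroupInformation.getCurrentUser().getShortUserName());
  }

  public static void main(String[] args) throws Exception {
    // Constructed placeholder endpoint, not taken from the issue.
    String url = "http://rm.example.invalid:8088/app/v1/services";

    // Outside doAs: the two agree unless HADOOP_USER_NAME is set.
    System.out.println("system property: " + fromSystemProperty(url));
    System.out.println("current UGI:     " + fromCurrentUgi(url));

    // Inside doAs: the UGI is "alice" (constructed sample user), but the
    // system property still names the OS account that started the JVM.
    UserGroupInformation alice = UserGroupInformation.createRemoteUser("alice");
    alice.doAs((PrivilegedExceptionAction<Void>) () -> {
      System.out.println("doAs, system property: " + fromSystemProperty(url));
      System.out.println("doAs, current UGI:     " + fromCurrentUgi(url));
      return null;
    });
  }
}
```

Under simple authentication both values are chosen by the client, so neither URL proves who the caller is; the example only shows which identity each lookup puts on the wire.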