[
https://issues.apache.org/jira/browse/YARN-9445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16811062#comment-16811062
]
Eric Yang edited comment on YARN-9445 at 4/5/19 5:16 PM:
---------------------------------------------------------
[~shuzirra] Thank you for the patch. From a code logic point of view, [~snemeth]
already covered the review. From a security point of view, it would be good to
change yarn-default.xml yarn.admin.acl from * to the current running user for yarn.
With the default configuration, the cluster is not exposed as wide open with the
behavior change in this patch. Maybe yarn.admin.acl set to empty can imply that
the current running user is the admin? This may help to prevent a bot from
taking control of the cluster before the admin secures the cluster properly.
was (Author: eyang):
[~shuzirra] Thank you for the patch. From a code logic point of view, [~snemeth]
already covered the review. From a security point of view, it would be good to
change yarn-default.xml yarn.admin.acl from * to the current running user for yarn.
With the default configuration, the cluster is not exposed as wide open with the
behavior change in this patch.
Maybe yarn.admin.acl set to empty can imply that the current running user is the
admin. This may help to prevent a bot from taking control of the cluster before
the admin secures the cluster properly.
> yarn.admin.acl is futile
> ------------------------
>
> Key: YARN-9445
> URL: https://issues.apache.org/jira/browse/YARN-9445
> Project: Hadoop YARN
> Issue Type: Bug
> Components: security
> Affects Versions: 3.3.0
> Reporter: Peter Simon
> Assignee: Gergely Pollak
> Priority: Major
> Attachments: YARN-9445.001.patch
>
>
> * Define a queue with restrictive administerApps settings (e.g. yarn)
> * Set yarn.admin.acl to "*".
> * Try to submit an application with user yarn, it is denied.
> This way my expected behaviour would be that while everyone is admin, I can
> submit to whatever pool.
>
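A configuration check for the concern raised in the comment above, as an added example that is not part of the issue, the patch, or the Hadoop code base: it reports when the effective yarn.admin.acl is the wildcard, either set explicitly or inherited from the `*` default. The function names and sample documents are hypothetical, and it assumes Hadoop's ACL string form of comma-separated users, a space, then comma-separated groups.

```python
import xml.etree.ElementTree as ET

# Default named in the comment above: yarn-default.xml ships yarn.admin.acl as "*".
DEFAULT_ADMIN_ACL = "*"
# Constructed sample yarn-site.xml documents (not taken from any real cluster).
PROP = "<configuration><property><name>{}</name><value>{}</value></property></configuration>"
SAMPLE_OPEN = PROP.format("yarn.admin.acl", "*")
SAMPLE_UNSET = PROP.format("yarn.acl.enable", "true")
SAMPLE_RESTRICTED = PROP.format("yarn.admin.acl", "yarn,ops hadoop-admins")


def effective_admin_acl(site_xml):
    """Return (acl_string, explicitly_set) for yarn.admin.acl in a site file."""
    value, found = DEFAULT_ADMIN_ACL, False
    for prop in ET.fromstring(site_xml).iter("property"):
        if (prop.findtext("name") or "").strip() == "yarn.admin.acl":
            # Assumption: when a name is repeated, the last definition wins.
            value, found = prop.findtext("value") or "", True
    return value, found


def parse_acl(acl):
    """Parse the 'user1,user2 group1,group2' ACL form; '*' means everyone."""
    if acl.strip() == "*":
        return {"wildcard": True, "users": [], "groups": []}
    parts = acl.split(" ", 1)
    users = [u.strip() for u in parts[0].split(",") if u.strip()]
    groups = [g.strip() for g in parts[1].split(",") if g.strip()] if len(parts) > 1 else []
    return {"wildcard": False, "users": users, "groups": groups}


def audit(site_xml):
    """Return (status, message) describing who the site file makes a YARN admin."""
    acl, explicit = effective_admin_acl(site_xml)
    parsed = parse_acl(acl)
    if parsed["wildcard"]:
        source = "explicitly" if explicit else "by default (property not set)"
        return "FAIL", f"yarn.admin.acl is '*' {source}: every user is a YARN admin"
    if not parsed["users"] and not parsed["groups"]:
        return "WARN", "yarn.admin.acl names no users or groups"
    return "OK", f"admins: users={parsed['users']} groups={parsed['groups']}"


if __name__ == "__main__":
    for name, doc in [("open", SAMPLE_OPEN), ("unset", SAMPLE_UNSET), ("restricted", SAMPLE_RESTRICTED)]:
        print(name, *audit(doc))
```
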