[
https://issues.apache.org/jira/browse/YARN-9445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16811550#comment-16811550
]
Sunil Govindan edited comment on YARN-9445 at 4/6/19 10:40 AM:
---------------------------------------------------------------
Hi [~shuzirra]
To me, this is not a clean fix.
{code:java}
if (isAdmin(user) && accessType == AccessType.ADMINISTER_QUEUE) {
  return true;
}
{code}
A few reasons for the same:
# In YARN, we have different ACL managers: QueueACLsManager, AdminACLsManager,
ApplicationACLsManager etc. Each of them helps to do certain defined ACL
verification during app submission, read APIs such as queue info, list apps
etc. We need to use these effectively to cover all use cases.
# I checked the caller of checkAccess, and some of the managers are checking
the adminAcls separately. But for callers such as FS and CS, this check is not
there.
I am taking an example with 2 cases:
a) yarn.admin.acls=yarn and, for e.g.,
<prefix>.queueA.acl_submit_applications=john. Now user "john" can submit an app
to queueA. The "yarn" user should not be able to submit.
b) yarn.admin.acls=* and, for e.g.,
<prefix>.queueA.acl_submit_applications=john. Now user "john" can submit an app
to queueA. The "smith" user should not be able to submit.
As per my understanding, admin ACLs were added for YARN admin ops, if I remember
correctly. They were not clubbed with queue ops, as queue ACLs were different. I
am open to discussing whether we can improve this or not; however, I feel it may
break some compatibility. Please correct me if I am wrong.
Looping in a few more folks who worked on this earlier: [~leftnoteasy]
[~rohithsharma] [~bibinchundatt] [~vinodkv]
> yarn.admin.acl is futile
> ------------------------
>
> Key: YARN-9445
> URL: https://issues.apache.org/jira/browse/YARN-9445
> Project: Hadoop YARN
> Issue Type: Bug
> Components: security
> Affects Versions: 3.3.0
> Reporter: Peter Simon
> Assignee: Gergely Pollak
> Priority: Major
> Attachments: YARN-9445.001.patch
>
>
> * Define a queue with restrictive administerApps settings (e.g. yarn)
> * Set yarn.admin.acl to "*".
> * Try to submit an application with user yarn, it is denied.
> This way my expected behaviour would be that while everyone is admin, I can
> submit to whatever pool.
>
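The two cases from the comment above, worked through as an added example (not code from the patch, the commenter, or Hadoop). `QueueAclModel` and its methods are hypothetical names for a simplified model; it assumes that submission is allowed when the user passes either the `SUBMIT_APP` or the `ADMINISTER_QUEUE` check on the queue, and it compares the queue-only check with the admin short-circuit shown in the quoted snippet.

```java
import java.util.Map;
import java.util.Set;

// Simplified model for illustration; these are not Hadoop classes.
public class QueueAclModel {
    enum AccessType { SUBMIT_APP, ADMINISTER_QUEUE }

    final Set<String> adminAcl;                    // models the admin ACL
    final Map<AccessType, Set<String>> queueAcls;  // models queueA's ACLs

    QueueAclModel(Set<String> adminAcl, Map<AccessType, Set<String>> queueAcls) {
        this.adminAcl = adminAcl;
        this.queueAcls = queueAcls;
    }

    // "*" in an ACL matches every user.
    static boolean allows(Set<String> acl, String user) {
        return acl.contains("*") || acl.contains(user);
    }

    boolean checkAccess(String user, AccessType type, boolean adminShortCircuit) {
        // The snippet under review, modelled: admins pass ADMINISTER_QUEUE.
        if (adminShortCircuit && allows(adminAcl, user)
                && type == AccessType.ADMINISTER_QUEUE) {
            return true;
        }
        // Otherwise only the queue's own ACL for this access type is consulted.
        return allows(queueAcls.getOrDefault(type, Set.of()), user);
    }

    // Assumption: submission passes on SUBMIT_APP or ADMINISTER_QUEUE.
    boolean canSubmit(String user, boolean adminShortCircuit) {
        return checkAccess(user, AccessType.SUBMIT_APP, adminShortCircuit)
            || checkAccess(user, AccessType.ADMINISTER_QUEUE, adminShortCircuit);
    }

    public static void main(String[] args) {
        // Constructed sample configuration: only "john" may submit to queueA.
        Map<AccessType, Set<String>> queueA = Map.of(AccessType.SUBMIT_APP, Set.of("john"));
        QueueAclModel caseA = new QueueAclModel(Set.of("yarn"), queueA); // case a)
        QueueAclModel caseB = new QueueAclModel(Set.of("*"), queueA);    // case b)
        for (boolean fix : new boolean[] {false, true}) {
            System.out.printf("short-circuit=%b  a) john=%b yarn=%b  b) john=%b smith=%b%n",
                fix, caseA.canSubmit("john", fix), caseA.canSubmit("yarn", fix),
                caseB.canSubmit("john", fix), caseB.canSubmit("smith", fix));
        }
    }
}
```

Under this model, enabling the short-circuit lets "yarn" submit in case a) and lets "smith" submit in case b), so with an admin ACL of `*` the queue's submit ACL no longer restricts anyone.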