[
https://issues.apache.org/jira/browse/YARN-9445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16811950#comment-16811950
]
Szilard Nemeth edited comment on YARN-9445 at 4/7/19 7:41 PM:
--------------------------------------------------------------
[~sunilg], [~bibinchundatt]:
I'm confused. Reading the 3.2.0 docs
([https://hadoop.apache.org/docs/r3.2.0/hadoop-yarn/hadoop-yarn-site/FairScheduler.html#Queue_Access_Control_Lists]
for FS/ACLs) says:
"Queue Access Control Lists (ACLs) allow administrators to control who may take
actions on particular queues. They are configured with the aclSubmitApps and
aclAdministerApps properties, which can be set per queue. Currently the only
supported administrative action is killing an application. An administrator may
also submit applications to it."
In this sense, aclAdministerApps not only gives permissions to execute admin
operations but also gives submission permissions to queues.
For me, not giving an administrator rights to everything seems controversial,
so the documentation is more logical. All in all, if we go with the direction
that admins don't get submission rights then we should also make sure the
documentation is in line with the decision.
I do agree with [~eyang] about restricting the default admin ACL to something
else than '*' but this requires a follow-up jira, I think.
was (Author: snemeth):
[~sunilg], [~bibinchundatt]:
I'm confused. Reading the 3.2.0 docs
([https://hadoop.apache.org/docs/r3.2.0/hadoop-yarn/hadoop-yarn-site/FairScheduler.html#Queue_Access_Control_Lists]
for FS/ACLs) says:
"Queue Access Control Lists (ACLs) allow administrators to control who may take
actions on particular queues. They are configured with the aclSubmitApps and
aclAdministerApps properties, which can be set per queue. Currently the only
supported administrative action is killing an application. An administrator may
also submit applications to it."
In this sense, aclAdministerApps not only gives permissions to execute admin
operations but also gives submission permissions to queues.
For me, not giving an administrator rights to everything seems controversial,
so the documentation is more logical. All in all, if we go with the direction
that admins don't get submission rights then we should also make sure the
documentation is in line with the decision.
I do agree with [~eyang] about restricting the default admin ACL to something
else than '*' but this requires a follow-up jira, I think.
> yarn.admin.acl is futile
> ------------------------
>
> Key: YARN-9445
> URL: https://issues.apache.org/jira/browse/YARN-9445
> Project: Hadoop YARN
> Issue Type: Bug
> Components: security
> Affects Versions: 3.3.0
> Reporter: Peter Simon
> Assignee: Gergely Pollak
> Priority: Major
> Attachments: YARN-9445.001.patch
>
>
> * Define a queue with restrictive administerApps settings (e.g. yarn)
> * Set yarn.admin.acl to "*".
> * Try to submit an application with user yarn, it is denied.
> This way my expected behaviour would be that while everyone is admin, I can
> submit to whatever pool.
>