[https://issues.apache.org/jira/browse/YARN-9445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16811958#comment-16811958]
Eric Yang commented on YARN-9445:
---------------------------------
[~sunilg] [~bibinchundatt] Security should be designed to be permissive from
the admin's point of view instead of mutually exclusive. Security may appear
mutually exclusive (allowed or disallowed) from the user's point of view.
However, proper security design should be permissive from the admin's point of
view. Admin must have the ability to perform the same operation if the user is
not available to carry out the operation.
{quote}a) yarn.admin.acls=yarn. and for e,
<prefix>.queueA.acl_submit_applications=john. Now user "john" can submit app to
queueA. "yarn" user should not be able to submit.{quote}
I do not believe disallowing the system admin to submit jobs improves security
in the above statement. It only creates inconvenience for impersonation, in
that the YARN service user credential cannot submit a job on behalf of the
user. Admin can always run "sudo" to submit the job for the user. Hence, this
artificially designed mutually exclusive constraint is a no-op security
feature. Some improvement in this area would make the system easier to operate
and avoid paradoxes that prevent admin from fixing users' problems.
> yarn.admin.acl is futile
> ------------------------
>
> Key: YARN-9445
> URL: https://issues.apache.org/jira/browse/YARN-9445
> Project: Hadoop YARN
> Issue Type: Bug
> Components: security
> Affects Versions: 3.3.0
> Reporter: Peter Simon
> Assignee: Gergely Pollak
> Priority: Major
> Attachments: YARN-9445.001.patch
>
>
> * Define a queue with restrictive administerApps settings (e.g. yarn)
> * Set yarn.admin.acl to "*".
> * Try to submit an application with user yarn, it is denied.
> This way my expected behaviour would be that while everyone is admin, I can
> submit to whatever pool.
>