[ https://issues.apache.org/jira/browse/YARN-9445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16812282#comment-16812282 ]
Gergely Pollak commented on YARN-9445:
--------------------------------------
[~sunilg], [~snemeth], [~eyang], [~bibinchundatt] thank you for your feedback!
Let me fix the issues mentioned by Szilard and reported by the jenkins jobs,
also trying to find a more queue specific place for the modification.
However, I agree with the opinion that admin should have access to everything. We
shouldn't worry about the admin exploiting its new submission permission,
because if someone with admin permission wants to exploit the system they can
do it anyway. We cannot protect the system from its own administrators.
Also, it's worth mentioning that in FairScheduler queue admins can already submit
applications, so this modification just makes yarn.admin.acl a queue admin as
well. And I really think we should not have 2 kinds of admins. If a user is
granted administrative permissions on a queue level, it should be a queue admin
only, however a global admin should be queue admin as well, it follows nicely
the "queue inherits its parent's permission" pattern.
And I strongly agree with [~eyang] that we should change the default value for
the yarn.admin.acl, because I think it can easily result in a really insecure
cluster, but of course that's not the scope of this jira, and it might have a
large impact.
> yarn.admin.acl is futile
> ------------------------
>
> Key: YARN-9445
> URL: https://issues.apache.org/jira/browse/YARN-9445
> Project: Hadoop YARN
> Issue Type: Bug
> Components: security
> Affects Versions: 3.3.0
> Reporter: Peter Simon
> Assignee: Gergely Pollak
> Priority: Major
> Attachments: YARN-9445.001.patch
>
>
> * Define a queue with restrictive administerApps settings (e.g. yarn)
> * Set yarn.admin.acl to "*".
> * Try to submit an application with user yarn, it is denied.
> This way my expected behaviour would be that while everyone is admin, I can
> submit to whatever pool.
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)