[
https://issues.apache.org/jira/browse/YARN-10870?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Szilard Nemeth reassigned YARN-10870:
-------------------------------------
Assignee: Gergely Pollák (was: Siddharth Ahuja)
> Missing user filtering check -> yarn.webapp.filter-entity-list-by-user for RM
> Scheduler page
> --------------------------------------------------------------------------------------------
>
> Key: YARN-10870
> URL: https://issues.apache.org/jira/browse/YARN-10870
> Project: Hadoop YARN
> Issue Type: Bug
> Components: yarn
> Reporter: Siddharth Ahuja
> Assignee: Gergely Pollák
> Priority: Major
> Fix For: 3.4.0, 3.3.2, 3.2.4
>
> Attachments: YARN-10870.001.patch, YARN-10870.002.patch,
> YARN-10870.branch-3.1.002.patch, YARN-10870.branch-3.2.002.patch,
> YARN-10870.branch-3.3.002.patch
>
>
> Non-permissible users are (incorrectly) able to view application submitted by
> another user on the RM's Scheduler UI (not Applications UI), where
> _non-permissible users_ are non-application-owners and are not present in the
> application ACL -> mapreduce.job.acl-view-job, nor present in the Queue ACL
> as a Queue admin to which this job was submitted to" (see [1] where both the
> filter setting introduced by YARN-8319 & ACL checks are performed):
> The issue can be reproduced easily by having the setting
> {{yarn.webapp.filter-entity-list-by-user}} set to true in yarn-site.xml.
> The above disallows non-permissible users from viewing another user's
> applications in the Applications page, but not in the Scheduler's page.
> The filter setting seems to be getting checked only on the getApps() call but
> not while rendering the apps information on the Scheduler page. This seems to
> be a "missed" feature from YARN-8319.
> Following pre-requisites are needed to reproduce the issue:
> * Kerberized cluster,
> * SPNEGO enabled for HDFS & YARN,
> * Add test users - systest and user1 on all nodes.
> * Add kerberos princs for the above users.
> * Create HDFS user dirs for above users and chown them appropriately.
> * Run a sample MR Sleep job and test.
> Steps to reproduce the issue:
> * kinit as "systest" user and run a sample MR sleep job from one of the nodes
> in the cluster:
> {code}
> yarn jar <path_to_hadoop-mapreduce-client-jobclient-tests.jar> sleep -m 1 -mt
> 3600000
> {code}
> * kinit as "user1" from Mac as an example (this assumes you've copied the
> /etc/krb5.conf from the cluster to your Mac's /private/etc folder already for
> Spengo auth).
> * Open the Applications page. user1 cannot view the job being run by systest.
> This is correct.
> * Open the Scheduler page. user1 *CAN* view the job being run by systest.
> This is *INCORRECT*.
> [1]
> https://github.com/apache/hadoop/blob/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L676
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
