Zhijie Shen commented on YARN-2310:

Thanks for notifying me of that. Would you please check the other app-related 
getter methods? For example, getAppAttempts. It seems that we can access it 
without any access control.

> Revisit the APIs in RM web services where user information can make difference
> ------------------------------------------------------------------------------
>                 Key: YARN-2310
>                 URL: https://issues.apache.org/jira/browse/YARN-2310
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: resourcemanager, webapp
>    Affects Versions: 3.0.0, 2.5.0
>            Reporter: Zhijie Shen
> After YARN-2247, RM web services can be sheltered by the authentication 
> filter, which can help to identify who the user is. With this information, we 
> should be able to fix the security problem of some existing APIs, such as 
> getApp, getAppAttempts, getApps. We should use the user information to check 
> the ACLs before returning the requested data to the user.
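The pattern discussed above, an unchecked getter beside one that consults the caller's identity and the application ACLs before returning data, as an added illustration that is not Hadoop YARN code. The `App`, `RmWebServicesModel`, `view_acl` and `admins` names are a constructed model, not the RM's actual classes or ACL fields.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


class Forbidden(Exception):
    """Caller is authenticated but not allowed to view this application."""


@dataclass
class App:
    app_id: str
    owner: str
    attempts: List[str]
    view_acl: Set[str] = field(default_factory=set)  # users granted VIEW_APP ("*" = everyone)


class RmWebServicesModel:
    """Constructed stand-in for the RM web service getters (not the real implementation)."""

    def __init__(self, apps: List[App], admins: Set[str]):
        self._apps: Dict[str, App] = {a.app_id: a for a in apps}
        self._admins = admins

    def get_app_attempts_unchecked(self, app_id: str) -> List[str]:
        # The pattern flagged in the comment: data is returned with no ACL check at all.
        return self._apps[app_id].attempts

    def get_app_attempts(self, caller: Optional[str], app_id: str) -> List[str]:
        # Hardened form: the authentication filter supplies `caller`; check ACLs before answering.
        app = self._apps.get(app_id)
        if app is None:
            raise KeyError(app_id)
        if not self._can_view(caller, app):
            raise Forbidden(f"{caller!r} may not view {app_id}")
        return app.attempts

    def _can_view(self, caller: Optional[str], app: App) -> bool:
        if caller is None:           # no identity from the filter: fail closed
            return False
        return (caller == app.owner
                or caller in self._admins
                or "*" in app.view_acl
                or caller in app.view_acl)


# Constructed sample data: two applications owned by different users.
MODEL = RmWebServicesModel(
    apps=[App("application_1", "alice", ["attempt_1", "attempt_2"], view_acl={"carol"}),
          App("application_2", "bob", ["attempt_1"])],
    admins={"yarn-admin"},
)
```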
