[ https://issues.apache.org/jira/browse/YARN-2310?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14100883#comment-14100883 ]

Zhijie Shen commented on YARN-2310:
-----------------------------------

Thanks for notifying me of that. Would you please check the other app-related 
getter methods? For example, getAppAttempts. It seems that we can access 
without any access control.

> Revisit the APIs in RM web services where user information can make difference
> ------------------------------------------------------------------------------
>
>                 Key: YARN-2310
>                 URL: https://issues.apache.org/jira/browse/YARN-2310
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: resourcemanager, webapp
>    Affects Versions: 3.0.0, 2.5.0
>            Reporter: Zhijie Shen
>
> After YARN-2247, RM web services can be sheltered by the authentication 
> filter, which can help to identify who the user is. With this information, we 
> should be able to fix the security problem of some existing APIs, such as 
> getApp, getAppAttempts, getApps. We should use the user information to check 
> the ACLs before returning the requested data to the user.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
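Added example, not Hadoop's own code: one way to gate RMWebServices-style getters (getApp, getAppAttempts, getApps) on the application VIEW ACL using the user that the authentication filter identifies. It assumes the existing ApplicationACLsManager.checkAccess(...) and areACLsEnabled() and RMApp.getUser()/getApplicationId(); the class AclGatedAppReads and its anonymous-caller policy are this example's own choices.

```java
// Added example (not YARN's code): ACL-gated reads for RM web-service app getters.
import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response.Status;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.yarn.api.records.ApplicationAccessType;
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp;
import org.apache.hadoop.yarn.server.security.ApplicationACLsManager;

public final class AclGatedAppReads {
  private final ApplicationACLsManager aclsManager;

  public AclGatedAppReads(ApplicationACLsManager aclsManager) {
    this.aclsManager = aclsManager;
  }

  /** Caller as identified by the auth filter; null when the request is anonymous. */
  static UserGroupInformation callerOf(HttpServletRequest hsr) {
    String remoteUser = hsr.getRemoteUser();
    return remoteUser == null ? null : UserGroupInformation.createRemoteUser(remoteUser);
  }

  /** VIEW_APP check: owner, cluster admins and users/groups in the app's view ACL pass. */
  boolean canView(UserGroupInformation caller, RMApp app) {
    if (caller == null) {
      // Example policy (assumption): anonymous reads only when ACL enforcement is off.
      return !aclsManager.areACLsEnabled();
    }
    return aclsManager.checkAccess(caller, ApplicationAccessType.VIEW_APP,
        app.getUser(), app.getApplicationId());
  }

  /** Single-app read (getApp / getAppAttempts): refuse instead of returning the record. */
  RMApp viewOrForbid(HttpServletRequest hsr, RMApp app) {
    if (app == null) {
      throw new WebApplicationException(Status.NOT_FOUND);
    }
    if (!canView(callerOf(hsr), app)) {
      throw new WebApplicationException(Status.FORBIDDEN);
    }
    return app;
  }

  /** Listing (getApps): filter to what the caller may view rather than failing the call. */
  List<RMApp> visibleTo(HttpServletRequest hsr, Iterable<RMApp> apps) {
    UserGroupInformation caller = callerOf(hsr);
    List<RMApp> out = new ArrayList<RMApp>();
    for (RMApp app : apps) {
      if (canView(caller, app)) {
        out.add(app);
      }
    }
    return out;
  }
}
```

A 403 on a single-app read confirms that the application id exists; answer 404 in both the missing and the forbidden case if that should not be disclosed.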
