Sunil G commented on YARN-2310:

Yes. getAppAttempts and getAppState could also fall into this ACL check. The only 
problem is, *getAppAttempts* does not have an "HttpServletRequest hsr Context" parameter:
{code}
  public AppAttemptsInfo getAppAttempts(@PathParam("appid") String
{code}
Hence getting UGI information without HttpServletRequest is not possible for the 
getAppAttempts API.

> Revisit the APIs in RM web services where user information can make difference
> ------------------------------------------------------------------------------
>                 Key: YARN-2310
>                 URL: https://issues.apache.org/jira/browse/YARN-2310
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: resourcemanager, webapp
>    Affects Versions: 3.0.0, 2.5.0
>            Reporter: Zhijie Shen
> After YARN-2247, RM web services can be sheltered by the authentication 
> filter, which can help to identify who the user is. With this information, we 
> should be able to fix the security problem of some existing APIs, such as 
> getApp, getAppAttempts, getApps. We should use the user information to check 
> the ACLs before returning the requested data to the user.

This message was sent by Atlassian JIRA

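The fix the comment above points at is mechanical on the JAX-RS side: give getAppAttempts the same injected `@Context HttpServletRequest` that the other RM web service methods already receive, derive the caller's UserGroupInformation from it, and check the VIEW_APP ACL before any attempt data is serialised. The following is an added illustration of that pattern written for this thread; it is not code from the YARN project. The class name, package and the `callerUgi`/`checkViewAccess` helpers are hypothetical, and the Hadoop calls it relies on (`rm.getRMContext().getRMApps()`, `rm.getApplicationACLsManager().checkAccess(...)`, the `AppAttemptInfo(RMAppAttempt, String)` constructor) are assumed to match the 2.5-era ResourceManager API.

```java
// Added example for this discussion, not the YARN project's own code.
// Assumes Hadoop 2.5-era RM APIs; class, package and helper names are hypothetical.
package org.example.rmws;

import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;

import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.yarn.api.records.ApplicationAccessType;
import org.apache.hadoop.yarn.api.records.ApplicationId;
import org.apache.hadoop.yarn.server.resourcemanager.ResourceManager;
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp;
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttempt;
import org.apache.hadoop.yarn.server.resourcemanager.webapp.dao.AppAttemptInfo;
import org.apache.hadoop.yarn.server.resourcemanager.webapp.dao.AppAttemptsInfo;
import org.apache.hadoop.yarn.util.ConverterUtils;
import org.apache.hadoop.yarn.webapp.BadRequestException;
import org.apache.hadoop.yarn.webapp.ForbiddenException;
import org.apache.hadoop.yarn.webapp.NotFoundException;

@Path("/ws/v1/cluster")
public class AclCheckedAppAttempts {          // hypothetical resource class
  private final ResourceManager rm;

  public AclCheckedAppAttempts(ResourceManager rm) {
    this.rm = rm;
  }

  // Caller identity as set by the authentication filter (YARN-2247);
  // null when no remote user was established for this request.
  static UserGroupInformation callerUgi(HttpServletRequest hsr) {
    String remoteUser = hsr.getRemoteUser();
    return remoteUser == null ? null : UserGroupInformation.createRemoteUser(remoteUser);
  }

  // One shared check so getApp, getAppAttempts and getAppState enforce the same rule.
  // This example's choice: an unauthenticated caller is denied rather than let through.
  void checkViewAccess(HttpServletRequest hsr, RMApp app) {
    UserGroupInformation callerUGI = callerUgi(hsr);
    if (callerUGI == null) {
      throw new ForbiddenException("authentication required to view " + app.getApplicationId());
    }
    boolean allowed = rm.getApplicationACLsManager().checkAccess(
        callerUGI, ApplicationAccessType.VIEW_APP, app.getUser(), app.getApplicationId());
    if (!allowed) {
      throw new ForbiddenException("User " + callerUGI.getShortUserName()
          + " is not allowed to view " + app.getApplicationId());
    }
  }

  // Same path as the existing endpoint, with the injected request added so the
  // caller's UGI is available here too.
  @GET
  @Path("/apps/{appid}/appattempts")
  @Produces({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
  public AppAttemptsInfo getAppAttempts(@Context HttpServletRequest hsr,
      @PathParam("appid") String appId) {
    ApplicationId id;
    try {
      id = ConverterUtils.toApplicationId(appId);
    } catch (IllegalArgumentException e) {
      throw new BadRequestException("invalid application id: " + appId);
    }
    RMApp app = rm.getRMContext().getRMApps().get(id);
    if (app == null) {
      throw new NotFoundException("app with id: " + appId + " not found");
    }
    checkViewAccess(hsr, app);   // enforced before any attempt data is built

    AppAttemptsInfo attempts = new AppAttemptsInfo();
    for (RMAppAttempt attempt : app.getAppAttempts().values()) {
      attempts.add(new AppAttemptInfo(attempt, app.getUser()));
    }
    return attempts;
  }
}
```

The ordering matters: the "not found" check runs before the ACL check here, which tells an unauthorised caller whether an application id exists. If that is considered a leak, swap the two so that the ACL is evaluated on the owner first and a single forbidden response is returned in both cases.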