[ 
https://issues.apache.org/jira/browse/YARN-2894?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14224844#comment-14224844
 ] 

Rohith commented on YARN-2894:
------------------------------

Consider scenario in following 
1. Yarn RM HA cluster is started with enabling ACL's. RM is in Active state.
2. Submit yarn application(app1), access this application from RM web ui.User 
is able to view the app1
3. Do transition ACTIVE --> STANDBY --> ACTIVE.
4. Submit another yarn application(app2). Try to access app2 link from RM web 
UI. It can not be viewed and throw NPE at RM log.

> When ACL's are enabled, if RM switches then application can not be viewed 
> from web.
> -----------------------------------------------------------------------------------
>
>                 Key: YARN-2894
>                 URL: https://issues.apache.org/jira/browse/YARN-2894
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: resourcemanager
>    Affects Versions: 2.6.0
>            Reporter: Rohith
>            Assignee: Rohith
>             Fix For: 2.7.0
>
>
> Binding aclManager to RMWebApp would cause problem if RM is switched. There 
> could be some validation check may fail.
> I think , we should not bind aclManager for RMWebApp, instead we should get 
> from RM instance.
> In RMWebApp,
> {code}
>     if (rm != null) {
>       bind(ResourceManager.class).toInstance(rm);
>       bind(RMContext.class).toInstance(rm.getRMContext());
>       bind(ApplicationACLsManager.class).toInstance(
>           rm.getApplicationACLsManager());
>       bind(QueueACLsManager.class).toInstance(rm.getQueueACLsManager());
>     }
> {code}
> and in AppBlock#render below check may fail(Need to test and confirm)
> {code}
>    if (callerUGI != null
>         && !(this.aclsManager.checkAccess(callerUGI,
>                 ApplicationAccessType.VIEW_APP, app.getUser(), appID) ||
>              this.queueACLsManager.checkAccess(callerUGI,
>                 QueueACL.ADMINISTER_QUEUE, app.getQueue()))) {
>       puts("You (User " + remoteUser
>           + ") are not authorized to view application " + appID);
>       return;
>     }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to