Wangda Tan commented on YARN-2911:

[~sevada], is this a same problem of YARN-2892, what are the differences 
between them?

> Issues with GetApplications request in secure cluster
> -----------------------------------------------------
>                 Key: YARN-2911
>                 URL: https://issues.apache.org/jira/browse/YARN-2911
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: resourcemanager
>            Reporter: Sevada Abraamyan
>            Assignee: Sevada Abraamyan
> Both problems arise from the fact that the RM stores the short username of 
> the app submitter. 
> 1) When the {{GetApplicationsRequest}} contains a 
> {{ApplicationsRequestScope.OWN}} filter, i.e. it wants to filter out all apps 
> not owned by the user. The RM attempts to match the full username of the 
> GetApplications requester against the stored short username to determine if 
> the requester is the owner of the app. In a secure cluster this can fail as 
> the two are not always equivalent. 
> 2) The {{GetApplicationsRequest}} can be used to filter the the set of app 
> returned to be only those which were submitted/owned by a set of users. Once 
> again there is a mismatch here between short/full usernames. Since the client 
> specifies the set of users, theoretically they can pass in a set of short 
> usernames which would makes this feature work in a secure cluster. However, 
> it is not expected that a client will have the correct 
> {{hadoop.security.auth_to_local}} configuration and therefore they can not 
> always be expected to get the correct short usernames. 

This message was sent by Atlassian JIRA

Reply via email to