[ https://issues.apache.org/jira/browse/YARN-3855?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14602308#comment-14602308 ]

Allen Wittenauer commented on YARN-3855:
----------------------------------------

bq. we do see some use cases that people want their cluster secure but not the 
web UI.

Just because people want it, doesn't mean it's a valid configuration. By 
enabling insecure browsing on the YARN UI on a secure cluster with ACL 
management setup, you've essentially opened up a security hole.

bq. which is what ATS is currently doing.

Then ATS also has a security hole.

> If acl is enabled and http.authentication.type is simple, user cannot view 
> the app page in default setup
> --------------------------------------------------------------------------------------------------------
>
>                 Key: YARN-3855
>                 URL: https://issues.apache.org/jira/browse/YARN-3855
>             Project: Hadoop YARN
>          Issue Type: Bug
>            Reporter: Jian He
>            Assignee: Jian He
>         Attachments: YARN-3855.1.patch
>
>
> If all ACLs (admin acl, queue-admin-acls etc.) are setup properly and 
> "http.authentication.type" is 'simple' in secure mode, user cannot view the 
> application web page in default setup because the incoming user is always 
> considered as "dr.who". User also cannot pass "user.name" to indicate the 
> incoming user name, because AuthenticationFilterInitializer is not enabled by 
> default. This is inconvenient from user's perspective.
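For readers following the thread, here is an added illustration (not part of the JIRA discussion or the YARN-3855 patch) contrasting the core-site.xml setup the issue describes with one where the web UI actually authenticates the caller before ACLs are evaluated. The property names are Hadoop's standard HTTP authentication settings; the realm, keytab and secret-file values are placeholders.

```xml
<!-- (A) core-site.xml as the issue describes it (constructed example).
     No filter initializer is configured, so every HTTP request is attributed
     to hadoop.http.staticuser.user (default "dr.who"); ACL checks on the YARN
     UI fail for real users and a user.name query parameter is ignored. -->
<configuration>
  <property>
    <name>hadoop.http.authentication.type</name>
    <value>simple</value>
  </property>
</configuration>

<!-- (B) core-site.xml for a secure cluster with ACLs: the web UI must
     establish identity the same way the RPC layer does. -->
<configuration>
  <property>
    <!-- installs the authentication filter so the UI sees the real caller -->
    <name>hadoop.http.filter.initializers</name>
    <value>org.apache.hadoop.security.AuthenticationFilterInitializer</value>
  </property>
  <property>
    <!-- SPNEGO/Kerberos instead of 'simple': a caller cannot choose its name -->
    <name>hadoop.http.authentication.type</name>
    <value>kerberos</value>
  </property>
  <property>
    <name>hadoop.http.authentication.kerberos.principal</name>
    <value>HTTP/_HOST@EXAMPLE.REALM</value> <!-- placeholder realm -->
  </property>
  <property>
    <name>hadoop.http.authentication.kerberos.keytab</name>
    <value>/etc/security/keytabs/spnego.service.keytab</value> <!-- placeholder -->
  </property>
  <property>
    <!-- secret that signs the auth cookie; keep it in a root-readable file -->
    <name>hadoop.http.authentication.signature.secret.file</name>
    <value>/etc/security/http-auth-signature-secret</value> <!-- placeholder -->
  </property>
  <property>
    <!-- defence in depth if 'simple' is ever re-enabled: no anonymous access,
         so a request without an authenticated identity is rejected outright -->
    <name>hadoop.http.authentication.simple.anonymous.allowed</name>
    <value>false</value>
  </property>
</configuration>
```

With (B), the YARN ACLs are evaluated against the Kerberos principal's short name rather than against "dr.who" or a client-supplied user.name, which is the property the comment above is defending.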



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
