Jian He commented on YARN-3855:

I believe what you suggested is a general good practice to setup secure 
cluster. Btw, the patch did not enable/enforce any of this. People can config 
whatever they want for the http authentication regardless how the rest 
components are setup before this jira. The point of this jira is to prevent 
this scenario that user cannot view the applications in whatever way unless the 
daemon is restarted.

> If acl is enabled and http.authentication.type is simple, user cannot view 
> the app page in default setup
> --------------------------------------------------------------------------------------------------------
>                 Key: YARN-3855
>                 URL: https://issues.apache.org/jira/browse/YARN-3855
>             Project: Hadoop YARN
>          Issue Type: Bug
>            Reporter: Jian He
>            Assignee: Jian He
>         Attachments: YARN-3855.1.patch
> If all ACLs (admin acl, queue-admin-acls etc.) are setup properly and 
> "http.authentication.type" is 'simple' in secure mode , user cannot view the 
> application web page in default setup because the incoming user is always 
> considered as "dr.who" . User also cannot pass "user.name" to indicate the 
> incoming user name, because AuthenticationFilterInitializer is not enabled by 
> default. This is inconvenient from user's perspective. 

This message was sent by Atlassian JIRA

Reply via email to