Hi Madhan,

Just a follow up on this issue. I was thinking the easiest way to solve it is to follow your first suggestion to remove the implied grant. However, the problem is that this implied grant exists in Yarn itself. So if "alice" is granted the "administer queue" permission only, she can still submit applications.

I'm thinking now that we might be better off just to leave the existing logic, that "administer queue" implies "submit application". If a user is "denied" "administer queue", then this just overrides any "positive" "submit application" permission.

WDYT?

Colm.

On Wed, Nov 8, 2017 at 8:18 PM, Don Bosco Durai <bo...@apache.org> wrote:

> @madhan or @ramesh or @abhay are the right folks.
>
> Thanks
>
> Bosco
>
>
> On 11/8/17, 4:52 AM, "Colm O hEigeartaigh" <cohei...@apache.org> wrote:
>
>     Hi,
>
>     A user logged an issue with Yarn that I finally got around to looking at.
>     The proposed patch submitted by the user is here:
>
>     https://reviews.apache.org/r/56094/
>
>     The problem is that a user "alice" can have the "submit-app" permission,
>     but be denied the "admin-queue" permission. This should work in theory, but
>     it doesn't. "admin-queue" implies "submit-app", but the Ranger policy logic
>     seems to interpret this implication incorrectly, in that a "negative"
>     admin-queue policy overrides a "positive" submit-app policy.
>
>     As the change is in the core policy logic I'd like an experienced reviewer
>     to take a look.
>
>     Colm.
>
>
>     --
>     Colm O hEigeartaigh
>
>     Talend Community Coder
>     http://coders.talend.com
>
>
>

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
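
The two readings of the implied grant discussed in this thread, as an added example that is not part of the original messages and is not Apache Ranger code. It is a toy deny-over-allow evaluator; the policy layout, the function names and the `expand_deny` switch are assumptions made for illustration, and the sample policies are constructed.

```python
# Toy model of deny-over-allow evaluation with implied grants.
# Not Ranger's implementation: names and data layout are hypothetical.

# Implication taken from the thread: "admin-queue" implies "submit-app".
IMPLIED = {"admin-queue": {"submit-app"}}

# Constructed sample policies matching the scenario in the thread.
POLICIES = [
    {"effect": "allow", "users": {"alice"}, "access": {"submit-app"}},
    {"effect": "deny",  "users": {"alice"}, "access": {"admin-queue"}},
    {"effect": "allow", "users": {"bob"},   "access": {"admin-queue"}},
]

def expand(access_types, implied=IMPLIED):
    """Return the access types plus everything they imply."""
    out = set(access_types)
    for a in access_types:
        out |= implied.get(a, set())
    return out

def evaluate(policies, user, access, expand_deny=True):
    """Return True if `user` may perform `access`; any matching deny wins.

    expand_deny=True  models the behaviour reported in the thread:
                      implied grants are expanded on deny items too.
    expand_deny=False is a hypothetical alternative in which the
                      implication applies to allow items only.
    """
    allowed = denied = False
    for p in policies:
        if user not in p["users"]:
            continue
        if p["effect"] == "deny":
            types = expand(p["access"]) if expand_deny else set(p["access"])
            denied |= access in types
        else:
            allowed |= access in expand(p["access"])
    return allowed and not denied

if __name__ == "__main__":
    for user, access, flag in [
        ("alice", "submit-app", True),    # deny on admin-queue also blocks submit-app
        ("alice", "submit-app", False),   # deny stays scoped to admin-queue
        ("alice", "admin-queue", False),  # explicitly denied either way
        ("bob", "submit-app", True),      # implied by bob's admin-queue grant
    ]:
        print(user, access, f"expand_deny={flag}", "->",
              evaluate(POLICIES, user, access, expand_deny=flag))
```
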