Sevada Abraamyan created YARN-2911:
--------------------------------------

             Summary: Issues with GetApplications request in secure cluster
                 Key: YARN-2911
                 URL: https://issues.apache.org/jira/browse/YARN-2911
             Project: Hadoop YARN
          Issue Type: Bug
          Components: resourcemanager
            Reporter: Sevada Abraamyan
            Assignee: Sevada Abraamyan


Both problems arise from the fact that the RM stores the short username of the 
app submitter. 

1) When the {{GetApplicationsRequest}} contains a 
{{ApplicationsRequestScope.OWN}} filter, i.e. it wants to filter out all apps 
not owned by the user, the RM attempts to match the full username of the 
GetApplications requester against the stored short username to determine if the 
requester is the owner of the app. In a secure cluster this can fail as the two 
are not always equivalent. 

2) The {{GetApplicationsRequest}} can be used to filter the set of apps 
returned to be only those which were submitted/owned by a set of users. Once 
again there is a mismatch here between short/full usernames. Since the client 
specifies the set of users, theoretically they can pass in a set of short 
usernames which would make this feature work in a secure cluster. However, it 
is not expected that a client will have the correct 
{{hadoop.security.auth_to_local}} configuration and therefore they cannot 
always be expected to get the correct short usernames. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
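
The two mismatches described in the report, as an added example that is not part of the original message and is not Hadoop code. The class, its methods, the SITE_RULES mapping (a simplified stand-in for hadoop.security.auth_to_local) and the sample principals and apps are all constructed for illustration; normalising on the server side is shown as one possible way to make the comparisons consistent, not as the project's fix.

```java
import java.util.*;
import java.util.stream.*;

public class ShortNameFilterDemo {
    // Hypothetical stand-in for the RM's hadoop.security.auth_to_local rules:
    // one site-specific mapping, then a default that strips "/host" and "@REALM".
    static final Map<String, String> SITE_RULES = Map.of("svc-etl@CORP.EXAMPLE", "etl");

    static String toShortName(String principal) {
        String mapped = SITE_RULES.get(principal);
        if (mapped != null) return mapped;
        return principal.split("[/@]", 2)[0];
    }

    // Constructed sample: app id -> short username of the submitter, as the RM stores it.
    static final Map<String, String> APPS = new TreeMap<>(Map.of(
        "app_1", "alice", "app_2", "etl", "app_3", "bob"));

    // Problem 1: the OWN scope compares the requester's full name with the stored short name.
    static List<String> ownScopeMismatched(String requester) {
        return APPS.entrySet().stream()
            .filter(e -> e.getValue().equals(requester))
            .map(Map.Entry::getKey).collect(Collectors.toList());
    }

    // Problem 2: the server maps every requested user through its own rules,
    // so the client does not need the cluster's auth_to_local configuration.
    static List<String> byUsers(Set<String> requestedUsers) {
        Set<String> shortNames = requestedUsers.stream()
            .map(ShortNameFilterDemo::toShortName).collect(Collectors.toSet());
        return APPS.entrySet().stream()
            .filter(e -> shortNames.contains(e.getValue()))
            .map(Map.Entry::getKey).collect(Collectors.toList());
    }

    // OWN scope with the requester normalised the same way as the stored owner.
    static List<String> ownScopeNormalised(String requester) {
        return byUsers(Set.of(requester));
    }

    public static void main(String[] args) {
        System.out.println(ownScopeMismatched("alice@CORP.EXAMPLE"));
        System.out.println(ownScopeNormalised("alice@CORP.EXAMPLE"));
        System.out.println(byUsers(Set.of("svc-etl@CORP.EXAMPLE", "bob")));
    }
}
```

The svc-etl entry shows why a client cannot derive the short name by itself: stripping the realm gives svc-etl, while the server-side rule maps that principal to etl.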
