[ 
https://issues.apache.org/jira/browse/YARN-11066?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17479913#comment-17479913
 ] 

Tamas Domok commented on YARN-11066:
------------------------------------

Investigation:

RMAppManager
{code}
  private RMAppImpl createAndPopulateNewRMApp(
....
    if (!isRecovery && YarnConfiguration.isAclEnabled(conf)) {
      if (scheduler instanceof CapacityScheduler) {
        String queueName = placementContext == null ?
            submissionContext.getQueue() : placementContext.getFullQueuePath();

        String appName = submissionContext.getApplicationName();
        CSQueue csqueue = ((CapacityScheduler) scheduler).getQueue(queueName);

        if (csqueue == null && placementContext != null) {
          //could be an auto created queue through queue mapping. Validate
          // parent queue exists and has valid acls
          String parentQueueName = placementContext.getParentQueue();
          csqueue = ((CapacityScheduler) scheduler).getQueue(parentQueueName);
        }

        if (csqueue != null
            && !authorizer.checkPermission(
{code}

[Attachment: Screenshot 2022-01-21 at 10.00.32.png]

The csqueue is null, so no ACLs will be checked.

> Flexible AQC doesn't check the Queue ACLs when submitting apps
> --------------------------------------------------------------
>
>                 Key: YARN-11066
>                 URL: https://issues.apache.org/jira/browse/YARN-11066
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: capacityscheduler, yarn
>    Affects Versions: 3.4.0
>            Reporter: Tamas Domok
>            Assignee: Tamas Domok
>            Priority: Critical
>         Attachments: Screenshot 2022-01-21 at 10.00.32.png, 
> capacity-scheduler.xml
>
>
> Reproduction steps:
> 1. Use the attached configuration: [^capacity-scheduler.xml]
> 2. Enable *yarn.acl.enable* in yarn-site.xml.
> 3. Try to submit an application with any user other than *user1, user2, 
> user3*.
> {code}
> yarn jar hadoop-mapreduce-examples-3.4.0-SNAPSHOT.jar pi 1 10
> {code}
> The *first* app submission will succeed with *someuser:somegroup* and the 
> *root.parent.somegroup.someuser* queue will be created. When the 
> *root.parent.somegroup* dynamic parent queue already exists, the ACLs in 
> *root.parent* will be checked and *someuser* won't be able to submit 
> another app. But queues are deleted automatically, so this is a serious 
> security issue.
> This issue doesn't happen when a dynamic parent queue is not created, just a 
> dynamic leaf queue.
> Another inconsistency is that the ACLs configured with templates work on 
> dynamic leaf queues, but not when there is a dynamic parent queue too.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
