[ https://issues.apache.org/jira/browse/YARN-11066?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17479913#comment-17479913 ]
Tamas Domok commented on YARN-11066:
------------------------------------

Investigation:

RMAppManager
{code}
private RMAppImpl createAndPopulateNewRMApp(
....
    if (!isRecovery && YarnConfiguration.isAclEnabled(conf)) {
      if (scheduler instanceof CapacityScheduler) {
        String queueName = placementContext == null ?
            submissionContext.getQueue() :
            placementContext.getFullQueuePath();

        String appName = submissionContext.getApplicationName();
        CSQueue csqueue = ((CapacityScheduler) scheduler).getQueue(queueName);

        if (csqueue == null && placementContext != null) {
          //could be an auto created queue through queue mapping. Validate
          // parent queue exists and has valid acls
          String parentQueueName = placementContext.getParentQueue();
          csqueue = ((CapacityScheduler) scheduler).getQueue(parentQueueName);
        }

        if (csqueue != null
            && !authorizer.checkPermission(
{code}

!Screenshot 2022-01-21 at 10.00.32.png!

The csqueue is null, so no ACLs will be checked.

> Flexible AQC doesn't check the Queue ACLs when submitting apps
> --------------------------------------------------------------
>
>                 Key: YARN-11066
>                 URL: https://issues.apache.org/jira/browse/YARN-11066
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: capacityscheduler, yarn
>    Affects Versions: 3.4.0
>            Reporter: Tamas Domok
>            Assignee: Tamas Domok
>            Priority: Critical
>         Attachments: Screenshot 2022-01-21 at 10.00.32.png, capacity-scheduler.xml
>
>
> Reproduction steps:
> 1. Use the attached configuration: [^capacity-scheduler.xml]
> 2. Enable *yarn.acl.enable* in yarn-site.xml.
> 3. Try to submit an application with any user other than *user1, user2, user3*.
> {code}
> yarn jar hadoop-mapreduce-examples-3.4.0-SNAPSHOT.jar pi 1 10
> {code}
> The *first* app submission will succeed with *someuser:somegroup*; the
> *root.parent.somegroup.someuser* queue will be created.
> When the *root.parent.somegroup* dynamic parent queue already exists, then the
> ACLs in *root.parent* will be checked and the *someuser* won't be able to
> submit another app. But queues are deleted automatically, so this is a serious
> security issue.
> This issue doesn't happen when a dynamic parent queue is not created, just a
> dynamic leaf queue.
> Another inconsistency is that the ACLs configured with templates work on
> dynamic leaf queues, but not when there is a dynamic parent queue too.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
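
The lookup gap described in the comment above, as an added example that is not part of the original message and is not Hadoop's code or the project's fix: a self-contained Java model comparing the leaf-then-direct-parent lookup with a lookup that resolves the nearest existing ancestor and denies when nothing resolves. The class name, method names and the ACL values (including the empty ACL on root) are assumptions made for illustration.

```java
import java.util.*;

// Simplified model of the submit-time queue ACL check. Not Hadoop code:
// class, method and map names are hypothetical, the ACL values are constructed.
public class QueueAclModel {
  // Queues that exist right now, each with its submit ACL (constructed sample).
  static final Map<String, Set<String>> QUEUES = new HashMap<>();
  static {
    QUEUES.put("root", Set.of());
    QUEUES.put("root.parent", Set.of("user1", "user2", "user3"));
  }

  static String parentOf(String path) {
    int i = path.lastIndexOf('.');
    return i < 0 ? null : path.substring(0, i);
  }

  // Hierarchical ACL: access on any ancestor grants access on the queue.
  static boolean permitted(String user, String queue) {
    for (String q = queue; q != null; q = parentOf(q)) {
      if (QUEUES.getOrDefault(q, Set.of()).contains(user)) return true;
    }
    return false;
  }

  // Shape of the quoted check: try the leaf, then its direct parent only.
  // When neither exists yet, no ACL is evaluated and the submit goes through.
  static boolean failOpenCheck(String user, String fullPath) {
    String q = QUEUES.containsKey(fullPath) ? fullPath : parentOf(fullPath);
    if (q != null && QUEUES.containsKey(q)) return permitted(user, q);
    return true;
  }

  // Fail-closed variant: resolve the nearest existing ancestor, deny if none.
  static boolean failClosedCheck(String user, String fullPath) {
    for (String q = fullPath; q != null; q = parentOf(q)) {
      if (QUEUES.containsKey(q)) return permitted(user, q);
    }
    return false;
  }

  public static void main(String[] args) {
    String path = "root.parent.somegroup.someuser"; // both dynamic levels missing
    System.out.println("fail-open, someuser:      " + failOpenCheck("someuser", path));
    System.out.println("fail-closed, someuser:    " + failClosedCheck("someuser", path));
    System.out.println("fail-closed, user1:       " + failClosedCheck("user1", path));
    QUEUES.put("root.parent.somegroup", Set.of()); // dynamic parent now exists
    System.out.println("fail-open, parent exists: " + failOpenCheck("someuser", path));
  }
}
```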