Siddharth Ahuja created YARN-10870:
--------------------------------------

             Summary: Missing user filtering check -> 
yarn.webapp.filter-entity-list-by-user for RM Scheduler page
                 Key: YARN-10870
                 URL: https://issues.apache.org/jira/browse/YARN-10870
             Project: Hadoop YARN
          Issue Type: Bug
          Components: yarn
            Reporter: Siddharth Ahuja


Non-permissible users are (incorrectly) able to view applications submitted by 
another user on the RM's Scheduler UI (not Applications UI), where 
_non-permissible users_ are non-application-owners and are not present in the 
application ACL -> mapreduce.job.acl-view-job, nor present in the Queue ACL as 
a Queue admin of the queue to which this job was submitted (see [1] where both the 
filter setting introduced by YARN-8319 & ACL checks are performed):

The issue can be reproduced easily by having the setting 
{{yarn.webapp.filter-entity-list-by-user}} set to true in yarn-site.xml.

The above disallows non-permissible users from viewing another user's 
applications in the Applications page, but not in the Scheduler's page.

The filter setting seems to be getting checked only on the getApps() call but 
not while rendering the apps information on the Scheduler page. This seems to 
be a "missed" feature from YARN-8319.
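The gap described above is a visibility check that exists on one code path (getApps()) but not on the other (Scheduler rendering). The following is an added illustration, not Hadoop's code: a single predicate covering owner, view-ACL and queue-admin, applied to both listings so neither page can drift. The App record, the queueAdmins map and the sample users are constructed stand-ins.

```java
import java.util.*;
import java.util.stream.Collectors;

// Added illustration, not Hadoop code: one visibility predicate shared by both views.
public class EntityListFilter {
    // Constructed stand-in for the RM's application record plus its view ACL.
    record App(String id, String owner, String queue, Set<String> viewAcl) {}

    private final boolean filterByUser;                 // yarn.webapp.filter-entity-list-by-user
    private final Map<String, Set<String>> queueAdmins; // queue -> admin users (constructed)

    EntityListFilter(boolean filterByUser, Map<String, Set<String>> queueAdmins) {
        this.filterByUser = filterByUser;
        this.queueAdmins = queueAdmins;
    }

    // Visible if: owner, member of mapreduce.job.acl-view-job, or admin of the submit queue.
    boolean isVisibleTo(String user, App app) {
        if (!filterByUser) return true;
        return app.owner().equals(user)
            || app.viewAcl().contains(user)
            || queueAdmins.getOrDefault(app.queue(), Set.of()).contains(user);
    }

    // Applications page: filtered at the getApps() call.
    List<App> getApps(String user, List<App> all) {
        return all.stream().filter(a -> isVisibleTo(user, a)).collect(Collectors.toList());
    }

    // Scheduler page: reuse the filtered list before grouping apps per queue for rendering,
    // instead of grouping the unfiltered list (the behaviour this issue reports).
    Map<String, List<App>> schedulerView(String user, List<App> all) {
        return getApps(user, all).stream()
            .collect(Collectors.groupingBy(App::queue, TreeMap::new, Collectors.toList()));
    }

    public static void main(String[] args) {
        List<App> apps = List.of(
            new App("app_1", "alice", "root.analytics", Set.of("bob")),
            new App("app_2", "carol", "root.etl", Set.of()));
        EntityListFilter f = new EntityListFilter(true, Map.of("root.etl", Set.of("dave")));
        System.out.println("bob  -> " + f.schedulerView("bob", apps).keySet());  // view-ACL member
        System.out.println("dave -> " + f.schedulerView("dave", apps).keySet()); // queue admin
        System.out.println("eve  -> " + f.schedulerView("eve", apps).keySet());  // no entitlement
    }
}
```

With filterByUser set to false every user sees every queue's apps, matching the default behaviour before YARN-8319.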

[1] 
https://github.com/apache/hadoop/blob/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L676



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
