[ https://issues.apache.org/jira/browse/YARN-9445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16811062#comment-16811062 ]
Eric Yang commented on YARN-9445:
---------------------------------

[~shuzirra] Thank you for the patch. From a code logic point of view, [~snemeth] already covered the review. From a security point of view, it would be good to change yarn-default.xml yarn.admin.acl from * to the current running user for yarn. With the default configuration, the cluster is not exposed as wide open with the behavior change in this patch. Maybe yarn.admin.acl set to empty can imply the current running user is the admin. This may help to prevent bots from taking control of the cluster before the admin secures the cluster properly.

> yarn.admin.acl is futile
> ------------------------
>
>                 Key: YARN-9445
>                 URL: https://issues.apache.org/jira/browse/YARN-9445
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.3.0
>            Reporter: Peter Simon
>            Assignee: Gergely Pollak
>            Priority: Major
>         Attachments: YARN-9445.001.patch
>
>
> * Define a queue with restrictive administerApps settings (e.g. yarn)
> * Set yarn.admin.acl to "*".
> * Try to submit an application with user yarn, it is denied.
> This way my expected behaviour would be that while everyone is admin, I can
> submit to whatever pool.
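An added example, not part of the original message or of the YARN-9445 patch: a small audit that reports whether a cluster's effective `yarn.admin.acl` is still the `*` default the comment above warns about. It assumes the documented Hadoop ACL syntax (comma-separated users, a space, comma-separated groups; `*` means everyone); the function names, sample XML and the `hadoop-admins` group are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Shipped default for yarn.admin.acl, per the comment above ("from * to ...").
DEFAULT_ADMIN_ACL = "*"

def read_property(site_xml, name):
    """Return the raw value of a Hadoop <property>, or None if it is not set."""
    value = None
    for prop in ET.fromstring(site_xml).iter("property"):
        if (prop.findtext("name") or "").strip() == name:
            # Keep whitespace as written: a value of one space is meaningful.
            value = prop.findtext("value") or ""
    return value

def parse_acl(acl):
    """Split 'user1,user2 group1,group2' into (wildcard, users, groups)."""
    if acl.strip() == "*":
        return True, [], []
    users, _, groups = acl.partition(" ")
    split = lambda s: [x.strip() for x in s.split(",") if x.strip()]
    return False, split(users), split(groups)

def audit_admin_acl(site_xml):
    """Classify yarn.admin.acl as OPEN (everyone), NONE, or RESTRICTED."""
    raw = read_property(site_xml, "yarn.admin.acl")
    source = "yarn-site.xml" if raw is not None else "default"
    wildcard, users, groups = parse_acl(DEFAULT_ADMIN_ACL if raw is None else raw)
    if wildcard:
        status = "OPEN"          # every user is a cluster admin
    elif users or groups:
        status = "RESTRICTED"    # only the listed users/groups are admins
    else:
        status = "NONE"          # nobody is listed
    return {"status": status, "source": source, "users": users, "groups": groups}

# Constructed sample configurations (not taken from a real cluster).
UNSET = "<configuration></configuration>"
EXPLICIT_STAR = """<configuration><property>
  <name>yarn.admin.acl</name><value>*</value></property></configuration>"""
RESTRICTED = """<configuration><property>
  <name>yarn.admin.acl</name><value>yarn hadoop-admins</value></property></configuration>"""

if __name__ == "__main__":
    for label, doc in [("unset", UNSET), ("star", EXPLICIT_STAR), ("restricted", RESTRICTED)]:
        print(label, audit_admin_acl(doc))
```

An `OPEN` result with source `default` is the case the comment is concerned with: the site file never overrides the shipped value, so the cluster inherits `*`.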