[ https://issues.apache.org/jira/browse/YARN-9445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16811550#comment-16811550 ]

Sunil Govindan commented on YARN-9445:
--------------------------------------

Hi Gergely Pollak,

To me, this is not a clean fix.
{code:java}
if (isAdmin(user) && accessType == AccessType.ADMINISTER_QUEUE) {
  return true;
}
{code}

A few reasons for this:
 # In YARN, we have different ACL managers: QueueACLsManager, AdminACLsManager, 
ApplicationACLsManager etc. Each of them helps to do certain defined ACL 
verification during app submission, read APIs such as queue info, list apps 
etc. We need to use these effectively to cover all use cases.
 # I checked the callers of checkAccess, and some of the managers are checking 
the adminAcls separately. But for callers such as FS and CS, this check is not 
there.

I am taking an example, with 2 cases:

a) yarn.admin.acls=yarn, and for e.g. 
<prefix>.queueA.acl_submit_applications=john. Now user "john" can submit an app 
to queueA. The "yarn" user should not be able to submit.

b) yarn.admin.acls=*, and for e.g. 
<prefix>.queueA.acl_submit_applications=john. Now user "john" can submit an app 
to queueA. The "smith" user should not be able to submit.

As per my understanding, admin ACLs were added for YARN admin ops, if I remember 
correctly. They were not clubbed with queue ops, as queue ACLs were different. I 
am open to discussing whether we can improve this or not; however, I feel it may 
break some compatibility. Please correct me if I am wrong.

Looping in a few more folks who worked on this earlier: [~leftnoteasy] 
[~rohithsharma] [~bibinchundatt] [~vinodkv]

> yarn.admin.acl is futile
> ------------------------
>
>                 Key: YARN-9445
>                 URL: https://issues.apache.org/jira/browse/YARN-9445
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.3.0
>            Reporter: Peter Simon
>            Assignee: Gergely Pollak
>            Priority: Major
>         Attachments: YARN-9445.001.patch
>
>
> * Define a queue with restrictive administerApps settings (e.g. yarn)
> * Set yarn.admin.acl to "*".
> * Try to submit an application with user yarn, it is denied.
> This way my expected behaviour would be that while everyone is admin, I can 
> submit to whatever pool.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
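
The two cases a) and b) from the comment above, run through a simplified model with and without the quoted check. This is an added example, not Hadoop code and not from the thread; the class `AclModel`, the `adminShortcut` flag, the local `AccessType` enum and the empty administer ACL on queueA are assumptions made for illustration.

```java
import java.util.Map;
import java.util.Set;

// Simplified model of the discussion; all names here are hypothetical, not YARN classes.
public class AclModel {
    enum AccessType { SUBMIT_APP, ADMINISTER_QUEUE }

    final Set<String> adminAcl;                  // models yarn.admin.acls
    final Map<AccessType, Set<String>> queueAcl; // models the ACLs of a single queue
    final boolean adminShortcut;                 // true = the quoted check is in place

    AclModel(Set<String> adminAcl, Map<AccessType, Set<String>> queueAcl,
             boolean adminShortcut) {
        this.adminAcl = adminAcl;
        this.queueAcl = queueAcl;
        this.adminShortcut = adminShortcut;
    }

    // An ACL is a set of user names; "*" matches every user.
    static boolean matches(Set<String> acl, String user) {
        return acl.contains("*") || acl.contains(user);
    }

    boolean checkAccess(String user, AccessType accessType) {
        // The check quoted in the comment, evaluated before the queue ACL lookup.
        if (adminShortcut && matches(adminAcl, user)
                && accessType == AccessType.ADMINISTER_QUEUE) {
            return true;
        }
        return matches(queueAcl.getOrDefault(accessType, Set.of()), user);
    }

    public static void main(String[] args) {
        // Constructed queueA: only john may submit, nobody is listed as queue admin.
        Map<AccessType, Set<String>> queueA = Map.of(
                AccessType.SUBMIT_APP, Set.of("john"),
                AccessType.ADMINISTER_QUEUE, Set.of());
        // {admin ACL value, user under test} for cases a) and b).
        String[][] cases = {{"yarn", "yarn"}, {"*", "smith"}};
        for (String[] c : cases) {
            for (boolean shortcut : new boolean[] {false, true}) {
                AclModel m = new AclModel(Set.of(c[0]), queueA, shortcut);
                System.out.printf("adminAcl=%s user=%s shortcut=%b submit=%b administer=%b%n",
                        c[0], c[1], shortcut,
                        m.checkAccess(c[1], AccessType.SUBMIT_APP),
                        m.checkAccess(c[1], AccessType.ADMINISTER_QUEUE));
            }
        }
    }
}
```

In this model the shortcut leaves the SUBMIT_APP result untouched but grants ADMINISTER_QUEUE on the queue to anyone matching the admin ACL, which with `*` is every user.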