[ https://issues.apache.org/jira/browse/YARN-9445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16812282#comment-16812282 ]
Gergely Pollak commented on YARN-9445:
--------------------------------------

[~sunilg], [~snemeth], [~eyang], [~bibinchundatt] thank you for your feedback!

Let me fix the issues mentioned by Szilard and reported by the Jenkins jobs, also trying to find a more queue-specific place for the modification.

However, I agree with the opinion that admin should have access to everything. We shouldn't worry about the admin exploiting its new submission permission, because if someone with admin permission wants to exploit the system they can do it anyway. We cannot protect the system from its own administrators.

Also it's worth mentioning that in FairScheduler queue admins can already submit applications, so this modification just makes yarn.admin.acl a queue admin as well. And I really think we should not have 2 kinds of admins. If a user is granted administrative permissions on a queue level, it should be a queue admin only, however a global admin should be queue admin as well; it follows nicely the "queue inherits its parent's permission" pattern.

And I strongly agree with [~eyang] that we should change the default value for the yarn.admin.acl, because I think it can easily result in a really unsecure cluster, but of course that's not the scope of this jira, and it might have a large impact.

> yarn.admin.acl is futile
> ------------------------
>
> Key: YARN-9445
> URL: https://issues.apache.org/jira/browse/YARN-9445
> Project: Hadoop YARN
> Issue Type: Bug
> Components: security
> Affects Versions: 3.3.0
> Reporter: Peter Simon
> Assignee: Gergely Pollak
> Priority: Major
> Attachments: YARN-9445.001.patch
>
>
> * Define a queue with restrictive administerApps settings (e.g. yarn)
> * Set yarn.admin.acl to "*".
> * Try to submit an application with user yarn, it is denied.
> This way my expected behaviour would be that while everyone is admin, I can submit to whatever pool.
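A simplified model of the behaviour discussed in this thread, as an added example that is not part of the original message or of the YARN code base: it shows the reported denial, the proposed "global admin is also a queue admin" rule, and why a wildcard yarn.admin.acl then opens every queue. Queue names, users, groups and function names are constructed; ACL strings follow the Hadoop "users groups" form, where "*" is everyone and a single space is no one.

```python
# Simplified model of the ACL pattern discussed above. Not YARN code:
# queue names, users, groups and function names are constructed.

def parse_acl(spec):
    """Hadoop ACL string 'u1,u2 g1,g2'; '*' is everyone, ' ' is no one."""
    if spec.strip() == "*":
        return None  # wildcard
    users, _, groups = spec.partition(" ")
    return (set(filter(None, users.split(","))),
            set(filter(None, groups.strip().split(","))))

def acl_allows(spec, user, groups):
    acl = parse_acl(spec)
    if acl is None:
        return True
    acl_users, acl_groups = acl
    return user in acl_users or bool(acl_groups & set(groups))

# Constructed queue tree: name -> (parent, submit ACL, administer ACL)
QUEUES = {
    "root":     (None,   " ",        " "),
    "root.etl": ("root", "etl_user", "etl_admin etl_ops"),
}

def can_submit(user, groups, queue, admin_acl, global_admin_is_queue_admin):
    """True if any queue on the path to root grants submit or administer
    access (a child inherits its parents' grants). With the flag set,
    yarn.admin.acl members count as queue admins of every queue."""
    if global_admin_is_queue_admin and acl_allows(admin_acl, user, groups):
        return True
    while queue is not None:
        parent, submit_acl, administer_acl = QUEUES[queue]
        if (acl_allows(submit_acl, user, groups)
                or acl_allows(administer_acl, user, groups)):
            return True
        queue = parent
    return False

def admin_acl_is_wildcard(admin_acl):
    """Audit check: does yarn.admin.acl make every user a cluster admin?"""
    return parse_acl(admin_acl) is None

if __name__ == "__main__":
    for acl in ("*", "ops_admin hadoop_admins"):
        for flag in (False, True):
            print(f"yarn.admin.acl={acl!r} global_admin_is_queue_admin={flag}: "
                  f"user yarn -> {can_submit('yarn', [], 'root.etl', acl, flag)}, "
                  f"wildcard={admin_acl_is_wildcard(acl)}")
```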