[
https://issues.apache.org/jira/browse/YARN-9445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16812282#comment-16812282
]
Gergely Pollak edited comment on YARN-9445 at 4/8/19 10:08 AM:
---------------------------------------------------------------
[~sunilg], [~snemeth], [~eyang], [~bibinchundatt] thank you for you feedback!
Let me fix the issues mentioned by Szilard and reported by the jenkins jobs,
also trying to find a more queue specific place for the modification.
However I agree with the opinion admin should have access to everything. We
shouldn't worry about the admin exploiting it's new submission permission,
because if someone with admin permission want's to exploit the system they can
do it anyway. We cannot protect the system from it's own administrators.
Also it's worth to mention in FairScheduler queue admins can already submit
applications, so this modifications just makes yarn.admin.acl a queue admin as
well. And I really think we should not have 2 kinds of admins. If a user is
granted administrative permissions on a queue level, it should be a queue admin
only, however a global admin should be queue admin as well, it follows nicely
the queue inherits it's parent's permission pattern.
And I strongly agree with [~eyang] on we should change the default value for
the yarn.admin.acl, because I think it easily can result in a really unsecure
cluster, but of course that's not the scope of this jira, and it might have a
large impact.
was (Author: shuzirra):
[~sunilg], [~snemeth], [~eyang], [~bibinchundatt] thank you for you feedback!
Let me fix the issues mentioned by Szilard and reported by the jenkins jobs,
also trying to find a more queue specific place for the modification.
However I agree with the opinion admin should have access to everything. We
shouldn't worry about the admin exploiting it's new submission permission,
because if someone with admin permission want's to exploit the system they can
do it anyway. We cannot protect the system from it's own administrators.
Also it's worth to mention in FairScheduler queue admins can already submit
applications, so this modifications just makes yarn.admin.acl a queue admin as
well. And I really think we should not have 2 kinds of admins. If a user is
granted administrative permissions on a queue level, it should be a queue admin
only, however a global admin should be queue admin as well, it follows nicely
the queue inherits it's parent's permission pattern.
And I strongly agree with [~eyang] on we should change the default value for
the yarn.admin.acl, because I think it eaily can result in a really unsecure
cluster, but of course that's not the scope of this jira, and it might have a
large impact.
> yarn.admin.acl is futile
> ------------------------
>
> Key: YARN-9445
> URL: https://issues.apache.org/jira/browse/YARN-9445
> Project: Hadoop YARN
> Issue Type: Bug
> Components: security
> Affects Versions: 3.3.0
> Reporter: Peter Simon
> Assignee: Gergely Pollak
> Priority: Major
> Attachments: YARN-9445.001.patch
>
>
> * Define a queue with restrictive administerApps settings (e.g. yarn)
> * Set yarn.admin.acl to "*".
> * Try to submit an application with user yarn, it is denied.
> This way my expected behaviour would be that while everyone is admin, I can
> submit to whatever pool.
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
