[
https://issues.apache.org/jira/browse/YARN-9445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16812622#comment-16812622
]
Eric Yang commented on YARN-9445:
---------------------------------
[~snemeth] {quote}do you agree to file another jira to reduce the broad admin
permissions and use something other than "*" as a default? {quote}
It would help to fix the wildcard default in this issue for tracking purpose.
We must make sure that the proposed admin job submission patch in this issue
doesn't open security hole to allow anonymous user to submit jobs then require
another patch to close down wildcard users security hole. If someone back port
admin job submission patch to other branch, we don't miss the potential
security hole of wildard admin. At minimum, we can default to no admin instead
of current yarn user as admin by blank out yarn.admin.acl in this issue.
> yarn.admin.acl is futile
> ------------------------
>
> Key: YARN-9445
> URL: https://issues.apache.org/jira/browse/YARN-9445
> Project: Hadoop YARN
> Issue Type: Bug
> Components: security
> Affects Versions: 3.3.0
> Reporter: Peter Simon
> Assignee: Gergely Pollak
> Priority: Major
> Attachments: YARN-9445.001.patch
>
>
> * Define a queue with restrictive administerApps settings (e.g. yarn)
> * Set yarn.admin.acl to "*".
> * Try to submit an application with user yarn, it is denied.
> This way my expected behaviour would be that while everyone is admin, I can
> submit to whatever pool.
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
