[ 
https://issues.apache.org/jira/browse/YARN-9920?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16970376#comment-16970376
 ] 

Wilfred Spiegelenburg commented on YARN-9920:
---------------------------------------------

I am not sure what you are after with this change. The {{getRemoteAddress()}} 
method for the {{AccessRequest}} is never called. Same for 
{{getForwardedAddresses()}}.
ACLs do not support limiting on IP either, so passing the information through 
from a YARN perspective does not make sense, and having nulls does not cause any 
issues. If this is to allow auditing or extending in the future then I can 
understand; otherwise please explain.

The other problem I have is with the IPC server call that is done. When we get 
to the {{Server.getRemoteAddress()}} call, which address are we getting back? 
The remote address is a thread local for the IPC server. Since we have multiple 
threads servicing incoming IPC requests, how can we be sure that the scheduler, 
when checking queue access for example, gets the correct thread from the server 
pool?

Second issue is that the web services, like moving an app, use the 
{{ClientRMService}} to eventually execute the move. The access check is 
performed inside the {{ClientRMService}}, in which we call 
{{Server.getRemoteAddress()}}. There is no IPC request at all, which probably 
means we get the local node IP back.

Based on just the quick look, I think the info is highly suspect, and it would be 
better to have a proper look at when and where we build the {{AccessRequest}} 
to make sure we get the proper information in all cases.
So a no go from my side.

> YarnAuthorizationProvider AccessRequest gets Null RemoteAddress from 
> FairScheduler
> ----------------------------------------------------------------------------------
>
>                 Key: YARN-9920
>                 URL: https://issues.apache.org/jira/browse/YARN-9920
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: fairscheduler, security
>    Affects Versions: 3.3.0
>            Reporter: Prabhu Joseph
>            Assignee: Prabhu Joseph
>            Priority: Major
>         Attachments: YARN-9920-001.patch, YARN-9920-002.patch, 
> YARN-9920-003.patch
>
>
> YarnAuthorizationProvider AccessRequest has null RemoteAddress in case of 
> FairScheduler. FSQueue#hasAccess uses Server.getRemoteAddress() which will be 
> null when the call is from RMWebServices and EventDispatcher. It works fine 
> when called by IPC Server Handler.
> FSQueue#hasAccess is called at three places where (2) and (3) return null.
> *1. IPC Server -> RMAppManager#createAndPopulateNewRMApp -> FSQueue#hasAccess 
> -> Server.getRemoteAddress returns correct Remote IP.*
>  
> *2. IPC Server -> RMAppManager#createAndPopulateNewRMApp -> 
> AppAddedSchedulerEvent*
>     *EventDispatcher -> FairScheduler#addApplication -> FSQueue.hasAccess -> 
> Server.getRemoteAddress returns null*
>   
> {code:java}
> org.apache.hadoop.yarn.security.ConfiguredYarnAuthorizer.checkPermission(ConfiguredYarnAuthorizer.java:101)
>         at org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FSQueue.hasAccess(FSQueue.java:316)
>         at org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FairScheduler.addApplication(FairScheduler.java:509)
>         at org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FairScheduler.handle(FairScheduler.java:1268)
>         at org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FairScheduler.handle(FairScheduler.java:133)
>         at org.apache.hadoop.yarn.event.EventDispatcher$EventProcessor.run(EventDispatcher.java:66)
> {code}
>  
> *3. RMWebServices -> QueueACLsManager#checkAccess -> FSQueue.hasAccess -> 
> Server.getRemoteAddress returns null.*
> {code:java}
> org.apache.hadoop.yarn.security.ConfiguredYarnAuthorizer.checkPermission(ConfiguredYarnAuthorizer.java:101)
>         at org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FSQueue.hasAccess(FSQueue.java:316)
>         at org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FairScheduler.checkAccess(FairScheduler.java:1610)
>         at org.apache.hadoop.yarn.server.resourcemanager.security.QueueACLsManager.checkAccess(QueueACLsManager.java:84)
>         at org.apache.hadoop.yarn.server.resourcemanager.webapp.RMWebServices.hasAccess(RMWebServices.java:270)
>         at org.apache.hadoop.yarn.server.resourcemanager.webapp.RMWebServices.getApps(RMWebServices.java:553)
> {code}
>  
> Have verified with CapacityScheduler and it works fine.
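
The thread-local behaviour behind call paths (1) and (2) in the issue, as an added example that is not part of the original message and is not Hadoop code: `CUR_CALL_ADDR`, `AppAddedEvent`, `handleSubmit` and the sample addresses are hypothetical stand-ins for the IPC server's per-call state. It shows each handler thread seeing only its own caller, the dispatcher thread seeing null, and the value surviving when it is captured at the entry point and carried in the event.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

public class RemoteAddressDemo {
    // Hypothetical stand-in for the IPC server's per-call, thread-local caller address.
    static final ThreadLocal<String> CUR_CALL_ADDR = new ThreadLocal<>();

    static String getRemoteAddress() {
        return CUR_CALL_ADDR.get();
    }

    // Hypothetical event that carries the address captured on the handler thread (Java 16+ record).
    record AppAddedEvent(String appId, String callerAddr) {}

    // Runs on an IPC handler thread; the access check is also repeated on the dispatcher thread.
    static String handleSubmit(String appId, String clientAddr, ExecutorService dispatcher)
            throws Exception {
        CUR_CALL_ADDR.set(clientAddr); // the server sets this for the duration of the call
        try {
            String onHandler = getRemoteAddress(); // path (1): same thread, value present
            AppAddedEvent event = new AppAddedEvent(appId, onHandler); // capture at the entry point
            Callable<String> readThreadLocal = RemoteAddressDemo::getRemoteAddress;
            Callable<String> readEvent = event::callerAddr;
            // Path (2): the event is processed later on a different thread.
            String onDispatcher = dispatcher.submit(readThreadLocal).get();
            String fromEvent = dispatcher.submit(readEvent).get();
            return appId + ": handler=" + onHandler + ", dispatcher thread-local=" + onDispatcher
                    + ", carried in event=" + fromEvent;
        } finally {
            CUR_CALL_ADDR.remove(); // avoid leaking the value to the next call on this pooled thread
        }
    }

    public static void main(String[] args) throws Exception {
        ExecutorService handlers = Executors.newFixedThreadPool(2);       // IPC handler pool
        ExecutorService dispatcher = Executors.newSingleThreadExecutor(); // scheduler event thread
        // Constructed sample callers (documentation address range), handled concurrently.
        Future<String> a = handlers.submit(() -> handleSubmit("app_1", "192.0.2.10", dispatcher));
        Future<String> b = handlers.submit(() -> handleSubmit("app_2", "192.0.2.20", dispatcher));
        System.out.println(a.get());
        System.out.println(b.get());
        handlers.shutdown();
        dispatcher.shutdown();
    }
}
```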


