Prabhu Joseph created YARN-10345: ------------------------------------ Summary: HsWebServices containerlogs does not honor ACLs for completed jobs Key: YARN-10345 URL: https://issues.apache.org/jira/browse/YARN-10345 Project: Hadoop YARN Issue Type: Bug Components: yarn Affects Versions: 3.2.0, 3.4.0 Reporter: Prabhu Joseph Assignee: Prabhu Joseph Attachments: Screen Shot 2020-07-08 at 12.54.21 PM.png
HsWebServices containerlogs does not honor ACLs. User who does not have permission to view a job is allowed to view the job logs from YARN UI2 through HsWebServices. *Repro:* Secure cluster + yarn.admin.acl=yarn,mapred + Root Queue ACLs set to " " + HistoryServer runs as mapred 1. Run a sample MR job using systest user 2. Once the job is complete, access the job logs using hue user from YARN UI2. YARN CLI works fine. {code} [hue@pjoseph-cm-2 /]$ [hue@pjoseph-cm-2 /]$ yarn logs -applicationId application_1594188841761_0002 WARNING: YARN_OPTS has been replaced by HADOOP_OPTS. Using value of YARN_OPTS. 20/07/08 07:23:08 INFO client.RMProxy: Connecting to ResourceManager at rmhostname:8032 Permission denied: user=hue, access=EXECUTE, inode="/tmp/logs/systest":systest:hadoop:drwxrwx--- at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.check(FSPermissionChecker.java:496) {code} -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org