[ 
https://issues.apache.org/jira/browse/YARN-10870?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Siddharth Ahuja updated YARN-10870:
-----------------------------------
    Description: 
Non-permissible users are (incorrectly) able to view application submitted by 
another user on the RM's Scheduler UI (not Applications UI), where 
_non-permissible users_ are non-application-owners and are not present in the 
application ACL -> mapreduce.job.acl-view-job, nor present in the Queue ACL as 
a Queue admin to which this job was submitted to" (see [1] where both the 
filter setting introduced by YARN-8319 & ACL checks are performed):

The issue can be reproduced easily by having the setting 
{{yarn.webapp.filter-entity-list-by-user}} set to true in yarn-site.xml.

The above disallows non-permissible users from viewing another user's 
applications in the Applications page, but not in the Scheduler's page.

The filter setting seems to be getting checked only on the getApps() call but 
not while rendering the apps information on the Scheduler page. This seems to 
be a "missed" feature from YARN-8319.

Following pre-requisites are needed to reproduce the issue:
* Kerberized cluster,
* SPNEGO enabled for HDFS & YARN,
* Add test users - systest and user1 on all nodes.
* Add kerberos princs for the above users.
* Create HDFS user dirs for above users and chown them appropriately.
* Run a sample MR Sleep job and test.

Steps to reproduce the issue:
* kinit as "systest" user and run a sample MR sleep job from one of the nodes 
in the cluster:

{code}
yarn jar 
/opt/cloudera/parcels/CDH/lib/hadoop-mapreduce/hadoop-mapreduce-client-jobclient-tests.jar
 sleep -m 1 -mt 3600000
{code}

* kinit as "user1" from Mac as an example (this assumes you've copied the 
/etc/krb5.conf from the cluster to your Mac's /private/etc folder already for 
Spengo auth).

* Open the Applications page. user1 cannot view the job being run by systest. 
This is correct.

* Open the Scheduler page. user1 *CAN* view the job being run by systest. This 
is INCORRECT.

[1] 
https://github.com/apache/hadoop/blob/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L676

  was:
Non-permissible users are (incorrectly) able to view application submitted by 
another user on the RM's Scheduler UI (not Applications UI), where 
_non-permissible users_ are non-application-owners and are not present in the 
application ACL -> mapreduce.job.acl-view-job, nor present in the Queue ACL as 
a Queue admin to which this job was submitted to" (see [1] where both the 
filter setting introduced by YARN-8319 & ACL checks are performed):

The issue can be reproduced easily by having the setting 
{{yarn.webapp.filter-entity-list-by-user}} set to true in yarn-site.xml.

The above disallows non-permissible users from viewing another user's 
applications in the Applications page, but not in the Scheduler's page.

The filter setting seems to be getting checked only on the getApps() call but 
not while rendering the apps information on the Scheduler page. This seems to 
be a "missed" feature from YARN-8319.

Following pre-requisites are needed to reproduce the issue:
* Kerberized cluster,
* SPNEGO enabled for HDFS & YARN,
* Add test users - systest and user1 on all nodes.
* Add kerberos princs for the above users.
* Create HDFS user dirs for above users and chown them appropriately.
* Run a sample MR Sleep job and test.

Steps to reproduce the issue:
* kinit as "systest" user and run a sample MR sleep job from one of the nodes 
in the cluster:

{code}
yarn jar 
/opt/cloudera/parcels/CDH/lib/hadoop-mapreduce/hadoop-mapreduce-client-jobclient-tests.jar
 sleep -m 1 -mt 3600000
{code}

* kinit as "user1" from Mac as an example (this assumes you've copied the 
/etc/krb5.conf from the cluster to your Mac's /private/etc folder already for 
Spengo auth).

* Open the Applications page. user1 cannot view the job being run by systest. 
This is correct.

4. Open the Scheduler page. user1 *CAN* view the job being run by systest. This 
is INCORRECT.

[1] 
https://github.com/apache/hadoop/blob/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L676


> Missing user filtering check -> yarn.webapp.filter-entity-list-by-user for RM 
> Scheduler page
> --------------------------------------------------------------------------------------------
>
>                 Key: YARN-10870
>                 URL: https://issues.apache.org/jira/browse/YARN-10870
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: yarn
>            Reporter: Siddharth Ahuja
>            Assignee: Gergely Pollák
>            Priority: Major
>
> Non-permissible users are (incorrectly) able to view application submitted by 
> another user on the RM's Scheduler UI (not Applications UI), where 
> _non-permissible users_ are non-application-owners and are not present in the 
> application ACL -> mapreduce.job.acl-view-job, nor present in the Queue ACL 
> as a Queue admin to which this job was submitted to" (see [1] where both the 
> filter setting introduced by YARN-8319 & ACL checks are performed):
> The issue can be reproduced easily by having the setting 
> {{yarn.webapp.filter-entity-list-by-user}} set to true in yarn-site.xml.
> The above disallows non-permissible users from viewing another user's 
> applications in the Applications page, but not in the Scheduler's page.
> The filter setting seems to be getting checked only on the getApps() call but 
> not while rendering the apps information on the Scheduler page. This seems to 
> be a "missed" feature from YARN-8319.
> Following pre-requisites are needed to reproduce the issue:
> * Kerberized cluster,
> * SPNEGO enabled for HDFS & YARN,
> * Add test users - systest and user1 on all nodes.
> * Add kerberos princs for the above users.
> * Create HDFS user dirs for above users and chown them appropriately.
> * Run a sample MR Sleep job and test.
> Steps to reproduce the issue:
> * kinit as "systest" user and run a sample MR sleep job from one of the nodes 
> in the cluster:
> {code}
> yarn jar 
> /opt/cloudera/parcels/CDH/lib/hadoop-mapreduce/hadoop-mapreduce-client-jobclient-tests.jar
>  sleep -m 1 -mt 3600000
> {code}
> * kinit as "user1" from Mac as an example (this assumes you've copied the 
> /etc/krb5.conf from the cluster to your Mac's /private/etc folder already for 
> Spengo auth).
> * Open the Applications page. user1 cannot view the job being run by systest. 
> This is correct.
> * Open the Scheduler page. user1 *CAN* view the job being run by systest. 
> This is INCORRECT.
> [1] 
> https://github.com/apache/hadoop/blob/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L676



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org

Reply via email to