[ https://issues.apache.org/jira/browse/YARN-8583?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17802676#comment-17802676 ]

Shilun Fan commented on YARN-8583:
----------------------------------

Bulk update: moved all 3.4.0 non-blocker issues, please move back if it is a 
blocker. Retarget 3.5.0.

> Inconsistency in YARN status command
> ------------------------------------
>
>                 Key: YARN-8583
>                 URL: https://issues.apache.org/jira/browse/YARN-8583
>             Project: Hadoop YARN
>          Issue Type: Improvement
>            Reporter: Eric Yang
>            Priority: Major
>
> YARN app -status command can report based on application ID or application 
> name with some usability limitations.  Application ID is globally unique, and 
> it allows any user to query application status of any application.  
> Application name is not globally unique, and it will only work for querying 
> user's own application.  This is somewhat restrictive for application 
> administrators, but allowing other users to query any other user's application 
> could be considered a security hole as well.  There are two possible options to 
> reduce the inconsistency:
> Option 1.  Block other users from querying application status.  This may improve 
> security in some sense, but it is an incompatible change.  This is a simpler 
> change by matching the owner of the application, and deciding to report or not 
> report.
> Option 2.  Add --user parameter to allow administrator to query application 
> name run by other users.  This is a bigger change because application metadata 
> is stored in user's own hdfs directory.  There are security restrictions that 
> need to be defined.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
