[jira] [Updated] (YARN-5554) MoveApplicationAcrossQueues does not check user permission on the target queue

Mon, 26 Sep 2016 04:19:28 -0700 

     [ 
https://issues.apache.org/jira/browse/YARN-5554?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Wilfred Spiegelenburg updated YARN-5554:
----------------------------------------
    Attachment: YARN-5554.4.patch

Sorry for the delayed response, I tried to add a new test which test just the 
getAccess call in the client but did not get it to work nicely. 

I have updated the patch with the check for an non existing queue including an 
extra test.

I did not move the check for a non existent queue into the {{ClientRMService}} 
because each scheduler checks the queue existence in its own way and we would 
have had to introduce a number of new dependencies into the client. I left it 
in {{QueueACLsManager}} which already has the CS as a dependency. It now also 
logs that the target queue does not exists.

For the check that [~jianhe] mentioned: we have an existing check for 
MODIFY_APP in the code. That check also takes into account the administrator 
access for the origin queue, covering the {{application_acl}} part. The new 
check added handles the first part {{submit_acl_on_target_queue || 
target_queue_adminAcl)}} Both need to pass to move the application.

> MoveApplicationAcrossQueues does not check user permission on the target queue
> ------------------------------------------------------------------------------
>
>                 Key: YARN-5554
>                 URL: https://issues.apache.org/jira/browse/YARN-5554
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: resourcemanager
>    Affects Versions: 2.7.2
>            Reporter: Haibo Chen
>            Assignee: Wilfred Spiegelenburg
>         Attachments: YARN-5554.2.patch, YARN-5554.3.patch, YARN-5554.4.patch
>
>
> moveApplicationAcrossQueues operation currently does not check user 
> permission on the target queue. This incorrectly allows one user to move 
> his/her own applications to a queue that the user has no access to



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org

Reply via email to