Posted to issues@yunikorn.apache.org by "ted (Jira)" <ji...@apache.org> on 2022/05/25 09:02:00 UTC

[jira] [Commented] (YUNIKORN-1214) Yunikorn does not honor queue acls when adding tasks to existing application

    [ https://issues.apache.org/jira/browse/YUNIKORN-1214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17541913#comment-17541913 ] 

ted commented on YUNIKORN-1214:
-------------------------------

Hi [~mitdesai],

I read the [doc|https://yunikorn.apache.org/docs/user_guide/usergroup_resolution/]. There is this paragraph:
> Assumption: Yunikorn assumes that all pods belonging to an application are owned by the same user. We recommend that the user label is added to every pod of an app. This is to ensure that there is no discrepancy.

So yunikorn should not currently check the user of each pod in the same app.

> Yunikorn does not honor queue acls when adding tasks to existing application
> ----------------------------------------------------------------------------
>
>                 Key: YUNIKORN-1214
>                 URL: https://issues.apache.org/jira/browse/YUNIKORN-1214
>             Project: Apache YuniKorn
>          Issue Type: Bug
>            Reporter: Mit Desai
>            Priority: Major
>
> Currently, when a pod is submitted without an application id, yunikorn generates an application id using the namespace where the pod is submitted, with this format: 'yunikorn-<namespace>-autogen'
> When another pod without an application id is submitted to the same namespace, there already exists an application with the generated name. So the next one gets added as a task to the existing application. I see that the queue acls are also not taken into consideration when this happens and the new pod also becomes part of the same queue as before.
> For Example:
> 1. A pod submitted to namespace 'a' will get an application id yunikorn-a-autogen and, based on the acls, let's assume it lands in queue 'queue-a'
> 2. If another pod (which does not have an app id) is submitted in the same namespace 'a' by a test user who is not authorized to run apps in queue 'queue-a', it will be grouped with the previous application and will start running in the same queue.



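The grouping behaviour described in the issue can be audited from the defender's side by replaying pod submissions and checking every pod's user against the ACL of the queue its application landed in. This is an added example, not code from the message above or from the YuniKorn project; the `Pod` type, `AuditGroupedPods`, the namespace-to-queue map and the ACL map are hypothetical simplifications, and only the `yunikorn-<namespace>-autogen` naming rule comes from the issue text.

```go
package main

import "fmt"

// Pod is a constructed, simplified view of a submitted pod (not a YuniKorn type).
type Pod struct {
	Name, Namespace, User, AppID string // AppID is empty when the pod has no application id
}

// effectiveAppID applies the naming rule quoted in the issue:
// a pod without an application id gets "yunikorn-<namespace>-autogen".
func effectiveAppID(p Pod) string {
	if p.AppID != "" {
		return p.AppID
	}
	return "yunikorn-" + p.Namespace + "-autogen"
}

// AuditGroupedPods replays submissions in order. The first pod of an application
// fixes its queue; later pods with the same id are grouped into it. Any pod whose
// user is absent from that queue's submit ACL is reported as a finding.
func AuditGroupedPods(pods []Pod, queueOf map[string]string, acl map[string]map[string]bool) []string {
	appQueue := map[string]string{} // application id -> queue of its first pod
	var findings []string
	for _, p := range pods {
		app := effectiveAppID(p)
		q, exists := appQueue[app]
		if !exists {
			q = queueOf[p.Namespace] // assumed placement: one queue per namespace
			appQueue[app] = q
		}
		if !acl[q][p.User] {
			findings = append(findings, fmt.Sprintf("%s: user %q not allowed in %s (app %s)", p.Name, p.User, q, app))
		}
	}
	return findings
}

func main() {
	// Constructed sample mirroring the two steps in the issue description.
	pods := []Pod{
		{Name: "pod-1", Namespace: "a", User: "alice"},
		{Name: "pod-2", Namespace: "a", User: "test"},
	}
	queueOf := map[string]string{"a": "queue-a"}
	acl := map[string]map[string]bool{"queue-a": {"alice": true}}
	for _, f := range AuditGroupedPods(pods, queueOf, acl) {
		fmt.Println(f)
	}
}
```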