Posted to yarn-dev@hadoop.apache.org by "Jiandan Yang (JIRA)" <ji...@apache.org> on 2019/01/23 11:22:00 UTC

[jira] [Created] (YARN-9225) ACL checking invalidates when setting yarn.acl.enable=true

Jiandan Yang  created YARN-9225:
-----------------------------------

             Summary: ACL checking invalidates when setting yarn.acl.enable=true
                 Key: YARN-9225
                 URL: https://issues.apache.org/jira/browse/YARN-9225
             Project: Hadoop YARN
          Issue Type: Bug
          Components: yarn
            Reporter: Jiandan Yang 
            Assignee: Jiandan Yang 


My configuration is:
yarn-site.xml: set the scheduler to CapacityScheduler and enable ACLs

{code:java}
<property>
  <name>yarn.acl.enable</name>
  <value>true</value>
</property>
<property>
  <name>yarn.admin.acl</name>
  <value> </value>
</property>
<property>
  <name>yarn.resourcemanager.scheduler.class</name>
  <value>org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.CapacityScheduler</value>
</property>
{code}

capacity-scheduler.xml: set submitAcl and adminAcl of the test queue to yarn

{code:java}
  <property>
    <name>yarn.scheduler.capacity.root.queues</name>
    <value>default,test</value>
  </property>
  <property>
    <name>yarn.scheduler.capacity.root.default.capacity</name>
    <value>[memory=40960,vcores=100]</value>
  </property>
  <property>
    <name>yarn.scheduler.capacity.root.default.maximum-capacity</name>
    <value>[memory=409600,vcores=480]</value>
  </property>
  <property>
    <name>yarn.scheduler.capacity.root.default.acl_submit_applications</name>
    <value>yarn</value>
  </property>
  <property>
    <name>yarn.scheduler.capacity.root.default.acl_administer_queue</name>
    <value>yarn</value>
  </property>

  <property>
    <name>yarn.scheduler.capacity.root.test.capacity</name>
    <value>[memory=40960,vcores=100]</value>
  </property>
  <property>
    <name>yarn.scheduler.capacity.root.test.maximum-capacity</name>
    <value>[memory=409600,vcores=480]</value>
  </property>
  <property>
    <name>yarn.scheduler.capacity.root.test.acl_submit_applications</name>
    <value>yarn</value>
  </property>
  <property>
    <name>yarn.scheduler.capacity.root.test.acl_administer_queue</name>
    <value>yarn</value>
  </property>
{code}

I submitted an MR job to the test queue using the username yangjiandan, and it succeeded.
I checked the related code and found that the root cause is ConfiguredYarnAuthorizer#checkPermissionInternal: it looks through the parent queue when the ACL check of the leaf queue fails, but the ACL of the root queue is *ALL_ACL* in CapacitySchedulerConfiguration#getAcl, so the ACL check always passes.

{code:java}
  private boolean checkPermissionInternal(AccessType accessType,
      PrivilegedEntity target, UserGroupInformation user) {
    boolean ret = false;
    Map<AccessType, AccessControlList> acls = allAcls.get(target);
    if (acls != null) {
      AccessControlList list = acls.get(accessType);
      if (list != null) {
        ret = list.isUserAllowed(user);
      }
    }

    // recursively look up the queue to see if parent queue has the permission.
    if (target.getType() == EntityType.QUEUE && !ret) {
      String queueName = target.getName();
      if (!queueName.contains(".")) {
        return ret;
      }
      String parentQueueName =
          queueName.substring(0, queueName.lastIndexOf("."));
      return checkPermissionInternal(accessType,
          new PrivilegedEntity(target.getType(), parentQueueName), user);
    }
    return ret;
  }
{code}




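A minimal model of the parent-queue fallback described in the report, added here as an illustration; it is not Hadoop code and not part of the original message. The class and method names are hypothetical, the queue ACLs mirror the reporter's capacity-scheduler.xml, and the second case assumes the root queue's submit ACL is explicitly set to a single space (no one) for contrast.

```java
import java.util.*;

// Added model of the lookup described in the report; not Hadoop code.
public class QueueAclModel {
    static final String ALL = "*";   // ACL value meaning "anyone"
    static final String NONE = " ";  // ACL value meaning "no one"

    // Constructed sample: submit ACL per queue path, as in the reporter's config.
    private final Map<String, String> submitAcls = new HashMap<>();

    QueueAclModel(String rootAcl) {
        // Assumption: null models an unset root ACL, which the report says resolves to ALL_ACL.
        submitAcls.put("root", rootAcl == null ? ALL : rootAcl);
        submitAcls.put("root.default", "yarn");
        submitAcls.put("root.test", "yarn");
    }

    // Simplified ACL match: "*" allows everyone, otherwise match the
    // comma-separated user list that precedes the first space.
    static boolean isUserAllowed(String acl, String user) {
        if (acl.trim().equals(ALL)) {
            return true;
        }
        String users = acl.split(" ", 2)[0];
        return Arrays.asList(users.split(",")).contains(user);
    }

    // Same shape as checkPermissionInternal: if the leaf denies, retry on the parent.
    boolean canSubmit(String queue, String user) {
        String acl = submitAcls.get(queue);
        if (acl != null && isUserAllowed(acl, user)) {
            return true;
        }
        int dot = queue.lastIndexOf('.');
        return dot >= 0 && canSubmit(queue.substring(0, dot), user);
    }

    public static void main(String[] args) {
        QueueAclModel unsetRoot = new QueueAclModel(null);
        QueueAclModel closedRoot = new QueueAclModel(NONE);
        for (String user : Arrays.asList("yarn", "yangjiandan")) {
            System.out.printf("%-12s root unset: %-5b  root=' ': %b%n", user,
                unsetRoot.canSubmit("root.test", user),
                closedRoot.canSubmit("root.test", user));
        }
    }
}
```

With the root ACL unset, the leaf ACL on root.test never restricts anyone, because every denied lookup falls through to root; the leaf ACL only takes effect once the root entry stops matching the user.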