You are viewing a plain text version of this content. The canonical link for it is here.

Posted to yarn-issues@hadoop.apache.org by "Rohith (JIRA)" <ji...@apache.org> on 2014/11/25 18:07:13 UTC

[jira] [Commented] (YARN-2894) When ACL's are enabled, if RM switches then application can not be viewed from web.

    [ https://issues.apache.org/jira/browse/YARN-2894?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14224844#comment-14224844 ] 

Rohith commented on YARN-2894:
------------------------------

Consider scenario in following 
1. Yarn RM HA cluster is started with enabling ACL's. RM is in Active state.
2. Submit yarn application(app1), access this application from RM web ui.User is able to view the app1
3. Do transition ACTIVE --> STANDBY --> ACTIVE.
4. Submit another yarn application(app2). Try to access app2 link from RM web UI. It can not be viewed and throw NPE at RM log.

> When ACL's are enabled, if RM switches then application can not be viewed from web.
> -----------------------------------------------------------------------------------
>
>                 Key: YARN-2894
>                 URL: https://issues.apache.org/jira/browse/YARN-2894
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: resourcemanager
>    Affects Versions: 2.6.0
>            Reporter: Rohith
>            Assignee: Rohith
>             Fix For: 2.7.0
>
>
> Binding aclManager to RMWebApp would cause problem if RM is switched. There could be some validation check may fail.
> I think , we should not bind aclManager for RMWebApp, instead we should get from RM instance.
> In RMWebApp,
> {code}
>     if (rm != null) {
>       bind(ResourceManager.class).toInstance(rm);
>       bind(RMContext.class).toInstance(rm.getRMContext());
>       bind(ApplicationACLsManager.class).toInstance(
>           rm.getApplicationACLsManager());
>       bind(QueueACLsManager.class).toInstance(rm.getQueueACLsManager());
>     }
> {code}
> and in AppBlock#render below check may fail(Need to test and confirm)
> {code}
>    if (callerUGI != null
>         && !(this.aclsManager.checkAccess(callerUGI,
>                 ApplicationAccessType.VIEW_APP, app.getUser(), appID) ||
>              this.queueACLsManager.checkAccess(callerUGI,
>                 QueueACL.ADMINISTER_QUEUE, app.getQueue()))) {
>       puts("You (User " + remoteUser
>           + ") are not authorized to view application " + appID);
>       return;
>     }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)