You are viewing a plain text version of this content. The canonical link for it is here.

Posted to yarn-issues@hadoop.apache.org by "Wilfred Spiegelenburg (JIRA)" <ji...@apache.org> on 2016/09/26 11:18:20 UTC

[jira] [Updated] (YARN-5554) MoveApplicationAcrossQueues does not check user permission on the target queue

     [ https://issues.apache.org/jira/browse/YARN-5554?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Wilfred Spiegelenburg updated YARN-5554:
----------------------------------------
    Attachment: YARN-5554.4.patch

Sorry for the delayed response, I tried to add a new test which test just the getAccess call in the client but did not get it to work nicely. 

I have updated the patch with the check for an non existing queue including an extra test.

I did not move the check for a non existent queue into the {{ClientRMService}} because each scheduler checks the queue existence in its own way and we would have had to introduce a number of new dependencies into the client. I left it in {{QueueACLsManager}} which already has the CS as a dependency. It now also logs that the target queue does not exists.

For the check that [~jianhe] mentioned: we have an existing check for MODIFY_APP in the code. That check also takes into account the administrator access for the origin queue, covering the {{application_acl}} part. The new check added handles the first part {{submit_acl_on_target_queue || target_queue_adminAcl)}} Both need to pass to move the application.

> MoveApplicationAcrossQueues does not check user permission on the target queue
> ------------------------------------------------------------------------------
>
>                 Key: YARN-5554
>                 URL: https://issues.apache.org/jira/browse/YARN-5554
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: resourcemanager
>    Affects Versions: 2.7.2
>            Reporter: Haibo Chen
>            Assignee: Wilfred Spiegelenburg
>         Attachments: YARN-5554.2.patch, YARN-5554.3.patch, YARN-5554.4.patch
>
>
> moveApplicationAcrossQueues operation currently does not check user permission on the target queue. This incorrectly allows one user to move his/her own applications to a queue that the user has no access to



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org