Posted to yarn-issues@hadoop.apache.org by "Wilfred Spiegelenburg (JIRA)" <ji...@apache.org> on 2016/09/26 11:18:20 UTC
[jira] [Updated] (YARN-5554) MoveApplicationAcrossQueues does not check user permission on the target queue
[ https://issues.apache.org/jira/browse/YARN-5554?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Wilfred Spiegelenburg updated YARN-5554:
----------------------------------------
Attachment: YARN-5554.4.patch
Sorry for the delayed response, I tried to add a new test which tests just the getAccess call in the client but did not get it to work nicely.
I have updated the patch with the check for a non-existing queue including an extra test.
I did not move the check for a non-existent queue into the {{ClientRMService}} because each scheduler checks the queue existence in its own way and we would have had to introduce a number of new dependencies into the client. I left it in {{QueueACLsManager}} which already has the CS as a dependency. It now also logs that the target queue does not exist.
For the check that [~jianhe] mentioned: we have an existing check for MODIFY_APP in the code. That check also takes into account the administrator access for the origin queue, covering the {{application_acl}} part. The new check added handles the first part {{submit_acl_on_target_queue || target_queue_adminAcl)}}. Both need to pass to move the application.
> MoveApplicationAcrossQueues does not check user permission on the target queue
> ------------------------------------------------------------------------------
>
> Key: YARN-5554
> URL: https://issues.apache.org/jira/browse/YARN-5554
> Project: Hadoop YARN
> Issue Type: Bug
> Components: resourcemanager
> Affects Versions: 2.7.2
> Reporter: Haibo Chen
> Assignee: Wilfred Spiegelenburg
> Attachments: YARN-5554.2.patch, YARN-5554.3.patch, YARN-5554.4.patch
>
>
> moveApplicationAcrossQueues operation currently does not check user permission on the target queue. This incorrectly allows one user to move his/her own applications to a queue that the user has no access to.
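
The two-part decision described in the comment above, as an added example that is not part of the original message or the YARN-5554 patch. It is a simplified, self-contained model: the class, record and method names are hypothetical and are not Hadoop classes, and it assumes the application owner holds MODIFY_APP. The queues and users are constructed sample data.

```java
import java.util.*;

// Simplified model of the move-authorization rule; names are hypothetical, not Hadoop classes.
public class MoveAccessModel {
    record Queue(Set<String> submitAcl, Set<String> adminAcl) {}
    record App(String owner, String queue, Set<String> modifyAcl) {}

    private final Map<String, Queue> queues = new HashMap<>();

    void addQueue(String name, Set<String> submit, Set<String> admin) {
        queues.put(name, new Queue(submit, admin));
    }

    // Existing check: MODIFY_APP on the application, with origin-queue admins also allowed.
    // Assumption of this model: the application owner always holds MODIFY_APP.
    boolean canModifyApp(String user, App app) {
        Queue origin = queues.get(app.queue());
        return user.equals(app.owner()) || app.modifyAcl().contains(user)
            || (origin != null && origin.adminAcl().contains(user));
    }

    // New check: submit ACL or admin ACL on the target queue; an unknown queue is denied and logged.
    boolean canAccessTarget(String user, String target) {
        Queue q = queues.get(target);
        if (q == null) {
            System.err.println("Target queue " + target + " does not exist");
            return false;
        }
        return q.submitAcl().contains(user) || q.adminAcl().contains(user);
    }

    // Both checks have to pass before the application is moved.
    boolean canMove(String user, App app, String target) {
        return canModifyApp(user, app) && canAccessTarget(user, target);
    }

    public static void main(String[] args) {
        MoveAccessModel m = new MoveAccessModel();
        m.addQueue("dev", Set.of("alice", "bob"), Set.of("devadmin"));   // constructed sample data
        m.addQueue("prod", Set.of("bob"), Set.of("prodadmin"));
        App aliceApp = new App("alice", "dev", Set.of());
        App bobApp = new App("bob", "dev", Set.of());
        System.out.println(m.canMove("alice", aliceApp, "prod"));     // owner without access to prod
        System.out.println(m.canMove("alice", aliceApp, "missing"));  // target queue does not exist
        System.out.println(m.canMove("prodadmin", aliceApp, "prod")); // target admin without MODIFY_APP
        System.out.println(m.canMove("bob", bobApp, "prod"));         // owner with submit access to prod
    }
}
```

Only the last call passes both checks; the first is the case the issue reports, where an owner moves an application into a queue they cannot submit to.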