You are viewing a plain text version of this content. The canonical link for it is here.
Posted to yarn-issues@hadoop.apache.org by "Tamas Domok (Jira)" <ji...@apache.org> on 2022/01/20 13:10:00 UTC
[jira] [Created] (YARN-11066) Flexible AQC doesn't check the Queue ACLs when submitting apps
Tamas Domok created YARN-11066:
----------------------------------
Summary: Flexible AQC doesn't check the Queue ACLs when submitting apps
Key: YARN-11066
URL: https://issues.apache.org/jira/browse/YARN-11066
Project: Hadoop YARN
Issue Type: Bug
Components: capacityscheduler, yarn
Affects Versions: 3.4.0
Reporter: Tamas Domok
Assignee: Tamas Domok
Attachments: capacity-scheduler.xml
Reproduction steps:
1. Use the attached configuration: [^capacity-scheduler.xml]
2. Enable *yarn.acl.enable* in yarn-site.xml.
3. Try to submit an application with any user other than *user1, user2, user3*.
{code}
yarn jar hadoop-mapreduce-examples-3.4.0-SNAPSHOT.jar pi 1 10
{code}
The *first* app submission will succeed with *someuser:somegroup* the *root.parent.somegroup.someuser* queue will be created. When the *root.parent.somegroup* dynamic parent queue already exists then the ACLs in *root.parent* will be checked and the *someuser* won't be able to submit an another app. But queues are deleted automatically, so this is a serious security issue.
This issue doesn't happen when dynamic parent queue is not created just a dynamic leaf queue.
Another inconsistency is that the ACLs configured with templates works on dynamic leaf queues, but not when there is a dynamic parent queue too.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org