Posted to yarn-issues@hadoop.apache.org by "Siddharth Ahuja (Jira)" <ji...@apache.org> on 2021/07/22 03:17:00 UTC

[jira] [Updated] (YARN-10870) Missing user filtering check -> yarn.webapp.filter-entity-list-by-user for RM Scheduler page

     [ https://issues.apache.org/jira/browse/YARN-10870?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Siddharth Ahuja updated YARN-10870:
-----------------------------------
    Description: 
Non-permissible users are (incorrectly) able to view applications submitted by another user on the RM's Scheduler UI (not the Applications UI), where _non-permissible users_ are non-application-owners who are not present in the application ACL -> mapreduce.job.acl-view-job, nor present in the Queue ACL as a Queue admin of the queue to which this job was submitted (see [1], where both the filter setting introduced by YARN-8319 & the ACL checks are performed).

The issue can be reproduced easily by having the setting {{yarn.webapp.filter-entity-list-by-user}} set to true in yarn-site.xml.

The above disallows non-permissible users from viewing another user's applications in the Applications page, but not in the Scheduler's page.

The filter setting seems to be getting checked only on the getApps() call but not while rendering the apps information on the Scheduler page. This seems to be a "missed" feature from YARN-8319.

The following prerequisites are needed to reproduce the issue:
* Kerberized cluster,
* SPNEGO enabled for HDFS & YARN,
* Add test users - systest and user1 on all nodes.
* Add Kerberos principals for the above users.
* Create HDFS user dirs for above users and chown them appropriately.
* Run a sample MR Sleep job and test.

Steps to reproduce the issue:
* kinit as "systest" user and run a sample MR sleep job from one of the nodes in the cluster:

{code}
yarn jar /opt/cloudera/parcels/CDH/lib/hadoop-mapreduce/hadoop-mapreduce-client-jobclient-tests.jar sleep -m 1 -mt 3600000
{code}

* kinit as "user1" from a Mac, as an example (this assumes you've already copied the /etc/krb5.conf from the cluster to your Mac's /private/etc folder for SPNEGO auth).

* Open the Applications page. user1 cannot view the job being run by systest. This is correct.

* Open the Scheduler page. user1 *CAN* view the job being run by systest. This is INCORRECT.

[1] https://github.com/apache/hadoop/blob/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L676
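As an added illustration (not Hadoop's code), the following models the visibility rule the report says the Applications page already enforces and the Scheduler page should mirror: with yarn.webapp.filter-entity-list-by-user=true a caller sees an application only if they own it, are in its view ACL, or are an admin of its queue. The AppInfo record, the QueueAdminAcl interface and the sample application id are assumptions constructed for this example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class SchedulerAppFilter {
    // Hypothetical minimal application record; field names are assumptions.
    public record AppInfo(String id, String owner, Set<String> viewAcl, String queue) {}

    // Hypothetical queue-admin lookup; real YARN resolves this through the scheduler's queue ACLs.
    public interface QueueAdminAcl {
        boolean isAdmin(String user, String queue);
    }

    // The three checks named in the report: owner, application view ACL, queue admin.
    // "*" is the Hadoop ACL wildcard meaning "everyone".
    static boolean canView(String caller, AppInfo app, QueueAdminAcl queueAcl) {
        if (caller == null) {
            return false;
        }
        if (caller.equals(app.owner())) {
            return true;
        }
        if (app.viewAcl().contains("*") || app.viewAcl().contains(caller)) {
            return true;
        }
        return queueAcl.isAdmin(caller, app.queue());
    }

    // The filter applies only when yarn.webapp.filter-entity-list-by-user is true,
    // the same semantics the report describes for the getApps() path.
    static List<AppInfo> visibleApps(boolean filterEntityListByUser, String caller,
                                     List<AppInfo> apps, QueueAdminAcl queueAcl) {
        if (!filterEntityListByUser) {
            return apps;
        }
        List<AppInfo> out = new ArrayList<>();
        for (AppInfo app : apps) {
            if (canView(caller, app, queueAcl)) {
                out.add(app);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample: systest's sleep job, shared with nobody via ACL, in queue "default".
        AppInfo sleepJob = new AppInfo("application_1626923820000_0001", "systest", Set.of(), "default");
        QueueAdminAcl noAdmins = (user, queue) -> false;
        List<AppInfo> apps = List.of(sleepJob);
        System.out.println("user1 sees " + visibleApps(true, "user1", apps, noAdmins).size() + " app(s)");
        System.out.println("systest sees " + visibleApps(true, "systest", apps, noAdmins).size() + " app(s)");
        System.out.println("filter off: user1 sees " + visibleApps(false, "user1", apps, noAdmins).size() + " app(s)");
    }
}
```

With the filter on, user1 gets an empty list, which is what the Applications page shows and what the Scheduler page does not currently enforce.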


> Missing user filtering check -> yarn.webapp.filter-entity-list-by-user for RM Scheduler page
> --------------------------------------------------------------------------------------------
>
>                 Key: YARN-10870
>                 URL: https://issues.apache.org/jira/browse/YARN-10870
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: yarn
>            Reporter: Siddharth Ahuja
>            Assignee: Gergely Pollák
>            Priority: Major
>


