You are viewing a plain text version of this content. The canonical link for it is here.
Posted to yarn-issues@hadoop.apache.org by "Wilfred Spiegelenburg (JIRA)" <ji...@apache.org> on 2016/12/02 16:29:58 UTC

[jira] [Commented] (YARN-5554) MoveApplicationAcrossQueues does not check user permission on the target queue

    [ https://issues.apache.org/jira/browse/YARN-5554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15715560#comment-15715560 ] 

Wilfred Spiegelenburg commented on YARN-5554:
---------------------------------------------

bq." doesn't have permissions submit to target queue: " is missing a "to" before the "submit."

fixed the typo

bq. In QueueACLsManager.checkAccess(), I don't see why you need to do the scheduler-dependent if. Can't you just call checkAccess() in all cases?

The capacity scheduler part is a copy of the checkAccess() that is already there. The change to not use the checkAccess() of the scheduler for the capacity scheduler was made as part of YARN-4571. Bringing the FairScheduler and the CapacityScheduler in sync is more work than we can just push into this jira. I think it is better to open a follow up jira to refactor this and bring the two schedulers in sync again. Let me know if you agree with that approach.

bq. In your tests, I would feel better if you tested that the app is in the right queue after the successful moves.

Because of the way the tests are mocked up the current tests can not do that. We create a ClientRMService which does not have a scheduler or an application manager. The test are focussed on the ACL managers and making sure that they stop the move in the service. We can extend the tests to do the app checks but that would introduce scheduler specific testing into the client service.

bq. Note that your use of a lambda in createClientRMServiceForMoveApplicationRequest() means this patch can only go into trunk.

oops did not think about that. I'll have rewritten the tests to remove the lambda. I now really appreciate the simplicity of using a lambda ;-)

> MoveApplicationAcrossQueues does not check user permission on the target queue
> ------------------------------------------------------------------------------
>
>                 Key: YARN-5554
>                 URL: https://issues.apache.org/jira/browse/YARN-5554
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: resourcemanager
>    Affects Versions: 2.7.2
>            Reporter: Haibo Chen
>            Assignee: Wilfred Spiegelenburg
>              Labels: oct16-medium
>         Attachments: YARN-5554.2.patch, YARN-5554.3.patch, YARN-5554.4.patch, YARN-5554.5.patch, YARN-5554.6.patch, YARN-5554.7.patch, YARN-5554.8.patch, YARN-5554.9.patch
>
>
> moveApplicationAcrossQueues operation currently does not check user permission on the target queue. This incorrectly allows one user to move his/her own applications to a queue that the user has no access to



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org