Posted to yarn-issues@hadoop.apache.org by "Eric Yang (JIRA)" <ji...@apache.org> on 2018/07/25 23:09:00 UTC

[jira] [Created] (YARN-8583) Inconsistency in YARN status command

Eric Yang created YARN-8583:
-------------------------------

             Summary: Inconsistency in YARN status command
                 Key: YARN-8583
                 URL: https://issues.apache.org/jira/browse/YARN-8583
             Project: Hadoop YARN
          Issue Type: Improvement
            Reporter: Eric Yang


The YARN app -status command can report based on application ID or application name, with some usability limitations.  Application ID is globally unique, and it allows any user to query the application status of any application.  Application name is not globally unique, and it will only work for querying the user's own application.  This is somewhat restrictive for application administrators, but allowing other users to query any other user's application could be considered a security hole as well.  There are two possible options to reduce the inconsistency:

Option 1.  Block other users from querying application status.  This may improve security in some sense, but it is an incompatible change.  This is a simpler change, made by matching the owner of the application and deciding whether to report or not report.

Option 2.  Add a --user parameter to allow an administrator to query an application name run by another user.  This is a bigger change because application metadata is stored in the user's own HDFS directory.  There are security restrictions that need to be defined.


