You are viewing a plain text version of this content. The canonical link for it is here.
Posted to yarn-issues@hadoop.apache.org by "Jiandan Yang (JIRA)" <ji...@apache.org> on 2019/01/24 01:50:00 UTC
[jira] [Updated] (YARN-9225) user can submit application even
though they are not in the submit&admin acl
[ https://issues.apache.org/jira/browse/YARN-9225?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jiandan Yang updated YARN-9225:
--------------------------------
Summary: user can submit application even though they are not in the submit&admin acl (was: ACL checking fails when setting yarn.acl.enable=true)
> user can submit application even though they are not in the submit&admin acl
> ----------------------------------------------------------------------------
>
> Key: YARN-9225
> URL: https://issues.apache.org/jira/browse/YARN-9225
> Project: Hadoop YARN
> Issue Type: Bug
> Components: yarn
> Reporter: Jiandan Yang
> Assignee: Jiandan Yang
> Priority: Major
> Attachments: YARN-9225.001.patch
>
>
> my configuration is:
> yarn-site.xml: set scheduler is CapacityScheduler and enable acl
> {code:java}
> <property>
> <name>yarn.acl.enable</name>
> <value>true</value>
> </property>
> <property>
> <name>yarn.admin.acl</name>
> <value> </value>
> </property>
> <property>
> <name>yarn.resourcemanager.scheduler.class</name>
> <value>org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.CapacityScheduler</value>
> </property>
> {code}
> capacity-scheduler.xml set submitAcl and adminAcl of test queue to yarn
> {code:java}
> <property>
> <name>yarn.scheduler.capacity.root.queues</name>
> <value>default,test</value>
> </property>
> <property>
> <name>yarn.scheduler.capacity.root.default.capacity</name>
> <value>[memory=40960,vcores=100]</value>
> </property>
> <property>
> <name>yarn.scheduler.capacity.root.default.maximum-capacity</name>
> <value>[memory=409600,vcores=480]</value>
> </property>
> <property>
> <name>yarn.scheduler.capacity.root.default.acl_submit_applications</name>
> <value>yarn</value>
> </property>
> <property>
> <name>yarn.scheduler.capacity.root.default.acl_administer_queue</name>
> <value>yarn</value>
> </property>
> <property>
> <name>yarn.scheduler.capacity.root.test.capacity</name>
> <value>[memory=40960,vcores=100]</value>
> </property>
> <property>
> <name>yarn.scheduler.capacity.root.test.maximum-capacity</name>
> <value>[memory=409600,vcores=480]</value>
> </property>
> <property>
> <name>*yarn.scheduler.capacity.root.test.acl_submit_applications*</name>
> <value>yarn</value>
> </property>
> <property>
> <name>yarn.scheduler.capacity.root.test.acl_administer_queue</name>
> <value>yarn</value>
> </property>
> {code}
> I submit MR job into test queue using username of yangjiandan successfully.
> I check related code and found the root cause is ConfiguredYarnAuthorizer#checkPermissionInternal, it will look through parent queue when acl checking of leaf queue fails, but acl of root queue is *ALL_ACL* in CapacitySchedulerConfiguration#getAcl, so acl checking can always pass.
> {code:java}
> private boolean checkPermissionInternal(AccessType accessType,
> PrivilegedEntity target, UserGroupInformation user) {
> boolean ret = false;
> Map<AccessType, AccessControlList> acls = allAcls.get(target);
> if (acls != null) {
> AccessControlList list = acls.get(accessType);
> if (list != null) {
> ret = list.isUserAllowed(user);
> }
> }
> // recursively look up the queue to see if parent queue has the permission.
> if (target.getType() == EntityType.QUEUE && !ret) {
> String queueName = target.getName();
> if (!queueName.contains(".")) {
> return ret;
> }
> String parentQueueName =
> queueName.substring(0, queueName.lastIndexOf("."));
> return checkPermissionInternal(accessType,
> new PrivilegedEntity(target.getType(), parentQueueName), user);
> }
> return ret;
> }
> {code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org