hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Zhijie Shen (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-1269) QueueACLs doesn't work as root allows *
Date Thu, 03 Oct 2013 19:14:41 GMT

    [ https://issues.apache.org/jira/browse/YARN-1269?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13785452#comment-13785452
] 

Zhijie Shen commented on YARN-1269:
-----------------------------------

We need to configure root not to accept *. However, the following case will have some problem.

{code}
    <property>
        <name>yarn.scheduler.capacity.root.queue1.acl_submit_applications</name>
        <value>user1</value>
        <description>
            The ACL of who can submit jobs to the default queue.
        </description>
    </property>
    <property>
        <name>yarn.scheduler.capacity.root.queue2.acl_submit_applications</name>
        <value>user2</value>
        <description>
            The ACL of who can submit jobs to the default queue.
        </description>
    </property>
{code}

If we have the two queues, we definitely don't want to set the users of the root to be the
union of the users of both queues. Otherwise, user1 and user2 have the the access to both
queues.

Maybe we should not check the parent queue access if the parent queue is root?

> QueueACLs doesn't work as root allows *
> ---------------------------------------
>
>                 Key: YARN-1269
>                 URL: https://issues.apache.org/jira/browse/YARN-1269
>             Project: Hadoop YARN
>          Issue Type: Bug
>            Reporter: Zhijie Shen
>            Assignee: Zhijie Shen
>
> Even if we specify acl for default queue, say user1, user2 can still submit and kill
applications on default queue, because the queue checked user2 don't have the access to it,
it then checked whether user2 has the access to it's parent recursively, and finally it found
user2 have the access to root.



--
This message was sent by Atlassian JIRA
(v6.1#6144)

Mime
View raw message