hadoop-yarn-issues mailing list archives

From "Zhijie Shen (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-2310) Revisit the APIs in RM web services where user information can make difference
Date Mon, 18 Aug 2014 17:24:18 GMT

    [ https://issues.apache.org/jira/browse/YARN-2310?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14100883#comment-14100883 ]

Zhijie Shen commented on YARN-2310:
-----------------------------------

Thanks for notifying me of that. Would you please check the other app-related getter methods?
For example, getAppAttempts. It seems that we can access it without any access control.

> Revisit the APIs in RM web services where user information can make difference
> ------------------------------------------------------------------------------
>
>                 Key: YARN-2310
>                 URL: https://issues.apache.org/jira/browse/YARN-2310
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: resourcemanager, webapp
>    Affects Versions: 3.0.0, 2.5.0
>            Reporter: Zhijie Shen
>
> After YARN-2247, RM web services can be sheltered by the authentication filter, which
> can help to identify who the user is. With this information, we should be able to fix the
> security problem of some existing APIs, such as getApp, getAppAttempts, getApps. We should
> use the user information to check the ACLs before returning the requested data to the user.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
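The shape of the fix the issue description asks for, written out as an added illustration that is not part of the JIRA thread and not Hadoop's own code: a getter such as getAppAttempts takes the caller's identity from the authentication filter, runs the owner / admin / view-ACL decision, and only then returns attempt data. The class names AclGuardedGetter, AclChecker, RmWebServiceSim and App are hypothetical stand-ins for RMWebServices and its ACL manager; the ACL string follows YARN's "users groups" convention (with "*" meaning everyone) but the parser is a simplified re-implementation, and all users, groups and application ids are constructed for the demo.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.NoSuchElementException;
import java.util.Set;

/** Added illustration (hypothetical names), not Hadoop code: an ACL-guarded REST getter. */
public class AclGuardedGetter {

    /** No authenticated principal on the request while ACLs are enforced. */
    public static class UnauthorizedException extends RuntimeException {
        UnauthorizedException(String msg) { super(msg); }
    }

    /** Authenticated caller who is neither owner, admin, nor in the view ACL. */
    public static class ForbiddenException extends RuntimeException {
        ForbiddenException(String msg) { super(msg); }
    }

    /** Constructed stand-in for an RMApp: owner, "users groups" view ACL, attempt ids. */
    public static class App {
        final String id, owner, viewAcl;
        final List<String> attempts;
        App(String id, String owner, String viewAcl, List<String> attempts) {
            this.id = id; this.owner = owner; this.viewAcl = viewAcl; this.attempts = attempts;
        }
    }

    /** Simplified ACL match: "user1,user2 group1,group2"; "*" grants everyone. Not Hadoop's parser. */
    static boolean aclAllows(String acl, String user, Set<String> groups) {
        if (acl == null) return false;
        if (acl.trim().equals("*")) return true;
        String[] parts = acl.split(" ", 2);   // users before the first space, groups after it
        Set<String> users = new HashSet<>(Arrays.asList(parts[0].split(",")));
        Set<String> aclGroups = new HashSet<>();
        if (parts.length > 1) aclGroups.addAll(Arrays.asList(parts[1].trim().split(",")));
        if (users.contains(user)) return true;
        for (String g : groups) {
            if (aclGroups.contains(g)) return true;
        }
        return false;
    }

    /** Owner, admin ACL, or the app's view ACL decides; with ACLs off everyone may view. */
    public static class AclChecker {
        final boolean aclsEnabled;
        final String adminAcl;
        final Map<String, Set<String>> groupsOf;   // user -> groups, constructed for the demo
        AclChecker(boolean aclsEnabled, String adminAcl, Map<String, Set<String>> groupsOf) {
            this.aclsEnabled = aclsEnabled; this.adminAcl = adminAcl; this.groupsOf = groupsOf;
        }
        boolean canView(String user, App app) {
            if (!aclsEnabled) return true;
            if (user.equals(app.owner)) return true;
            Set<String> groups = groupsOf.getOrDefault(user, Collections.<String>emptySet());
            return aclAllows(adminAcl, user, groups) || aclAllows(app.viewAcl, user, groups);
        }
    }

    /** The guarded getter. remoteUser is what the authentication filter set, never a query parameter. */
    public static class RmWebServiceSim {
        final Map<String, App> apps;
        final AclChecker checker;
        RmWebServiceSim(Map<String, App> apps, AclChecker checker) { this.apps = apps; this.checker = checker; }

        public List<String> getAppAttempts(String remoteUser, String appId) {
            // Reject anonymous callers before the lookup, so existence of an app is not revealed to them.
            if (checker.aclsEnabled && remoteUser == null) {
                throw new UnauthorizedException("request carries no authenticated user");
            }
            App app = apps.get(appId);
            if (app == null) throw new NoSuchElementException("unknown app " + appId);
            if (!checker.canView(remoteUser, app)) {
                throw new ForbiddenException(remoteUser + " may not view " + appId);
            }
            return Collections.unmodifiableList(app.attempts);
        }
    }

    public static void main(String[] args) {
        Map<String, Set<String>> groups = new HashMap<>();          // constructed group membership
        groups.put("bob", new HashSet<>(Arrays.asList("analysts")));
        groups.put("carol", new HashSet<>(Arrays.asList("ops")));
        Map<String, App> apps = new HashMap<>();
        apps.put("app_1", new App("app_1", "alice", " analysts",     // no users, group "analysts"
                Arrays.asList("appattempt_1_000001", "appattempt_1_000002")));
        RmWebServiceSim ws = new RmWebServiceSim(apps, new AclChecker(true, "yarnadmin", groups));
        // alice (owner), bob (group in ACL) and yarnadmin (admin ACL) get the list;
        // mallory is Forbidden; a null remote user is Unauthorized.
        for (String caller : new String[] {"alice", "bob", "yarnadmin", "mallory", null}) {
            try {
                System.out.println(caller + " -> " + ws.getAppAttempts(caller, "app_1"));
            } catch (RuntimeException e) {
                System.out.println(caller + " -> " + e.getClass().getSimpleName() + ": " + e.getMessage());
            }
        }
    }
}
```

The two design points worth carrying into the real getters are visible in getAppAttempts: the identity used for the decision is whatever the authentication filter attached to the request, not a user name supplied by the client, and the same check sits in front of every app-related getter (getApp, getApps, getAppAttempts) rather than only the one that happened to be reported.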
