hadoop-yarn-issues mailing list archives

From "Wilfred Spiegelenburg (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-5554) MoveApplicationAcrossQueues does not check user permission on the target queue
Date Wed, 07 Dec 2016 04:35:58 GMT

    [ https://issues.apache.org/jira/browse/YARN-5554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15727669#comment-15727669 ]

Wilfred Spiegelenburg commented on YARN-5554:

The main point is that the {{ClientRMService}} does not have direct access to the Scheduler.
All access checks run through the {{QueueACLsManager}} or the {{ApplicationACLsManager}}.
Any change must thus go through that. In this case the new method was introduced because the
current method does not have the destination queue available. We need to check the destination
queue; the originating queue is already checked earlier by calling the existing method. The
passed-in application has not been moved yet and thus still has the original queue. Updating
the application is not possible because that would pre-empt the fact that the application
can and will be moved.

The target queue checks are performed because it comes out of the move request and has not
been checked at the time the access check is performed. To be able to distinguish between
an access denied and a queue that does not exist, the log message was added if the queue returned
is empty. Without that check, and the log entries, at that point we would not be able to trace
back that difference.

I looked at folding the two methods into one to remove some code duplication but stopped with
that. The small but important differences between the two methods required a number of
{{if ... else ...}} constructs which made the code really difficult to read and understand.

> MoveApplicationAcrossQueues does not check user permission on the target queue
> ------------------------------------------------------------------------------
>                 Key: YARN-5554
>                 URL: https://issues.apache.org/jira/browse/YARN-5554
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: resourcemanager
>    Affects Versions: 2.7.2
>            Reporter: Haibo Chen
>            Assignee: Wilfred Spiegelenburg
>              Labels: oct16-medium
>         Attachments: YARN-5554.10.patch, YARN-5554.11.patch, YARN-5554.2.patch, YARN-5554.3.patch,
> YARN-5554.4.patch, YARN-5554.5.patch, YARN-5554.6.patch, YARN-5554.7.patch, YARN-5554.8.patch,
>
> moveApplicationAcrossQueues operation currently does not check user permission on the
> target queue. This incorrectly allows one user to move his/her own applications to a queue
> that the user has no access to
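
A simplified model of the check described in the comment above, as an added example that is not part of the original message and is not the YARN-5554 patch. The class, method and queue names are hypothetical and the ACL table is constructed sample data; it assumes that an unknown queue and an ACL denial both return false to the caller and differ only in the log.

```java
import java.util.Map;
import java.util.Set;
import java.util.logging.Logger;

/** Simplified model of a queue-move authorization check (hypothetical names, not Hadoop code). */
public class MoveAclExample {
    private static final Logger LOG = Logger.getLogger(MoveAclExample.class.getName());

    // Constructed sample data: queue name -> users allowed to use that queue.
    private static final Map<String, Set<String>> QUEUE_ACL = Map.of(
            "root.dev", Set.of("alice", "bob"),
            "root.prod", Set.of("bob"));

    /** Existing-style check: evaluated against the queue the application is in now. */
    static boolean checkSourceAccess(String user, String appOwner, String sourceQueue) {
        Set<String> acl = QUEUE_ACL.get(sourceQueue);
        return user.equals(appOwner) || (acl != null && acl.contains(user));
    }

    /** Separate check for the destination queue named in the move request. */
    static boolean checkTargetAccess(String user, String targetQueue) {
        Set<String> acl = QUEUE_ACL.get(targetQueue);
        if (acl == null) {
            // Unknown queue: deny, and log it so the denial can be traced back to
            // a missing queue rather than an ACL. Strip CR/LF from request data.
            LOG.warning("Move denied for " + user + ": target queue '"
                    + targetQueue.replaceAll("[\\r\\n]", "_") + "' does not exist");
            return false;
        }
        return acl.contains(user);
    }

    /** The application still reports its original queue, so the target is passed in. */
    static boolean mayMove(String user, String appOwner, String sourceQueue, String targetQueue) {
        return checkSourceAccess(user, appOwner, sourceQueue)
                && checkTargetAccess(user, targetQueue);
    }

    public static void main(String[] args) {
        // alice owns the application but is not in the ACL of root.prod.
        System.out.println("alice -> root.prod: " + mayMove("alice", "alice", "root.dev", "root.prod"));
        // bob is in the ACL of both queues.
        System.out.println("bob   -> root.prod: " + mayMove("bob", "bob", "root.dev", "root.prod"));
        // Queue name that does not exist: denied, with a distinguishing log entry.
        System.out.println("alice -> root.typo: " + mayMove("alice", "alice", "root.dev", "root.typo"));
    }
}
```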
