hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Wilfred Spiegelenburg (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-5554) MoveApplicationAcrossQueues does not check user permission on the target queue
Date Fri, 06 Jan 2017 05:56:58 GMT

    [ https://issues.apache.org/jira/browse/YARN-5554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15803665#comment-15803665
] 

Wilfred Spiegelenburg commented on YARN-5554:
---------------------------------------------

bq. In testMoveApplicationSubmitTargetQueue() and testMoveApplicationAdminTargetQueue(), would
it make sense to test that the moves that are supposed to work do actually work?

The application object itself is hidden and mocked up as an object. The testing from this
side is purely for the ACL checks and enforcement. The application object that would be changed
is not reachable from the {{ClientRMService}} at all. It would require a lot of changes that
test underlying the underlying code base more than the client service.
Now that I think about it: we might even be able to make this far simpler if we move things
around. Now that we have the move in the {{RMAppManager}} we could even think about moving
all these ACL checks etc into the pre-validate check, or a security check, that is performed
in the app manager. It does make more sense to have it there.

bq. Why a ConcurrentHashMap in createClientRMServiceForMoveApplicationRequest() instead of
Collections.singletonMap()?
I used that because the {{thenReturn}} expects a {{ConcurrentHashMap}}. The {{apps}} variable
must be declared like it is. To use th singletonMap I then have to cast in the code which
does not make it any more readable or maintainable. The code that works would look like this:
{code}
    ConcurrentHashMap<ApplicationId, RMApp> apps = (ConcurrentHashMap) Collections.singletonMap(applicationId,
app);
    when(rmContext.getRMApps()).thenReturn(apps);
{code}
That does not look any nicer than what we now have does it?

> MoveApplicationAcrossQueues does not check user permission on the target queue
> ------------------------------------------------------------------------------
>
>                 Key: YARN-5554
>                 URL: https://issues.apache.org/jira/browse/YARN-5554
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: resourcemanager
>    Affects Versions: 2.7.2
>            Reporter: Haibo Chen
>            Assignee: Wilfred Spiegelenburg
>              Labels: oct16-medium
>         Attachments: YARN-5554.10.patch, YARN-5554.11.patch, YARN-5554.12.patch, YARN-5554.13.patch,
YARN-5554.14.patch, YARN-5554.2.patch, YARN-5554.3.patch, YARN-5554.4.patch, YARN-5554.5.patch,
YARN-5554.6.patch, YARN-5554.7.patch, YARN-5554.8.patch, YARN-5554.9.patch
>
>
> moveApplicationAcrossQueues operation currently does not check user permission on the
target queue. This incorrectly allows one user to move his/her own applications to a queue
that the user has no access to



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org


Mime
View raw message