Uploaded image for project: 'Hadoop YARN'
  1. Hadoop YARN
  2. YARN-10025 Various improvements in YARN log servlets
  3. YARN-10345

HsWebServices containerlogs does not honor ACLs for completed jobs

Add voteVotersWatch issueWatchersLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Sub-task
    • Status: Open
    • Critical
    • Resolution: Unresolved
    • 3.3.0, 3.2.2, 3.4.0
    • None
    • yarn
    • None

    Description

      HsWebServices containerlogs does not honor ACLs. User who does not have permission to view a job is allowed to view the job logs for completed jobs from YARN UI2 through HsWebServices.

      Repro:

      Secure cluster + yarn.admin.acl=yarn,mapred + Root Queue ACLs set to " " + HistoryServer runs as mapred

      1. Run a sample MR job using systest user
      2.  Once the job is complete, access the job logs using hue user from YARN UI2.

       

      YARN CLI works fine and does not allow hue user to view systest user job logs.

      [hue@pjoseph-cm-2 /]$ 
      [hue@pjoseph-cm-2 /]$ yarn logs -applicationId application_1594188841761_0002
      WARNING: YARN_OPTS has been replaced by HADOOP_OPTS. Using value of YARN_OPTS.
      20/07/08 07:23:08 INFO client.RMProxy: Connecting to ResourceManager at rmhostname:8032
      Permission denied: user=hue, access=EXECUTE, inode="/tmp/logs/systest":systest:hadoop:drwxrwx---
      	at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.check(FSPermissionChecker.java:496)
      

      Attachments

        Issue Links

        Activity

          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            prabhujoseph Prabhu Joseph
            prabhujoseph Prabhu Joseph

            Dates

              Created:
              Updated:

              Slack

                Issue deployment