Major Description
Non-permissible users are (incorrectly) able to view application submitted by another user on the RM's Scheduler UI (not Applications UI), where non-permissible users are non-application-owners and are not present in the application ACL -> mapreduce.job.acl-view-job, nor present in the Queue ACL as a Queue admin to which this job was submitted to" (see [1] where both the filter setting introduced by YARN-8319 & ACL checks are performed):
The issue can be reproduced easily by having the setting yarn.webapp.filter-entity-list-by-user set to true in yarn-site.xml.
The above disallows non-permissible users from viewing another user's applications in the Applications page, but not in the Scheduler's page.
The filter setting seems to be getting checked only on the getApps() call but not while rendering the apps information on the Scheduler page. This seems to be a "missed" feature from YARN-8319.
Following pre-requisites are needed to reproduce the issue:
- Kerberized cluster,
- SPNEGO enabled for HDFS & YARN,
- Add test users - systest and user1 on all nodes.
- Add kerberos princs for the above users.
- Create HDFS user dirs for above users and chown them appropriately.
- Run a sample MR Sleep job and test.
Steps to reproduce the issue:
- kinit as "systest" user and run a sample MR sleep job from one of the nodes in the cluster:
yarn jar <path_to_hadoop-mapreduce-client-jobclient-tests.jar> sleep -m 1 -mt 3600000
- kinit as "user1" from Mac as an example (this assumes you've copied the /etc/krb5.conf from the cluster to your Mac's /private/etc folder already for Spengo auth).
- Open the Applications page. user1 cannot view the job being run by systest. This is correct.
- Open the Scheduler page. user1 CAN view the job being run by systest. This is INCORRECT.
Attachments
Attachments
Issue Links
- is duplicated by
-
YARN-10345 HsWebServices containerlogs does not honor ACLs for completed jobs
-
- Resolved
-