Uploaded image for project: 'Hadoop YARN'
  1. Hadoop YARN
  2. YARN-10870

Missing user filtering check -> yarn.webapp.filter-entity-list-by-user for RM Scheduler page

VotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 3.4.0, 3.3.2, 3.2.4
    • yarn
    • None
    • Reviewed

    Description

      Non-permissible users are (incorrectly) able to view application submitted by another user on the RM's Scheduler UI (not Applications UI), where non-permissible users are non-application-owners and are not present in the application ACL -> mapreduce.job.acl-view-job, nor present in the Queue ACL as a Queue admin to which this job was submitted to" (see [1] where both the filter setting introduced by YARN-8319 & ACL checks are performed):

      The issue can be reproduced easily by having the setting yarn.webapp.filter-entity-list-by-user set to true in yarn-site.xml.

      The above disallows non-permissible users from viewing another user's applications in the Applications page, but not in the Scheduler's page.

      The filter setting seems to be getting checked only on the getApps() call but not while rendering the apps information on the Scheduler page. This seems to be a "missed" feature from YARN-8319.

      Following pre-requisites are needed to reproduce the issue:

      • Kerberized cluster,
      • SPNEGO enabled for HDFS & YARN,
      • Add test users - systest and user1 on all nodes.
      • Add kerberos princs for the above users.
      • Create HDFS user dirs for above users and chown them appropriately.
      • Run a sample MR Sleep job and test.

      Steps to reproduce the issue:

      • kinit as "systest" user and run a sample MR sleep job from one of the nodes in the cluster:
      yarn jar <path_to_hadoop-mapreduce-client-jobclient-tests.jar> sleep -m 1 -mt 3600000
      
      • kinit as "user1" from Mac as an example (this assumes you've copied the /etc/krb5.conf from the cluster to your Mac's /private/etc folder already for Spengo auth).
      • Open the Applications page. user1 cannot view the job being run by systest. This is correct.
      • Open the Scheduler page. user1 CAN view the job being run by systest. This is INCORRECT.

      [1] https://github.com/apache/hadoop/blob/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L676

      Attachments

        1. YARN-10870.001.patch
          5 kB
          Gergely Pollák
        2. YARN-10870.002.patch
          5 kB
          Gergely Pollák
        3. YARN-10870.branch-3.1.002.patch
          5 kB
          Gergely Pollák
        4. YARN-10870.branch-3.2.002.patch
          5 kB
          Gergely Pollák
        5. YARN-10870.branch-3.3.002.patch
          5 kB
          Gergely Pollák

        Activity

          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            shuzirra Gergely Pollák
            sahuja Siddharth Ahuja
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment