Hadoop YARN / YARN-11066

Flexible AQC doesn't check the Queue ACLs when submitting apps

Details

    • Bug
    • Status: Resolved
    • Critical
    • Resolution: Fixed
    • 3.4.0
    • None
    • capacityscheduler, yarn
    • None

    Description

      Reproduction steps:

      1. Use the attached configuration: capacity-scheduler.xml
      2. Enable yarn.acl.enable in yarn-site.xml.
      3. Try to submit an application with any user other than user1, user2, user3.

      yarn jar hadoop-mapreduce-examples-3.4.0-SNAPSHOT.jar pi 1 10
      

      The first app submission will succeed with someuser:somegroup, and the root.parent.somegroup.someuser queue will be created. When the root.parent.somegroup dynamic parent queue already exists, the ACLs in root.parent will be checked and someuser won't be able to submit another app. But queues are deleted automatically, so this is a serious security issue.

      This issue doesn't happen when a dynamic parent queue is not created, just a dynamic leaf queue.

      Another inconsistency is that the ACLs configured with templates work on dynamic leaf queues, but not when there is a dynamic parent queue too.
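
A simplified model of the behaviour described above, added here as an example; it is not part of the original report and not YARN's code. The ACL table, the function names, the assumption that root grants nobody, and the modelled flaw (the check is skipped when the leaf's parent does not exist yet) are all assumptions chosen to reproduce the reported sequence, next to a check that always evaluates the nearest existing ancestor.

```python
# Simplified model of the behaviour in this report; not YARN's implementation.
# Constructed sample data: only user1..user3 may submit under root.parent,
# and root itself grants nobody (assumption).
ACLS = {"root.parent": {"user1", "user2", "user3"}}


def ancestors(path):
    """Yield the queue path and each ancestor, deepest first."""
    parts = path.split(".")
    for i in range(len(parts), 0, -1):
        yield ".".join(parts[:i])


def allowed_by_hierarchy(user, start):
    """A user may submit if any queue from `start` up to root lists them."""
    return any(user in ACLS.get(q, set()) for q in ancestors(start))


def buggy_can_submit(user, leaf, existing):
    """Modelled flaw: the ACL check runs only when the leaf's parent exists."""
    parent = leaf.rsplit(".", 1)[0]
    if parent not in existing:
        return True  # dynamic parent missing: submission is not checked
    return allowed_by_hierarchy(user, parent)


def strict_can_submit(user, leaf, existing):
    """Check the nearest ancestor that already exists, before creating anything."""
    nearest = next((q for q in ancestors(leaf) if q in existing), "root")
    return allowed_by_hierarchy(user, nearest)


def replay(check):
    """Submit as someuser in three states: fresh, queues present, queues deleted."""
    existing = {"root", "root.parent"}
    leaf = "root.parent.somegroup.someuser"
    results = [check("someuser", leaf, existing)]
    existing |= {"root.parent.somegroup", leaf}   # state: dynamic queues exist
    results.append(check("someuser", leaf, existing))
    existing -= {"root.parent.somegroup", leaf}   # state: queues auto-deleted
    results.append(check("someuser", leaf, existing))
    return results


if __name__ == "__main__":
    print("buggy :", replay(buggy_can_submit))   # [True, False, True]
    print("strict:", replay(strict_can_submit))  # [False, False, False]
```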

      Attachments

        1. capacity-scheduler.xml
          3 kB
          Tamas Domok
        2. Screenshot 2022-01-21 at 10.00.32.png
          157 kB
          Tamas Domok

            People

              tdomok Tamas Domok
              tdomok Tamas Domok