Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Invalid
-
2.5.0, 2.4.1
-
None
-
None
Description
A user without ADMINISTER_QUEUE privilege can kill application from all queues.
to replicate the bug:
1) install cluster with yarn.resourcemanager.scheduler.class set to org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.CapacityScheduler
2) created 2 users (user1, user2) each belong to a separate group (group1, group2)
3) set acl_submit_applications and acl_administer_queue of the root and root.default queues to group1
4) submit job to default queue by user1
[user1@htc2n3 ~]$ mapred queue -showacls
...
Queue acls for user : user1Queue Operations
=====================
root ADMINISTER_QUEUE,SUBMIT_APPLICATIONS
default ADMINISTER_QUEUE,SUBMIT_APPLICATIONS[user1@htc2n3 ~]$ yarn jar /opt/apache/hadoop-2.5.0/share/hadoop/mapreduce/hadoop-mapreduce-examples-2.4.1.jar pi -Dmapreduce.job.queuename=default 4 1000000000
5) kill the application by user2
[user2@htc2n4 ~]$ mapred queue -showacls
...
Queue acls for user : user2Queue Operations
=====================
root
default[user2@htc2n4 ~]$ yarn application -kill application_1408540602935_0004
...
Killing application application_1408540602935_0004
14/08/21 14:37:54 INFO impl.YarnClientImpl: Killed application application_1408540602935_0004