Like I mentioned above - embedding the RM/ATS ui in a frame but blocking the NM ui is a pretty reasonable scenario.
Agree. I think we can achieve this by setting RM/ATS's option to SAMEORIGIN but keeping NM as DENY. Isn't it?
Adding a YARN-level config which can then be overridden by an RM-level config down the line will make things more confusing.
There is no overriding here. A YARN-level configuration is just to enable/disable the XFS protection feature. The sub-options are to address different daemons' requirements if XFS protection is enabled. Am I missing any cases here?
It's the other way round that's the problem in my opinion - with one config parameter - you force the users to open all web UIs or no web UIs.
Not really. The one config parameter here is just to mark whether the YARN web UIs are open or restricted (at different levels/options). Is there really a case where we want some YARN web UIs purely open to framing while others are protected? Instead, adding a configurable ALLOW-FROM makes more sense to me.