Hadoop YARN: YARN-9225

user can submit applications even though they are not in the submit&admin acl


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Invalid
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: yarn
    • Labels: None

      Description

      I submitted an MR job even though the username is not in the submit & admin ACL.
      The admin & submit ACL of the test queue is yarn, and I submitted the app using the username yangjiandan, which is not in the ACL.

      I checked the related code and found the root cause is ConfiguredYarnAuthorizer#checkPermissionInternal: it looks through the parent queue when the ACL check of the leaf queue fails, but the ACL of the root queue is ALL_ACL in CapacitySchedulerConfiguration#getAcl, so the ACL check can always pass.

        private boolean checkPermissionInternal(AccessType accessType,
            PrivilegedEntity target, UserGroupInformation user) {
          boolean ret = false;
          Map<AccessType, AccessControlList> acls = allAcls.get(target);
          if (acls != null) {
            AccessControlList list = acls.get(accessType);
            if (list != null) {
              ret = list.isUserAllowed(user);
            }
          }
          // does it need to check parent queue?
          // recursively look up the queue to see if parent queue has the permission.
          if (target.getType() == EntityType.QUEUE && !ret) {
            String queueName = target.getName();
            if (!queueName.contains(".")) {
              return ret;
            }
            String parentQueueName =
                queueName.substring(0, queueName.lastIndexOf("."));
            return checkPermissionInternal(accessType,
                new PrivilegedEntity(target.getType(), parentQueueName), user);
          }
          return ret;
        }
      

      My configuration is:
      yarn-site.xml: set the scheduler to CapacityScheduler and enable ACLs

        <property>
          <name>yarn.acl.enable</name>
          <value>true</value>
        </property>
        <property>
          <name>yarn.admin.acl</name>
          <value> </value>
        </property>
        <property>
          <name>yarn.resourcemanager.scheduler.class</name>
          <value>org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.CapacityScheduler</value>
        </property>

      capacity-scheduler.xml: set submitAcl and adminAcl of the test queue to yarn

        <property>
          <name>yarn.scheduler.capacity.root.queues</name>
          <value>default,test</value>
        </property>
        <property>
          <name>yarn.scheduler.capacity.root.default.capacity</name>
          <value>[memory=40960,vcores=100]</value>
        </property>
        <property>
          <name>yarn.scheduler.capacity.root.default.maximum-capacity</name>
          <value>[memory=409600,vcores=480]</value>
        </property>
        <property>
          <name>yarn.scheduler.capacity.root.default.acl_submit_applications</name>
          <value>yarn</value>
        </property>
        <property>
          <name>yarn.scheduler.capacity.root.default.acl_administer_queue</name>
          <value>yarn</value>
        </property>
      
        <property>
          <name>yarn.scheduler.capacity.root.test.capacity</name>
          <value>[memory=40960,vcores=100]</value>
        </property>
        <property>
          <name>yarn.scheduler.capacity.root.test.maximum-capacity</name>
          <value>[memory=409600,vcores=480]</value>
        </property>
        <property>
          <name>yarn.scheduler.capacity.root.test.acl_submit_applications</name>
          <value>yarn</value>
        </property>
        <property>
          <name>yarn.scheduler.capacity.root.test.acl_administer_queue</name>
          <value>yarn</value>
        </property>
      
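The parent-queue walk quoted above, modelled as an added Python example (not Hadoop project code) so the effect of the reported configuration can be traced: a denial on root.test is retried on root, and because the reporter's capacity-scheduler.xml sets no ACL on root, CapacitySchedulerConfiguration#getAcl supplies the ALL_ACL default "*" and the walk succeeds. The hardened variant is the same file with root's ACLs set explicitly. The XML fragments are constructed, ACL-relevant subsets of the reporter's configuration; group membership, which a real cluster resolves through group mapping, is passed in explicitly here.

```python
"""Model of the parent-queue ACL walk quoted from
ConfiguredYarnAuthorizer#checkPermissionInternal.  Added illustration, not
Hadoop code: it reproduces the two behaviours the report relies on, a failed
leaf-queue check being retried on the parent, and a queue with no explicit
ACL property receiving the ALL_ACL default "*"."""
import xml.etree.ElementTree as ET

ALL_ACL = "*"
PREFIX = "yarn.scheduler.capacity."


def parse_properties(xml_text):
    """Hadoop <configuration><property><name/><value/></property> -> dict."""
    conf = ET.fromstring(xml_text)
    return {p.findtext("name").strip(): (p.findtext("value") or "")
            for p in conf.findall("property")}


def is_user_allowed(acl_string, user, groups=()):
    """AccessControlList semantics: any part equal to '*' allows everyone,
    otherwise 'user1,user2 group1,group2'; a blank ACL such as ' ' allows nobody."""
    parts = acl_string.split(" ", 1)
    if any(part.strip() == ALL_ACL for part in parts):
        return True
    users = {u.strip() for u in parts[0].split(",") if u.strip()}
    allowed_groups = set()
    if len(parts) == 2:
        allowed_groups = {g.strip() for g in parts[1].split(",") if g.strip()}
    return user in users or bool(allowed_groups.intersection(groups))


def queue_acl(props, queue, acl_type):
    """Value of yarn.scheduler.capacity.<queue>.<acl_type>; unset means ALL_ACL."""
    return props.get(f"{PREFIX}{queue}.{acl_type}", ALL_ACL)


def check_permission(props, queue, user, groups=(),
                     acl_type="acl_submit_applications", trace=None):
    """Mirror of checkPermissionInternal: a denial on a dotted queue name is
    retried on its parent until the check passes or 'root' is reached.
    `trace` (optional list) collects (queue, acl, allowed) for each step."""
    acl = queue_acl(props, queue, acl_type)
    allowed = is_user_allowed(acl, user, groups)
    if trace is not None:
        trace.append((queue, acl, allowed))
    if not allowed and "." in queue:
        parent = queue[: queue.rfind(".")]
        return check_permission(props, parent, user, groups, acl_type, trace)
    return allowed


# Constructed, ACL-relevant subset of the reporter's capacity-scheduler.xml:
# only root.test carries an ACL; root itself has none and so defaults to "*".
REPORTED_XML = """<configuration>
  <property><name>yarn.scheduler.capacity.root.queues</name><value>default,test</value></property>
  <property><name>yarn.scheduler.capacity.root.test.acl_submit_applications</name><value>yarn</value></property>
  <property><name>yarn.scheduler.capacity.root.test.acl_administer_queue</name><value>yarn</value></property>
</configuration>"""

# The same file with root's ACLs set explicitly, so the walk never meets "*".
HARDENED_XML = REPORTED_XML.replace("</configuration>", """\
  <property><name>yarn.scheduler.capacity.root.acl_submit_applications</name><value>yarn</value></property>
  <property><name>yarn.scheduler.capacity.root.acl_administer_queue</name><value>yarn</value></property>
</configuration>""")


def evaluate(xml_text, queue, user, groups=()):
    """Return (allowed, trace) for a submit-applications check against a config."""
    trace = []
    allowed = check_permission(parse_properties(xml_text), queue, user, groups,
                               trace=trace)
    return allowed, trace


if __name__ == "__main__":
    for label, xml_text in (("reported", REPORTED_XML), ("hardened", HARDENED_XML)):
        allowed, trace = evaluate(xml_text, "root.test", "yangjiandan")
        print(f"{label}: yangjiandan submit to root.test -> {allowed}")
        for queue, acl, ok in trace:
            print(f"  {queue:<10} acl={acl!r:<8} allowed={ok}")
```

With the reported file the trace is root.test ("yarn", denied) then root ("*", allowed), which is exactly the always-pass outcome the description observes; with root's acl_submit_applications and acl_administer_queue set explicitly, the walk ends at root with a denial for yangjiandan while yarn is still admitted. The practical check this suggests for a cluster running with yarn.acl.enable=true is that every queue on the path to root, root included, carries an explicit ACL, since an unset property is "*".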

        Attachments

        1. YARN-9225.001.patch (3 kB, Jiandan Yang)


            People

            • Assignee: Jiandan Yang (yangjiandan)
            • Reporter: Jiandan Yang (yangjiandan)
