Details
Type: Bug
Status: Resolved
Priority: Major
Resolution: Invalid
Description
I submit an MR job even though the username is not in the submit & admin ACL.
The admin & submit ACL of the test queue is yarn, and I submit the app using the username yangjiandan, which is not in the ACL.
I checked the related code and found the root cause is ConfiguredYarnAuthorizer#checkPermissionInternal: it looks through the parent queue when ACL checking of the leaf queue fails, but the ACL of the root queue is ALL_ACL in CapacitySchedulerConfiguration#getAcl, so ACL checking can always pass.
private boolean checkPermissionInternal(AccessType accessType,
    PrivilegedEntity target, UserGroupInformation user) {
  boolean ret = false;
  Map<AccessType, AccessControlList> acls = allAcls.get(target);
  if (acls != null) {
    AccessControlList list = acls.get(accessType);
    if (list != null) {
      ret = list.isUserAllowed(user);
    }
  }
  // does it need to check parent queue?
  // recursively look up the queue to see if parent queue has the permission.
  if (target.getType() == EntityType.QUEUE && !ret) {
    String queueName = target.getName();
    if (!queueName.contains(".")) {
      return ret;
    }
    String parentQueueName =
        queueName.substring(0, queueName.lastIndexOf("."));
    return checkPermissionInternal(accessType,
        new PrivilegedEntity(target.getType(), parentQueueName), user);
  }
  return ret;
}
My configuration is:
yarn-site.xml: set the scheduler to CapacityScheduler and enable ACLs
<property>
  <name>yarn.acl.enable</name>
  <value>true</value>
</property>
<property>
  <name>yarn.admin.acl</name>
  <value> </value>
</property>
<property>
  <name>yarn.resourcemanager.scheduler.class</name>
  <value>org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.CapacityScheduler</value>
</property>
capacity-scheduler.xml: set submitAcl and adminAcl of the test queue to yarn
<property>
  <name>yarn.scheduler.capacity.root.queues</name>
  <value>default,test</value>
</property>
<property>
  <name>yarn.scheduler.capacity.root.default.capacity</name>
  <value>[memory=40960,vcores=100]</value>
</property>
<property>
  <name>yarn.scheduler.capacity.root.default.maximum-capacity</name>
  <value>[memory=409600,vcores=480]</value>
</property>
<property>
  <name>yarn.scheduler.capacity.root.default.acl_submit_applications</name>
  <value>yarn</value>
</property>
<property>
  <name>yarn.scheduler.capacity.root.default.acl_administer_queue</name>
  <value>yarn</value>
</property>
<property>
  <name>yarn.scheduler.capacity.root.test.capacity</name>
  <value>[memory=40960,vcores=100]</value>
</property>
<property>
  <name>yarn.scheduler.capacity.root.test.maximum-capacity</name>
  <value>[memory=409600,vcores=480]</value>
</property>
<property>
  <name>yarn.scheduler.capacity.root.test.acl_submit_applications</name>
  <value>yarn</value>
</property>
<property>
  <name>yarn.scheduler.capacity.root.test.acl_administer_queue</name>
  <value>yarn</value>
</property>
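The leaf-to-root ACL walk described in this report can be checked offline against a capacity-scheduler.xml to see which queue level actually grants access. The Python model below is an added example, not code from the reporter or from Hadoop. Its function names are hypothetical, the sample XML is constructed from the report's configuration, group entries in ACLs are ignored, an unset non-root ACL is assumed to be empty, and the second scenario assumes the root ACL is set explicitly to a single space (nobody).

```python
# Added example: model of the parent-queue ACL walk described in this report.
import xml.etree.ElementTree as ET

PREFIX = "yarn.scheduler.capacity."
ALL_ACL = "*"

# Constructed sample input, reduced from the reporter's capacity-scheduler.xml.
SAMPLE_XML = """<configuration>
  <property><name>yarn.scheduler.capacity.root.queues</name><value>default,test</value></property>
  <property><name>yarn.scheduler.capacity.root.test.acl_submit_applications</name><value>yarn</value></property>
  <property><name>yarn.scheduler.capacity.root.test.acl_administer_queue</name><value>yarn</value></property>
</configuration>"""

def load_props(xml_text):
    """Return {name: value} from a Hadoop-style configuration document."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name"): (p.findtext("value") or "")
            for p in root.iter("property")}

def queue_acl(props, queue, acl_key):
    """ACL string for one queue. An unset root ACL defaults to '*' (as the
    report notes); an unset non-root ACL is treated as empty (assumption)."""
    default = ALL_ACL if queue == "root" else " "
    return props.get(PREFIX + queue + "." + acl_key, default)

def user_in_acl(acl, user):
    """Simplified AccessControlList: '*' admits everyone, otherwise only the
    comma-separated user list before the first space (groups are ignored)."""
    if acl.strip() == ALL_ACL:
        return True
    users = acl.split(" ", 1)[0]
    return user in [u for u in users.split(",") if u]

def granting_queue(props, queue, acl_key, user):
    """Walk leaf -> root like checkPermissionInternal; return the queue whose
    ACL admits the user, or None if every level denies."""
    while True:
        if user_in_acl(queue_acl(props, queue, acl_key), user):
            return queue
        if "." not in queue:
            return None
        queue = queue.rsplit(".", 1)[0]

if __name__ == "__main__":
    props = load_props(SAMPLE_XML)
    key = "acl_submit_applications"
    print(granting_queue(props, "root.test", key, "yangjiandan"))  # root
    props[PREFIX + "root." + key] = " "  # restrict the root queue explicitly
    print(granting_queue(props, "root.test", key, "yangjiandan"))  # None
```

A result of `root` for a user absent from the leaf ACL means the leaf restriction is not the effective control; the root ACL is.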