Details
-
Sub-task
-
Status: Resolved
-
Critical
-
Resolution: Fixed
-
3.3.0, 3.2.2, 3.4.0
-
Reviewed
Description
HsWebServices containerlogs does not honor ACLs. User who does not have permission to view a job is allowed to view the job logs for completed jobs from YARN UI2 through HsWebServices.
Repro:
Secure cluster + yarn.admin.acl=yarn,mapred + Root Queue ACLs set to " " + HistoryServer runs as mapred
- Run a sample MR job using systest user
- Once the job is complete, access the job logs using hue user from YARN UI2.
YARN CLI works fine and does not allow hue user to view systest user job logs.
[hue@pjoseph-cm-2 /]$
[hue@pjoseph-cm-2 /]$ yarn logs -applicationId application_1594188841761_0002
WARNING: YARN_OPTS has been replaced by HADOOP_OPTS. Using value of YARN_OPTS.
20/07/08 07:23:08 INFO client.RMProxy: Connecting to ResourceManager at rmhostname:8032
Permission denied: user=hue, access=EXECUTE, inode="/tmp/logs/systest":systest:hadoop:drwxrwx---
at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.check(FSPermissionChecker.java:496)
Attachments
Attachments
Issue Links
- duplicates
-
YARN-10870 Missing user filtering check -> yarn.webapp.filter-entity-list-by-user for RM Scheduler page
-
- Resolved
-
- is caused by
-
-
- Resolved
-
- links to