Details
-
Improvement
-
Status: Open
-
Major
-
Resolution: Unresolved
-
None
-
None
-
None
-
None
-
Incompatible change
Description
YARN app -status command can report base on application ID or application name with some usability limitation. Application ID is globally unique, and it allows any user to query application status of any application. Application name is not globally unique, and it will only work for querying user's own application. This is somewhat restrictive for application administrator, but allowing other user to query any other user's application could consider a security hole as well. There are two possible options to reduce the inconsistency:
Option 1. Block other user from query application status. This may improve security in some sense, but it is an incompatible change. This is a simpler change by matching the owner of the application, and decide to report or not report.
Option 2. Add --user parameter to allow administrator to query application name ran by other user. This is a bigger change because application metadata is stored in user's own hdfs directory. There are security restriction that need to be defined.