Repository: tez
Updated Branches:
  refs/heads/branch-0.7 850e9389e -> e2709dc74


TEZ-2922. Tez Live UI gives access denied for admins

(cherry picked from commit b120e8e840489baa5b3316bbcd6e34262e579024)


Project: http://git-wip-us.apache.org/repos/asf/tez/repo
Commit: http://git-wip-us.apache.org/repos/asf/tez/commit/e2709dc7
Tree: http://git-wip-us.apache.org/repos/asf/tez/tree/e2709dc7
Diff: http://git-wip-us.apache.org/repos/asf/tez/diff/e2709dc7

Branch: refs/heads/branch-0.7
Commit: e2709dc7429172511f6f11449c7643a429cc908c
Parents: 850e938
Author: Jonathan Eagles <[email protected]>
Authored: Wed Nov 4 17:20:52 2015 -0600
Committer: Jonathan Eagles <[email protected]>
Committed: Wed Nov 4 17:25:11 2015 -0600

----------------------------------------------------------------------
 CHANGES.txt                                     |  1 +
 docs/src/site/markdown/tez_acls.md              | 11 +++++
 .../common/security/ACLConfigurationParser.java | 10 ++--
 .../apache/tez/common/security/ACLManager.java  | 12 +++--
 .../org/apache/tez/common/security/ACLType.java |  2 +
 .../security/TestACLConfigurationParser.java    | 37 +++++++++++++--
 .../tez/common/security/TestACLManager.java     | 50 +++++++++++++++++++-
 7 files changed, 109 insertions(+), 14 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/tez/blob/e2709dc7/CHANGES.txt
----------------------------------------------------------------------
diff --git a/CHANGES.txt b/CHANGES.txt
index 886a9f2..f877ce9 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -7,6 +7,7 @@ INCOMPATIBLE CHANGES
   TEZ-2679. Admin forms of launch env settings
 
 ALL CHANGES
+  TEZ-2922. Tez Live UI gives access denied for admins
   TEZ-2828. Fix typo in "Shuffle assigned " log statement in 
shuffle.orderedgrouped.Shuffle.
   TEZ-2909. Tez UI: Application link in All DAGs table is disable when 
applicationhistory is unavailable
   TEZ-2553. Tez UI: Tez UI Nits

http://git-wip-us.apache.org/repos/asf/tez/blob/e2709dc7/docs/src/site/markdown/tez_acls.md
----------------------------------------------------------------------
diff --git a/docs/src/site/markdown/tez_acls.md 
b/docs/src/site/markdown/tez_acls.md
index 2ac6830..28b309f 100644
--- a/docs/src/site/markdown/tez_acls.md
+++ b/docs/src/site/markdown/tez_acls.md
@@ -46,6 +46,17 @@ By default, ACLs are always enabled in Tez. To disable ACLs, 
set the following c
 > &nbsp;&nbsp;&nbsp;&lt;value&gt;false&lt;/value&gt;<br/>
 > &lt;/property&gt;<br/>
 
+### YARN Administration ACLs
+
+YARN Administration ACLs are driven by configuration at the cluster level. 
YARN administrators are granted AM level view and modify permissions. One 
current limitation is that a modification to the cluster wide yarn.admin.acl 
configuration while an AM is running is not reflected in the AM view and modify 
ACLs. To setup the ACLs, the following properties need to be defined:
+
+> &lt;property&gt;<br/>
+> &nbsp;&nbsp;&nbsp;&lt;name&gt;yarn.admin.acl&lt;/name&gt;<br/>
+> &nbsp;&nbsp;&nbsp;&lt;value&gt;&lt;/value&gt;<br/>
+> &lt;/property&gt;<br/>
+
+The format of the value is a comma-separated list of users and groups with the 
users and groups separated by a single whitespace. e.g. "user1,user2 
group1,group2". To allow all users to do a given operation, the value "*" can 
be specified.
+
 ### AM/Session Level ACLs
 
 AM/Session level ACLs are driven by configuration. To setup the ACLs, the 
following properties need to be defined:

http://git-wip-us.apache.org/repos/asf/tez/blob/e2709dc7/tez-api/src/main/java/org/apache/tez/common/security/ACLConfigurationParser.java
----------------------------------------------------------------------
diff --git 
a/tez-api/src/main/java/org/apache/tez/common/security/ACLConfigurationParser.java
 
b/tez-api/src/main/java/org/apache/tez/common/security/ACLConfigurationParser.java
index 1c1d7f6..d788a46 100644
--- 
a/tez-api/src/main/java/org/apache/tez/common/security/ACLConfigurationParser.java
+++ 
b/tez-api/src/main/java/org/apache/tez/common/security/ACLConfigurationParser.java
@@ -30,6 +30,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.apache.hadoop.classification.InterfaceAudience.Private;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.tez.common.TezCommonUtils;
 import org.apache.tez.dag.api.TezConfiguration;
 import org.apache.tez.dag.api.TezConstants;
@@ -63,9 +64,11 @@ public class ACLConfigurationParser {
 
   private void parse(boolean dagACLs) {
     if (!dagACLs) {
+      parseACLType(YarnConfiguration.YARN_ADMIN_ACL, ACLType.YARN_ADMIN_ACL);
       parseACLType(TezConfiguration.TEZ_AM_VIEW_ACLS, ACLType.AM_VIEW_ACL);
       parseACLType(TezConfiguration.TEZ_AM_MODIFY_ACLS, ACLType.AM_MODIFY_ACL);
     } else {
+      parseACLType(YarnConfiguration.YARN_ADMIN_ACL, ACLType.YARN_ADMIN_ACL);
       parseACLType(TezConstants.TEZ_DAG_VIEW_ACLS, ACLType.DAG_VIEW_ACL);
       parseACLType(TezConstants.TEZ_DAG_MODIFY_ACLS, ACLType.DAG_MODIFY_ACL);
     }
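Review bot: The same `parseACLType(YarnConfiguration.YARN_ADMIN_ACL, ACLType.YARN_ADMIN_ACL);` call is added to both branches of `parse`, so it can be hoisted to a single call above `if (!dagACLs)`. That keeps the admin ACL from being dropped if a third branch is ever added. When `dagACLs` is true the value is presumably read from the DAG-scoped configuration; if a DAG submitter can set `yarn.admin.acl` there, the "admin" entry is submitter-controlled rather than cluster-controlled, and a comment stating which configuration is authoritative would help. The method's closing brace is outside the hunk.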
@@ -111,14 +114,11 @@ public class ACLConfigurationParser {
       return;
     }
     if (userListStr.length() >= 1) {
-      allowedUsers.put(aclType,
-          
Sets.newLinkedHashSet(Arrays.asList(TezCommonUtils.getTrimmedStrings(userListStr))));
+      allowedUsers.put(aclType, 
Sets.newLinkedHashSet(Arrays.asList(TezCommonUtils.getTrimmedStrings(userListStr))));
     }
     if (groupListStr != null && groupListStr.length() >= 1) {
-      allowedGroups.put(aclType,
-          
Sets.newLinkedHashSet(Arrays.asList(TezCommonUtils.getTrimmedStrings(groupListStr))));
+      allowedGroups.put(aclType, 
Sets.newLinkedHashSet(Arrays.asList(TezCommonUtils.getTrimmedStrings(groupListStr))));
     }
-
   }
 
   public Map<ACLType, Set<String>> getAllowedUsers() {

http://git-wip-us.apache.org/repos/asf/tez/blob/e2709dc7/tez-api/src/main/java/org/apache/tez/common/security/ACLManager.java
----------------------------------------------------------------------
diff --git 
a/tez-api/src/main/java/org/apache/tez/common/security/ACLManager.java 
b/tez-api/src/main/java/org/apache/tez/common/security/ACLManager.java
index cebb17a..e1c7314 100644
--- a/tez-api/src/main/java/org/apache/tez/common/security/ACLManager.java
+++ b/tez-api/src/main/java/org/apache/tez/common/security/ACLManager.java
@@ -141,21 +141,25 @@ public class ACLManager {
   }
 
   public boolean checkAMViewAccess(UserGroupInformation ugi) {
-    return checkAccess(ugi, ACLType.AM_VIEW_ACL);
+    return checkAccess(ugi, ACLType.AM_VIEW_ACL)
+        || checkAccess(ugi, ACLType.YARN_ADMIN_ACL);
   }
 
   public boolean checkAMModifyAccess(UserGroupInformation ugi) {
-    return checkAccess(ugi, ACLType.AM_MODIFY_ACL);
+    return checkAccess(ugi, ACLType.AM_MODIFY_ACL)
+        || checkAccess(ugi, ACLType.YARN_ADMIN_ACL);
   }
 
   public boolean checkDAGViewAccess(UserGroupInformation ugi) {
     return checkAccess(ugi, ACLType.AM_VIEW_ACL)
-        || checkAccess(ugi, ACLType.DAG_VIEW_ACL);
+        || checkAccess(ugi, ACLType.DAG_VIEW_ACL)
+        || checkAccess(ugi, ACLType.YARN_ADMIN_ACL);
   }
 
   public boolean checkDAGModifyAccess(UserGroupInformation ugi) {
     return checkAccess(ugi, ACLType.AM_MODIFY_ACL)
-        || checkAccess(ugi, ACLType.DAG_MODIFY_ACL);
+        || checkAccess(ugi, ACLType.DAG_MODIFY_ACL)
+        || checkAccess(ugi, ACLType.YARN_ADMIN_ACL);
   }
 
   public Map<ApplicationAccessType, String> toYARNACls() {
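Review bot: All four checks now grant access on `ACLType.YARN_ADMIN_ACL`, so a wildcard in `yarn.admin.acl` gives every user AM and DAG modify rights regardless of the Tez view/modify ACLs. `testAdminWildCardCheck` in this commit pins exactly that behaviour. YARN ships `yarn.admin.acl` with a default of `*`, so on a cluster that never overrode it, and assuming the AM's Configuration picks up that default, this change would effectively switch Tez ACLs off. I would log a warning when the parsed admin ACL is the wildcard and put a comment on these methods such as `// yarn.admin.acl defaults to "*" in YARN; a wildcard here bypasses the AM/DAG ACLs`. The four `|| checkAccess(ugi, ACLType.YARN_ADMIN_ACL)` clauses could also move into one private helper, so a future check method cannot omit or misapply the admin rule.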

http://git-wip-us.apache.org/repos/asf/tez/blob/e2709dc7/tez-api/src/main/java/org/apache/tez/common/security/ACLType.java
----------------------------------------------------------------------
diff --git a/tez-api/src/main/java/org/apache/tez/common/security/ACLType.java 
b/tez-api/src/main/java/org/apache/tez/common/security/ACLType.java
index fd00f22..0202e1b 100644
--- a/tez-api/src/main/java/org/apache/tez/common/security/ACLType.java
+++ b/tez-api/src/main/java/org/apache/tez/common/security/ACLType.java
@@ -25,6 +25,8 @@ import 
org.apache.hadoop.classification.InterfaceAudience.Private;
  */
 @Private
 public enum ACLType {
+  /** YARN admin (view/modify) permissions on the Application Master */
+  YARN_ADMIN_ACL,
   /** View permissions on the Application Master */
   AM_VIEW_ACL,
   /** Modify permissions on the Application Master */
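Review bot: `YARN_ADMIN_ACL` is inserted as the first constant, which shifts the ordinal of every existing `ACLType` value. If anything outside this diff stores or transmits ordinals, appending the constant at the end would be the safer placement. The Javadoc also says "on the Application Master", while `ACLManager` consults it for the DAG checks too; something like `/** YARN cluster administrators; implies view and modify on both the AM and its DAGs */` would match the behaviour. The rest of the enum is outside the hunk.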

http://git-wip-us.apache.org/repos/asf/tez/blob/e2709dc7/tez-api/src/test/java/org/apache/tez/common/security/TestACLConfigurationParser.java
----------------------------------------------------------------------
diff --git 
a/tez-api/src/test/java/org/apache/tez/common/security/TestACLConfigurationParser.java
 
b/tez-api/src/test/java/org/apache/tez/common/security/TestACLConfigurationParser.java
index a535d18..f1a2c49 100644
--- 
a/tez-api/src/test/java/org/apache/tez/common/security/TestACLConfigurationParser.java
+++ 
b/tez-api/src/test/java/org/apache/tez/common/security/TestACLConfigurationParser.java
@@ -19,6 +19,7 @@
 package org.apache.tez.common.security;
 
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.tez.dag.api.TezConfiguration;
 import org.apache.tez.dag.api.TezConstants;
 import org.junit.Assert;
@@ -30,8 +31,10 @@ public class TestACLConfigurationParser {
   public void testACLConfigParser() {
 
     Configuration conf = new Configuration(false);
+    String adminACLs = "admin1,admin4,       admgrp3,admgrp4,admgrp5  ";
     String viewACLs = "user1,user4,       grp3,grp4,grp5  ";
     String modifyACLs = "user3 ";
+    conf.set(YarnConfiguration.YARN_ADMIN_ACL, adminACLs);
     conf.set(TezConfiguration.TEZ_AM_VIEW_ACLS, viewACLs);
 
     ACLConfigurationParser parser = new ACLConfigurationParser(conf);
@@ -40,11 +43,16 @@ public class TestACLConfigurationParser {
     
Assert.assertTrue(parser.getAllowedUsers().get(ACLType.AM_VIEW_ACL).contains("user1"));
     
Assert.assertFalse(parser.getAllowedUsers().get(ACLType.AM_VIEW_ACL).contains("user3"));
     
Assert.assertTrue(parser.getAllowedUsers().get(ACLType.AM_VIEW_ACL).contains("user4"));
+    
Assert.assertTrue(parser.getAllowedUsers().get(ACLType.YARN_ADMIN_ACL).contains("admin1"));
+    
Assert.assertTrue(parser.getAllowedUsers().get(ACLType.YARN_ADMIN_ACL).contains("admin4"));
     Assert.assertFalse(parser.getAllowedGroups().isEmpty());
     
Assert.assertTrue(parser.getAllowedGroups().get(ACLType.AM_VIEW_ACL).contains("grp3"));
     
Assert.assertFalse(parser.getAllowedGroups().get(ACLType.AM_VIEW_ACL).contains("grp6"));
     
Assert.assertTrue(parser.getAllowedGroups().get(ACLType.AM_VIEW_ACL).contains("grp4"));
     
Assert.assertTrue(parser.getAllowedGroups().get(ACLType.AM_VIEW_ACL).contains("grp5"));
+    
Assert.assertTrue(parser.getAllowedGroups().get(ACLType.YARN_ADMIN_ACL).contains("admgrp3"));
+    
Assert.assertTrue(parser.getAllowedGroups().get(ACLType.YARN_ADMIN_ACL).contains("admgrp4"));
+    
Assert.assertTrue(parser.getAllowedGroups().get(ACLType.YARN_ADMIN_ACL).contains("admgrp5"));
 
     conf.set(TezConfiguration.TEZ_AM_MODIFY_ACLS, modifyACLs);
     parser = new ACLConfigurationParser(conf);
@@ -60,31 +68,43 @@ public class TestACLConfigurationParser {
     
Assert.assertFalse(parser.getAllowedGroups().get(ACLType.AM_VIEW_ACL).contains("grp6"));
     
Assert.assertTrue(parser.getAllowedGroups().get(ACLType.AM_VIEW_ACL).contains("grp4"));
     
Assert.assertTrue(parser.getAllowedGroups().get(ACLType.AM_VIEW_ACL).contains("grp5"));
-    Assert.assertNull(parser.getAllowedGroups().get(ACLType.AM_MODIFY_ACL));
-
+    Assert.assertFalse(parser.getAllowedGroups().isEmpty());
+    
Assert.assertTrue(parser.getAllowedGroups().get(ACLType.YARN_ADMIN_ACL).contains("admgrp3"));
+    
Assert.assertTrue(parser.getAllowedGroups().get(ACLType.YARN_ADMIN_ACL).contains("admgrp4"));
+    
Assert.assertTrue(parser.getAllowedGroups().get(ACLType.YARN_ADMIN_ACL).contains("admgrp5"));
   }
 
   @Test(timeout = 5000)
   public void testGroupsOnly() {
     Configuration conf = new Configuration(false);
+    String adminACLs = "admin1,admin4,       admgrp3,admgrp4,admgrp5  ";
     String viewACLs = "     grp3,grp4,grp5";
     conf.set(TezConfiguration.TEZ_AM_VIEW_ACLS, viewACLs);
+    conf.set(YarnConfiguration.YARN_ADMIN_ACL, adminACLs);
+
     ACLConfigurationParser parser = new ACLConfigurationParser(conf);
-    Assert.assertTrue(parser.getAllowedUsers().isEmpty());
+    Assert.assertFalse(parser.getAllowedUsers().isEmpty());
+    
Assert.assertTrue(parser.getAllowedUsers().get(ACLType.YARN_ADMIN_ACL).contains("admin1"));
+    
Assert.assertTrue(parser.getAllowedUsers().get(ACLType.YARN_ADMIN_ACL).contains("admin4"));
     Assert.assertFalse(parser.getAllowedGroups().isEmpty());
     
Assert.assertTrue(parser.getAllowedGroups().get(ACLType.AM_VIEW_ACL).contains("grp3"));
     
Assert.assertFalse(parser.getAllowedGroups().get(ACLType.AM_VIEW_ACL).contains("grp6"));
     
Assert.assertTrue(parser.getAllowedGroups().get(ACLType.AM_VIEW_ACL).contains("grp4"));
     
Assert.assertTrue(parser.getAllowedGroups().get(ACLType.AM_VIEW_ACL).contains("grp5"));
+    
Assert.assertTrue(parser.getAllowedGroups().get(ACLType.YARN_ADMIN_ACL).contains("admgrp3"));
+    
Assert.assertTrue(parser.getAllowedGroups().get(ACLType.YARN_ADMIN_ACL).contains("admgrp4"));
+    
Assert.assertTrue(parser.getAllowedGroups().get(ACLType.YARN_ADMIN_ACL).contains("admgrp5"));
   }
 
   @Test(timeout = 5000)
   public void testDAGACLConfigParser() {
 
     Configuration conf = new Configuration(false);
+    String adminACLs = "admin1,admin4,       admgrp3,admgrp4,admgrp5  ";
     String viewACLs = "user1,user4 grp3,grp4,grp5";
     String modifyACLs = "user3 grp4";
     conf.set(TezConstants.TEZ_DAG_VIEW_ACLS, viewACLs);
+    conf.set(YarnConfiguration.YARN_ADMIN_ACL, adminACLs);
 
     ACLConfigurationParser parser = new ACLConfigurationParser(conf, true);
     
Assert.assertTrue(parser.getAllowedUsers().containsKey(ACLType.DAG_VIEW_ACL));
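Review bot: Two negative assertions are replaced by weaker ones here, although the properties they covered should still hold. In `testACLConfigParser`, `Assert.assertNull(parser.getAllowedGroups().get(ACLType.AM_MODIFY_ACL));` is removed, yet `modifyACLs` is still `"user3 "` with no groups, so the assertion can stay next to the new admin checks. In `testGroupsOnly`, `getAllowedUsers().isEmpty()` flips to `assertFalse`, which drops the check that a groups-only view ACL produces no user entry; adding `Assert.assertNull(parser.getAllowedUsers().get(ACLType.AM_VIEW_ACL));` restores it. Without these, a parser regression that leaks admin entries into other ACL types would go unnoticed.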
@@ -92,11 +112,16 @@ public class TestACLConfigurationParser {
     
Assert.assertTrue(parser.getAllowedUsers().get(ACLType.DAG_VIEW_ACL).contains("user1"));
     
Assert.assertFalse(parser.getAllowedUsers().get(ACLType.DAG_VIEW_ACL).contains("user3"));
     
Assert.assertTrue(parser.getAllowedUsers().get(ACLType.DAG_VIEW_ACL).contains("user4"));
+    
Assert.assertTrue(parser.getAllowedUsers().get(ACLType.YARN_ADMIN_ACL).contains("admin1"));
+    
Assert.assertTrue(parser.getAllowedUsers().get(ACLType.YARN_ADMIN_ACL).contains("admin4"));
     Assert.assertFalse(parser.getAllowedGroups().isEmpty());
     
Assert.assertTrue(parser.getAllowedGroups().get(ACLType.DAG_VIEW_ACL).contains("grp3"));
     
Assert.assertFalse(parser.getAllowedGroups().get(ACLType.DAG_VIEW_ACL).contains("grp6"));
     
Assert.assertTrue(parser.getAllowedGroups().get(ACLType.DAG_VIEW_ACL).contains("grp4"));
     
Assert.assertTrue(parser.getAllowedGroups().get(ACLType.DAG_VIEW_ACL).contains("grp5"));
+    
Assert.assertTrue(parser.getAllowedGroups().get(ACLType.YARN_ADMIN_ACL).contains("admgrp3"));
+    
Assert.assertTrue(parser.getAllowedGroups().get(ACLType.YARN_ADMIN_ACL).contains("admgrp4"));
+    
Assert.assertTrue(parser.getAllowedGroups().get(ACLType.YARN_ADMIN_ACL).contains("admgrp5"));
 
     conf.set(TezConstants.TEZ_DAG_MODIFY_ACLS, modifyACLs);
     parser = new ACLConfigurationParser(conf, true);
@@ -107,6 +132,8 @@ public class TestACLConfigurationParser {
     
Assert.assertTrue(parser.getAllowedUsers().get(ACLType.DAG_VIEW_ACL).contains("user4"));
     
Assert.assertFalse(parser.getAllowedUsers().get(ACLType.DAG_MODIFY_ACL).contains("user1"));
     
Assert.assertTrue(parser.getAllowedUsers().get(ACLType.DAG_MODIFY_ACL).contains("user3"));
+    
Assert.assertTrue(parser.getAllowedUsers().get(ACLType.YARN_ADMIN_ACL).contains("admin1"));
+    
Assert.assertTrue(parser.getAllowedUsers().get(ACLType.YARN_ADMIN_ACL).contains("admin4"));
     Assert.assertFalse(parser.getAllowedGroups().isEmpty());
     
Assert.assertTrue(parser.getAllowedGroups().get(ACLType.DAG_VIEW_ACL).contains("grp3"));
     
Assert.assertFalse(parser.getAllowedGroups().get(ACLType.DAG_VIEW_ACL).contains("grp6"));
@@ -115,7 +142,9 @@ public class TestACLConfigurationParser {
     
Assert.assertNotNull(parser.getAllowedGroups().get(ACLType.DAG_MODIFY_ACL));
     
Assert.assertFalse(parser.getAllowedGroups().get(ACLType.DAG_MODIFY_ACL).contains("grp6"));
     
Assert.assertTrue(parser.getAllowedGroups().get(ACLType.DAG_MODIFY_ACL).contains("grp4"));
-
+    
Assert.assertTrue(parser.getAllowedGroups().get(ACLType.YARN_ADMIN_ACL).contains("admgrp3"));
+    
Assert.assertTrue(parser.getAllowedGroups().get(ACLType.YARN_ADMIN_ACL).contains("admgrp4"));
+    
Assert.assertTrue(parser.getAllowedGroups().get(ACLType.YARN_ADMIN_ACL).contains("admgrp5"));
   }
 
 }

http://git-wip-us.apache.org/repos/asf/tez/blob/e2709dc7/tez-api/src/test/java/org/apache/tez/common/security/TestACLManager.java
----------------------------------------------------------------------
diff --git 
a/tez-api/src/test/java/org/apache/tez/common/security/TestACLManager.java 
b/tez-api/src/test/java/org/apache/tez/common/security/TestACLManager.java
index 56cd465..a88e801 100644
--- a/tez-api/src/test/java/org/apache/tez/common/security/TestACLManager.java
+++ b/tez-api/src/test/java/org/apache/tez/common/security/TestACLManager.java
@@ -25,6 +25,7 @@ import java.util.Set;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.yarn.api.records.ApplicationAccessType;
+import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.tez.dag.api.TezConfiguration;
 import org.apache.tez.dag.api.TezConstants;
 import org.junit.Assert;
@@ -161,6 +162,7 @@ public class TestACLManager {
     String[] groups1 = new String[] {"grp1", "grp2"};
     String[] groups2 = new String[] {"grp3", "grp4"};
     String[] groups3 = new String[] {"grp5", "grp6"};
+    String[] admingroup1 = new String[] {"admgrp1"};
 
     UserGroupInformation currentUser = 
UserGroupInformation.createUserForTesting("currentUser", noGroups);
     UserGroupInformation user1 = 
UserGroupInformation.createUserForTesting("user1", groups1); // belongs to grp1 
and grp2
@@ -169,14 +171,19 @@ public class TestACLManager {
     UserGroupInformation user4 = 
UserGroupInformation.createUserForTesting("user4", noGroups);
     UserGroupInformation user5 = 
UserGroupInformation.createUserForTesting("user5", groups3); // belongs to grp5 
and grp6
     UserGroupInformation user6 = 
UserGroupInformation.createUserForTesting("user6", noGroups);
+    UserGroupInformation admuser1 = 
UserGroupInformation.createUserForTesting("admuser1", admingroup1);
+    UserGroupInformation admuser2 = 
UserGroupInformation.createUserForTesting("admuser2", noGroups);
 
     Configuration conf = new Configuration(false);
     // View ACLs: user1, user4, grp3, grp4.
     String viewACLs = "user1,user4,,   grp3,grp4  ";
     // Modify ACLs: user3, grp6, grp7
     String modifyACLs = "user3   grp6,grp7";
+    // YARN Admin ACLs: admuser1, admgrp1
+    String yarnAdminACLs = "admuser2,   admgrp1  ";
     conf.set(TezConfiguration.TEZ_AM_VIEW_ACLS, viewACLs);
     conf.set(TezConfiguration.TEZ_AM_MODIFY_ACLS, modifyACLs);
+    conf.set(YarnConfiguration.YARN_ADMIN_ACL, yarnAdminACLs);
 
     ACLManager aclManager = new ACLManager(currentUser.getShortUserName(), 
conf);
 
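Review bot: The comment `// YARN Admin ACLs: admuser1, admgrp1` does not match the value below it, `"admuser2,   admgrp1  "`. The user listed is `admuser2`, and `admuser1` only gets in through membership of `admgrp1`. Since the test relies on that to cover both the user path and the group path, the comment should say so, e.g. `// YARN Admin ACLs: user admuser2, group admgrp1 (admuser1 is a member of admgrp1)`. The same comment and value are repeated in the `@@ -227,14 +242,19 @@` hunk of this file.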
@@ -187,6 +194,8 @@ public class TestACLManager {
     Assert.assertTrue(aclManager.checkAMViewAccess(user4));
     Assert.assertFalse(aclManager.checkAMViewAccess(user5));
     Assert.assertFalse(aclManager.checkAMViewAccess(user6));
+    Assert.assertTrue(aclManager.checkAMViewAccess(admuser1));
+    Assert.assertTrue(aclManager.checkAMViewAccess(admuser2));
 
     Assert.assertTrue(aclManager.checkAMModifyAccess(currentUser));
     Assert.assertFalse(aclManager.checkAMModifyAccess(user1));
@@ -195,6 +204,8 @@ public class TestACLManager {
     Assert.assertFalse(aclManager.checkAMModifyAccess(user4));
     Assert.assertTrue(aclManager.checkAMModifyAccess(user5));
     Assert.assertFalse(aclManager.checkAMModifyAccess(user6));
+    Assert.assertTrue(aclManager.checkAMModifyAccess(admuser1));
+    Assert.assertTrue(aclManager.checkAMModifyAccess(admuser2));
 
     Assert.assertTrue(aclManager.checkDAGViewAccess(currentUser));
     Assert.assertTrue(aclManager.checkDAGViewAccess(user1));
@@ -203,6 +214,8 @@ public class TestACLManager {
     Assert.assertTrue(aclManager.checkDAGViewAccess(user4));
     Assert.assertFalse(aclManager.checkDAGViewAccess(user5));
     Assert.assertFalse(aclManager.checkDAGViewAccess(user6));
+    Assert.assertTrue(aclManager.checkDAGViewAccess(admuser1));
+    Assert.assertTrue(aclManager.checkDAGViewAccess(admuser2));
 
     Assert.assertTrue(aclManager.checkDAGModifyAccess(currentUser));
     Assert.assertFalse(aclManager.checkDAGModifyAccess(user1));
@@ -211,7 +224,8 @@ public class TestACLManager {
     Assert.assertFalse(aclManager.checkDAGModifyAccess(user4));
     Assert.assertTrue(aclManager.checkDAGModifyAccess(user5));
     Assert.assertFalse(aclManager.checkDAGModifyAccess(user6));
-
+    Assert.assertTrue(aclManager.checkDAGModifyAccess(admuser1));
+    Assert.assertTrue(aclManager.checkDAGModifyAccess(admuser2));
   }
 
   @Test(timeout = 5000)
@@ -219,6 +233,7 @@ public class TestACLManager {
     String[] groups1 = new String[] {"grp1", "grp2"};
     String[] groups2 = new String[] {"grp3", "grp4"};
     String[] groups3 = new String[] {"grp5", "grp6"};
+    String[] admingroup1 = new String[] {"admgrp1"};
 
     UserGroupInformation currentUser = 
UserGroupInformation.createUserForTesting("currentUser", noGroups);
     UserGroupInformation user1 = 
UserGroupInformation.createUserForTesting("user1", groups1); // belongs to grp1 
and grp2
@@ -227,14 +242,19 @@ public class TestACLManager {
     UserGroupInformation user4 = 
UserGroupInformation.createUserForTesting("user4", noGroups);
     UserGroupInformation user5 = 
UserGroupInformation.createUserForTesting("user5", groups3); // belongs to grp5 
and grp6
     UserGroupInformation user6 = 
UserGroupInformation.createUserForTesting("user6", noGroups);
+    UserGroupInformation admuser1 = 
UserGroupInformation.createUserForTesting("admuser1", admingroup1);
+    UserGroupInformation admuser2 = 
UserGroupInformation.createUserForTesting("admuser2", noGroups);
 
     Configuration conf = new Configuration(false);
     // View ACLs: user1, user4, grp3, grp4.
     String viewACLs = "user1,user4,,   grp3,grp4  ";
     // Modify ACLs: user3, grp6, grp7
     String modifyACLs = "user3   grp6,grp7";
+    // YARN Admin ACLs: admuser1, admgrp1
+    String yarnAdminACLs = "admuser2,   admgrp1  ";
     conf.set(TezConfiguration.TEZ_AM_VIEW_ACLS, viewACLs);
     conf.set(TezConfiguration.TEZ_AM_MODIFY_ACLS, modifyACLs);
+    conf.set(YarnConfiguration.YARN_ADMIN_ACL, yarnAdminACLs);
 
     // DAG View ACLs: user1, user4, grp3, grp4.
     String dagViewACLs = "user6,   grp5  ";
@@ -256,6 +276,8 @@ public class TestACLManager {
     Assert.assertTrue(aclManager.checkAMViewAccess(user4));
     Assert.assertFalse(aclManager.checkAMViewAccess(user5));
     Assert.assertFalse(aclManager.checkAMViewAccess(user6));
+    Assert.assertTrue(aclManager.checkAMViewAccess(admuser1));
+    Assert.assertTrue(aclManager.checkAMViewAccess(admuser2));
 
     Assert.assertTrue(aclManager.checkAMModifyAccess(currentUser));
     Assert.assertFalse(aclManager.checkAMModifyAccess(dagUser));
@@ -265,6 +287,8 @@ public class TestACLManager {
     Assert.assertFalse(aclManager.checkAMModifyAccess(user4));
     Assert.assertTrue(aclManager.checkAMModifyAccess(user5));
     Assert.assertFalse(aclManager.checkAMModifyAccess(user6));
+    Assert.assertTrue(aclManager.checkAMModifyAccess(admuser1));
+    Assert.assertTrue(aclManager.checkAMModifyAccess(admuser2));
 
     Assert.assertTrue(aclManager.checkDAGViewAccess(currentUser));
     Assert.assertTrue(aclManager.checkDAGViewAccess(dagUser));
@@ -274,6 +298,8 @@ public class TestACLManager {
     Assert.assertTrue(aclManager.checkDAGViewAccess(user4));
     Assert.assertTrue(aclManager.checkDAGViewAccess(user5));
     Assert.assertTrue(aclManager.checkDAGViewAccess(user6));
+    Assert.assertTrue(aclManager.checkDAGViewAccess(admuser1));
+    Assert.assertTrue(aclManager.checkDAGViewAccess(admuser2));
 
     Assert.assertTrue(aclManager.checkDAGModifyAccess(currentUser));
     Assert.assertTrue(aclManager.checkDAGModifyAccess(dagUser));
@@ -283,6 +309,8 @@ public class TestACLManager {
     Assert.assertFalse(aclManager.checkDAGModifyAccess(user4));
     Assert.assertTrue(aclManager.checkDAGModifyAccess(user5));
     Assert.assertTrue(aclManager.checkDAGModifyAccess(user6));
+    Assert.assertTrue(aclManager.checkDAGModifyAccess(admuser1));
+    Assert.assertTrue(aclManager.checkDAGModifyAccess(admuser2));
 
   }
 
@@ -309,6 +337,26 @@ public class TestACLManager {
   }
 
   @Test(timeout = 5000)
+  public void testAdminWildCardCheck() {
+    Configuration conf = new Configuration(false);
+    String yarnAdminACLs = " *  ";
+    conf.set(YarnConfiguration.YARN_ADMIN_ACL, yarnAdminACLs);
+
+    UserGroupInformation a1 = UserGroupInformation.createUserForTesting("a1", 
noGroups);
+    UserGroupInformation u1 = UserGroupInformation.createUserForTesting("u1", 
noGroups);
+
+    ACLManager aclManager = new ACLManager(a1.getShortUserName(), conf);
+    Assert.assertTrue(aclManager.checkAMViewAccess(a1));
+    Assert.assertTrue(aclManager.checkAMViewAccess(u1));
+    Assert.assertTrue(aclManager.checkAMModifyAccess(a1));
+    Assert.assertTrue(aclManager.checkAMModifyAccess(u1));
+    Assert.assertTrue(aclManager.checkDAGViewAccess(a1));
+    Assert.assertTrue(aclManager.checkDAGViewAccess(u1));
+    Assert.assertTrue(aclManager.checkDAGModifyAccess(a1));
+    Assert.assertTrue(aclManager.checkDAGModifyAccess(u1));
+  }
+
+  @Test(timeout = 5000)
   public void testACLsDisabled() {
     Configuration conf = new Configuration(false);
     conf.setBoolean(TezConfiguration.TEZ_AM_ACLS_ENABLED, false);
