YARN-8630. ATSv2 REST APIs should honor filter-entity-list-by-user in non-secure cluster when ACls are enabled. Contributed by Rohith Sharma K S.
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/f4bda5e8
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/f4bda5e8
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/f4bda5e8
Branch: refs/heads/HDFS-12943
Commit: f4bda5e8e9fee6c5a0dda7c79ef14e73aec20e7e
Parents: e084627
Author: Sunil G <[email protected]>
Authored: Thu Sep 13 17:47:02 2018 +0530
Committer: Sunil G <[email protected]>
Committed: Thu Sep 13 17:47:21 2018 +0530
----------------------------------------------------------------------
.../reader/TimelineReaderWebServices.java | 4 ++--
.../reader/TestTimelineReaderWebServicesBasicAcl.java | 11 ++++++++---
2 files changed, 10 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hadoop/blob/f4bda5e8/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/main/java/org/apache/hadoop/yarn/server/timelineservice/reader/TimelineReaderWebServices.java
----------------------------------------------------------------------
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/main/java/org/apache/hadoop/yarn/server/timelineservice/reader/TimelineReaderWebServices.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/main/java/org/apache/hadoop/yarn/server/timelineservice/reader/TimelineReaderWebServices.java
index b10b705..3a4ea2e 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/main/java/org/apache/hadoop/yarn/server/timelineservice/reader/TimelineReaderWebServices.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/main/java/org/apache/hadoop/yarn/server/timelineservice/reader/TimelineReaderWebServices.java
@@ -3532,9 +3532,9 @@ public class TimelineReaderWebServices {
 static boolean checkAccess(TimelineReaderManager readerManager, UserGroupInformation ugi, String entityUser) {
 if (isDisplayEntityPerUserFilterEnabled(readerManager.getConfig())) {
- if (ugi != null && !validateAuthUserWithEntityUser(readerManager, ugi,
+ if (!validateAuthUserWithEntityUser(readerManager, ugi,
 entityUser)) {
- String userName = ugi.getShortUserName();
+ String userName = ugi == null ? null : ugi.getShortUserName();
 String msg = "User " + userName + " is not allowed to read TimelineService V2 data.";
 throw new ForbiddenException(msg);
http://git-wip-us.apache.org/repos/asf/hadoop/blob/f4bda5e8/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/test/java/org/apache/hadoop/yarn/server/timelineservice/reader/TestTimelineReaderWebServicesBasicAcl.java
----------------------------------------------------------------------
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/test/java/org/apache/hadoop/yarn/server/timelineservice/reader/TestTimelineReaderWebServicesBasicAcl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/test/java/org/apache/hadoop/yarn/server/timelineservice/reader/TestTimelineReaderWebServicesBasicAcl.java
index 6651457..6ad4427 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/test/java/org/apache/hadoop/yarn/server/timelineservice/reader/TestTimelineReaderWebServicesBasicAcl.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/test/java/org/apache/hadoop/yarn/server/timelineservice/reader/TestTimelineReaderWebServicesBasicAcl.java
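Review bot: In `checkAccess` (TimelineReaderWebServices.java), a null `ugi` now produces the response text "User null is not allowed to read TimelineService V2 data.", which does not tell an unauthenticated caller what is missing. I would give that case its own wording, for example `String userName = ugi == null ? "(unauthenticated)" : ugi.getShortUserName();`, or have the message mention the `user.name` query parameter that the updated test comment refers to. A comment above the check would also record the intent: `// Deny by default: a request without a caller identity must not bypass the per-user filter.` In a non-secure cluster that identity is presumably whatever the client supplies in `user.name`, so the filter is better documented as a visibility control than as authentication. The body of `checkAccess` continues past the end of the hunk.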
@@ -88,9 +88,14 @@ public class TestTimelineReaderWebServicesBasicAcl {
 Assert.assertFalse(TimelineReaderWebServices .validateAuthUserWithEntityUser(manager, null, user1));
- // true because ugi is null
- Assert.assertTrue(
- TimelineReaderWebServices.checkAccess(manager, null, user1));
+ // false because ugi is null in non-secure cluster. User must pass
+ // ?user.name as query params in REST end points.
+ try {
+ TimelineReaderWebServices.checkAccess(manager, null, user1);
+ Assert.fail("user1Ugi is not allowed to view user1");
+ } catch (ForbiddenException e) {
+ // expected
+ }
 // incoming ugi is admin asking for entity owner user1
 Assert.assertTrue(
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
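Review bot: The failure text in `Assert.fail("user1Ugi is not allowed to view user1")` names `user1Ugi`, but the call under test passes a null `ugi`, so a failing run would point at the wrong case. I would change it to `Assert.fail("checkAccess must throw ForbiddenException when ugi is null");`. The new comment says "false", yet `checkAccess` signals denial by throwing; `// denied with ForbiddenException because ugi is null in non-secure cluster.` would match what the try/catch verifies. The test method starts and ends outside the hunk.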
