[jira] [Commented] (MAPREDUCE-7293) All pages in JHS should honor yarn.webapp.filter-entity-list-by-user

Sat, 22 Aug 2020 01:04:15 -0700 


    [ 
https://issues.apache.org/jira/browse/MAPREDUCE-7293?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17182270#comment-17182270
 ] 

Bilwa S T commented on MAPREDUCE-7293:
--------------------------------------

Hi [~sunilg]

I analysed this again and found that there is already checkAccess happening for 
all this pages in AppController#checkAccess. this will be called whenever 
getJob, getTask, getTasks calls are made. This works fine when AM is running 
but for JHS this is currently not working as jobACL info in below code is 
coming as null. This is an issue even in case of REST api calls. As checkAccess 
calls are being made from REST call too. I think solving jobACL issue would 
solve this problem. Hence no need to again add this to all other pages
{code:java}
@Override
 public
 boolean checkAccess(UserGroupInformation callerUGI, JobACL jobOperation) {
 Map<JobACL, AccessControlList> jobACLs = jobInfo.getJobACLs();
 AccessControlList jobACL = jobACLs.get(jobOperation);
 if (jobACL == null) {
 return true;
 }
 return aclsMgr.checkAccess(callerUGI, jobOperation, 
 jobInfo.getUsername(), jobACL);
 }{code}
Thanks for taking a look at this.

> All pages in JHS should honor yarn.webapp.filter-entity-list-by-user
> --------------------------------------------------------------------
>
>                 Key: MAPREDUCE-7293
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-7293
>             Project: Hadoop Map/Reduce
>          Issue Type: Bug
>          Components: jobhistoryserver
>            Reporter: Bilwa S T
>            Assignee: Bilwa S T
>            Priority: Major
>
> Currently only HsJobsBlock checks for the access. If user who doesn't have 
> permission to access job page is able to do it which is wrong. So we need to 
> have below check in HsJobBlock,HsTasksBlock and HsTaskPage
> {code:java}
>       if (isFilterAppListByUserEnabled && ugi != null && !aclsManager
>           .checkAccess(ugi, JobACL.VIEW_JOB, job.getUserName(), null)) {
>         
>       }
> {code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to