This is an automated email from the ASF dual-hosted git repository. brahma pushed a commit to branch branch-3.3 in repository https://gitbox.apache.org/repos/asf/hadoop.git
The following commit(s) were added to refs/heads/branch-3.3 by this push: new e079aaa MAPREDUCE-7199. HsJobsBlock reuse JobACLsManager for checkAccess. Contributed by Bilwa S T e079aaa is described below commit e079aaa8200d840c522e391b650d2b8e833ece89 Author: Surendra Singh Lilhore <surendralilh...@apache.org> AuthorDate: Sat Apr 18 19:42:20 2020 +0530 MAPREDUCE-7199. HsJobsBlock reuse JobACLsManager for checkAccess. Contributed by Bilwa S T (cherry picked from commit a1b0697d379d33223ec1a46dfef31d6d226169bb) --- .../org/apache/hadoop/mapred/JobACLsManager.java | 2 +- .../hadoop/mapreduce/v2/hs/webapp/HsJobsBlock.java | 31 +++++----------------- 2 files changed, 7 insertions(+), 26 deletions(-) diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/JobACLsManager.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/JobACLsManager.java index 7373f7a..1761500 100644 --- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/JobACLsManager.java +++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/JobACLsManager.java @@ -117,7 +117,7 @@ public class JobACLsManager { // Allow Job-owner for any operation on the job if (isMRAdmin(callerUGI) || user.equals(jobOwner) - || jobACL.isUserAllowed(callerUGI)) { + || (null != jobACL && jobACL.isUserAllowed(callerUGI))) { return true; } diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/webapp/HsJobsBlock.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/webapp/HsJobsBlock.java index 3f4daf9..6a83ac2 100644 --- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/webapp/HsJobsBlock.java +++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/webapp/HsJobsBlock.java @@ -23,12 +23,12 @@ import java.util.Date; import org.apache.commons.text.StringEscapeUtils; import org.apache.hadoop.conf.Configuration; -import org.apache.hadoop.mapreduce.MRConfig; +import org.apache.hadoop.mapred.JobACLsManager; +import org.apache.hadoop.mapreduce.JobACL; import org.apache.hadoop.mapreduce.v2.app.AppContext; import org.apache.hadoop.mapreduce.v2.app.job.Job; import org.apache.hadoop.mapreduce.v2.hs.webapp.dao.JobInfo; import org.apache.hadoop.security.UserGroupInformation; -import org.apache.hadoop.security.authorize.AccessControlList; import org.apache.hadoop.util.StringUtils; import org.apache.hadoop.yarn.conf.YarnConfiguration; import org.apache.hadoop.yarn.util.Times; @@ -49,8 +49,7 @@ public class HsJobsBlock extends HtmlBlock { new SimpleDateFormat("yyyy.MM.dd HH:mm:ss z"); private UserGroupInformation ugi; private boolean isFilterAppListByUserEnabled; - private boolean areAclsEnabled; - private AccessControlList adminAclList; + private JobACLsManager aclsManager; @Inject HsJobsBlock(Configuration conf, AppContext appCtx, ViewContext ctx) { @@ -58,8 +57,7 @@ public class HsJobsBlock extends HtmlBlock { appContext = appCtx; isFilterAppListByUserEnabled = conf .getBoolean(YarnConfiguration.FILTER_ENTITY_LIST_BY_USER, false); - areAclsEnabled = conf.getBoolean(MRConfig.MR_ACLS_ENABLED, false); - adminAclList = new AccessControlList(conf.get(MRConfig.MR_ADMINS, " ")); + aclsManager = new JobACLsManager(conf); } /* @@ -94,8 +92,8 @@ public class HsJobsBlock extends HtmlBlock { JobInfo job = new JobInfo(j); ugi = getCallerUGI(); // Allow to list only per-user apps if incoming ugi has permission. - if (isFilterAppListByUserEnabled && ugi != null - && !checkAccess(job.getUserName())) { + if (isFilterAppListByUserEnabled && ugi != null && !aclsManager + .checkAccess(ugi, JobACL.VIEW_JOB, job.getUserName(), null)) { continue; } jobsTableData.append("[\"") @@ -160,21 +158,4 @@ public class HsJobsBlock extends HtmlBlock { __(). __(); } - - private boolean checkAccess(String userName) { - if(!areAclsEnabled) { - return true; - } - - // User could see its own job. - if (ugi.getShortUserName().equals(userName)) { - return true; - } - - // Admin could also see all jobs - if (adminAclList != null && adminAclList.isUserAllowed(ugi)) { - return true; - } - return false; - } } --------------------------------------------------------------------- To unsubscribe, e-mail: common-commits-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-commits-h...@hadoop.apache.org