[
https://issues.apache.org/jira/browse/YARN-6937?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
YunFan Zhou updated YARN-6937:
------------------------------
Description:
When I post entities to the timeline server, I found that it throws the following
exception:
{code:java}
org.apache.hadoop.yarn.server.timeline.security.TimelineACLsManager.checkAccess(TimelineACLsManager.java:123)
at org.apache.hadoop.yarn.server.timeline.TimelineDataManager.postEntities(TimelineDataManager.java:273)
at org.apache.hadoop.yarn.server.timeline.webapp.TimelineWebServices.postEntities(TimelineWebServices.java:260)
at sun.reflect.GeneratedMethodAccessor31.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
{code}
In TimelineACLsManager#checkAccess logic:
{code:java}
public boolean checkAccess(UserGroupInformation callerUGI,
    ApplicationAccessType applicationAccessType,
    TimelineEntity entity) throws YarnException, IOException {
  if (LOG.isDebugEnabled()) {
    LOG.debug("Verifying the access of "
        + (callerUGI == null ? null : callerUGI.getShortUserName())
        + " on the timeline entity "
        + new EntityIdentifier(entity.getEntityId(), entity.getEntityType()));
  }
  if (!adminAclsManager.areACLsEnabled()) {
    return true;
  }
  // find domain owner and acls
  AccessControlListExt aclExt = aclExts.get(entity.getDomainId());
  if (aclExt == null) {
    aclExt = loadDomainFromTimelineStore(entity.getDomainId());
  }
  if (aclExt == null) {
    throw new YarnException("Domain information of the timeline entity "
        + new EntityIdentifier(entity.getEntityId(), entity.getEntityType())
        + " doesn't exist.");
  }
{code}
Even if you're an administrator, you don't have any permission to do this.
I think it's perfectly fine to do the follow-up checks even though the value of *aclExt* is
null:
{code:java}
if (callerUGI != null
    && (adminAclsManager.isAdmin(callerUGI) ||
        callerUGI.getShortUserName().equals(owner) ||
        domainACL.isUserAllowed(callerUGI))) {
  return true;
}
return false;
{code}
Any suggestions?
> Admin cannot post entities when domain is not exists
> ----------------------------------------------------
>
> Key: YARN-6937
> URL: https://issues.apache.org/jira/browse/YARN-6937
> Project: Hadoop YARN
> Issue Type: Bug
> Reporter: YunFan Zhou
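An added sketch, not Hadoop's code and not a proposed patch, of the ordering the report asks about: the admin check runs before the domain lookup, while a missing domain still raises for every other caller. It assumes ACLs are enabled and that the owner and domain ACL are read from the domain record; `DomainAclCheckSketch`, `DomainAcl` and `DomainNotFoundException` are hypothetical stand-ins for the Hadoop types.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Added illustration with stand-in types; none of these are Hadoop classes.
public class DomainAclCheckSketch {
    // Hypothetical stand-in for the cached domain record (owner plus allowed users).
    record DomainAcl(String owner, Set<String> allowedUsers) {}

    static class DomainNotFoundException extends Exception {
        DomainNotFoundException(String msg) { super(msg); }
    }

    private final Set<String> admins;
    private final Map<String, DomainAcl> domains = new HashMap<>();

    DomainAclCheckSketch(Set<String> admins) { this.admins = admins; }

    void putDomain(String id, DomainAcl acl) { domains.put(id, acl); }

    // Admin membership is decided before the domain lookup, so a missing
    // domain no longer hides it. Every other caller still gets the exception,
    // because owner and ACL cannot be evaluated without a domain record.
    boolean checkAccess(String caller, String domainId) throws DomainNotFoundException {
        if (caller != null && admins.contains(caller)) {
            return true;
        }
        DomainAcl acl = domains.get(domainId);
        if (acl == null) {
            throw new DomainNotFoundException("Domain " + domainId + " doesn't exist.");
        }
        return caller != null
            && (caller.equals(acl.owner()) || acl.allowedUsers().contains(caller));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: one admin, one domain with an owner and one allowed user.
        DomainAclCheckSketch m = new DomainAclCheckSketch(Set.of("yarn-admin"));
        m.putDomain("d1", new DomainAcl("alice", Set.of("bob")));
        System.out.println(m.checkAccess("yarn-admin", "missing")); // admin, domain absent
        System.out.println(m.checkAccess("bob", "d1"));             // member of the domain ACL
        System.out.println(m.checkAccess("carol", "d1"));           // neither owner nor member
        try {
            m.checkAccess("carol", "missing");                      // non-admin, domain absent
        } catch (DomainNotFoundException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```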