[jira] [Comment Edited] (YARN-9039) App ACLs are not validated when serving logs from LogWebService

Bibin A Chundatt (JIRA) Thu, 29 Nov 2018 06:07:54 -0800


    [ 
https://issues.apache.org/jira/browse/YARN-9039?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16703216#comment-16703216
 ]


Bibin A Chundatt edited comment on YARN-9039 at 11/29/18 2:05 PM:
------------------------------------------------------------------

[~suma.shivaprasad] Please find the explanation
{code:java}
  protected boolean checkAcls(Configuration conf, ApplicationId appId,
      String owner, Map<ApplicationAccessType, String> appAcls,
      String remoteUser) {
    ApplicationACLsManager aclsManager = new ApplicationACLsManager(
        conf);
    aclsManager.addApplication(appId, appAcls);

    UserGroupInformation callerUGI = null;
    if (remoteUser != null) {
      callerUGI = UserGroupInformation.createRemoteUser(remoteUser);
    }
    if (callerUGI != null && !aclsManager.checkAccess(callerUGI,
        ApplicationAccessType.VIEW_APP, owner, appId)) {
      return false;
    }
    return true;
  }
{code}
 * ApplicationACLsManager aclsManager = new ApplicationACLsManager(conf); – 
initialize adminACLManager
 * adminAclManager.<init>() – add _*Caller*_ to adminAcl list
{code:java}
      owner = UserGroupInformation.getCurrentUser();
      adminAcl.addUser(owner.getShortUserName());
{code}

 * aclsManager.checkAccess(callerUGI,ApplicationAccessType.VIEW_APP, owner, 
appId)) – checks adminAcl with _*caller*_ --> *true*
{code:java}
    if (this.adminAclsManager.isAdmin(callerUGI)
{code}


was (Author: bibinchundatt):
[~suma.shivaprasad]

{code}
  protected boolean checkAcls(Configuration conf, ApplicationId appId,
      String owner, Map<ApplicationAccessType, String> appAcls,
      String remoteUser) {
    ApplicationACLsManager aclsManager = new ApplicationACLsManager(
        conf);
    aclsManager.addApplication(appId, appAcls);

    UserGroupInformation callerUGI = null;
    if (remoteUser != null) {
      callerUGI = UserGroupInformation.createRemoteUser(remoteUser);
    }
    if (callerUGI != null && !aclsManager.checkAccess(callerUGI,
        ApplicationAccessType.VIEW_APP, owner, appId)) {
      return false;
    }
    return true;
  }
{code}

    ApplicationACLsManager aclsManager = new ApplicationACLsManager(
        conf); -- adds adminACLManager

> App ACLs are not validated when serving logs from LogWebService
> ---------------------------------------------------------------
>
>                 Key: YARN-9039
>                 URL: https://issues.apache.org/jira/browse/YARN-9039
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: log-aggregation
>            Reporter: Suma Shivaprasad
>            Assignee: Suma Shivaprasad
>            Priority: Critical
>         Attachments: YARN-9039.1.patch, YARN-9039.2.patch, YARN-9039.3.patch
>
>
> App Acls are not being validated while serving logs through REST and UI2 via 
> Log Webservice



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

[jira] [Comment Edited] (YARN-9039) App ACLs are not validated when serving logs from LogWebService

Reply via email to