diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/JobACLsManager.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/JobACLsManager.java index 7373f7a1b6..1761500ff4 100644 --- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/JobACLsManager.java +++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/JobACLsManager.java @@ -117,7 +117,7 @@ public boolean checkAccess(UserGroupInformation callerUGI, // Allow Job-owner for any operation on the job if (isMRAdmin(callerUGI) || user.equals(jobOwner) - || jobACL.isUserAllowed(callerUGI)) { + || (null != jobACL && jobACL.isUserAllowed(callerUGI))) { return true; } diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/webapp/HsJobsBlock.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/webapp/HsJobsBlock.java index 3f4daf937d..6a83ac2625 100644 --- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/webapp/HsJobsBlock.java +++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/webapp/HsJobsBlock.java @@ -23,12 +23,12 @@ import org.apache.commons.text.StringEscapeUtils; import org.apache.hadoop.conf.Configuration; -import org.apache.hadoop.mapreduce.MRConfig; +import org.apache.hadoop.mapred.JobACLsManager; +import org.apache.hadoop.mapreduce.JobACL; import org.apache.hadoop.mapreduce.v2.app.AppContext; import org.apache.hadoop.mapreduce.v2.app.job.Job; import org.apache.hadoop.mapreduce.v2.hs.webapp.dao.JobInfo; import org.apache.hadoop.security.UserGroupInformation; -import org.apache.hadoop.security.authorize.AccessControlList; import org.apache.hadoop.util.StringUtils; import org.apache.hadoop.yarn.conf.YarnConfiguration; import org.apache.hadoop.yarn.util.Times; @@ -49,8 +49,7 @@ public class HsJobsBlock extends HtmlBlock { new SimpleDateFormat("yyyy.MM.dd HH:mm:ss z"); private UserGroupInformation ugi; private boolean isFilterAppListByUserEnabled; - private boolean areAclsEnabled; - private AccessControlList adminAclList; + private JobACLsManager aclsManager; @Inject HsJobsBlock(Configuration conf, AppContext appCtx, ViewContext ctx) { @@ -58,8 +57,7 @@ public class HsJobsBlock extends HtmlBlock { appContext = appCtx; isFilterAppListByUserEnabled = conf .getBoolean(YarnConfiguration.FILTER_ENTITY_LIST_BY_USER, false); - areAclsEnabled = conf.getBoolean(MRConfig.MR_ACLS_ENABLED, false); - adminAclList = new AccessControlList(conf.get(MRConfig.MR_ADMINS, " ")); + aclsManager = new JobACLsManager(conf); } /* @@ -94,8 +92,8 @@ public class HsJobsBlock extends HtmlBlock { JobInfo job = new JobInfo(j); ugi = getCallerUGI(); // Allow to list only per-user apps if incoming ugi has permission. - if (isFilterAppListByUserEnabled && ugi != null - && !checkAccess(job.getUserName())) { + if (isFilterAppListByUserEnabled && ugi != null && !aclsManager + .checkAccess(ugi, JobACL.VIEW_JOB, job.getUserName(), null)) { continue; } jobsTableData.append("[\"") @@ -160,21 +158,4 @@ public class HsJobsBlock extends HtmlBlock { __(). __(); } - - private boolean checkAccess(String userName) { - if(!areAclsEnabled) { - return true; - } - - // User could see its own job. - if (ugi.getShortUserName().equals(userName)) { - return true; - } - - // Admin could also see all jobs - if (adminAclList != null && adminAclList.isUserAllowed(ugi)) { - return true; - } - return false; - } }