MAPREDUCE-7199. HsJobsBlock reuse JobACLsManager for checkAccess. Contributed by Bilwa S T

Surendra Singh Lilhore 2020-04-18 19:42:20 +05:30
parent 92b28e38b7
commit a1b0697d37
2 changed files with 7 additions and 26 deletions


@ -117,7 +117,7 @@ public boolean checkAccess(UserGroupInformation callerUGI,
// Allow Job-owner for any operation on the job // Allow Job-owner for any operation on the job
if (isMRAdmin(callerUGI) if (isMRAdmin(callerUGI)
|| user.equals(jobOwner) || user.equals(jobOwner)
|| jobACL.isUserAllowed(callerUGI)) { || (null != jobACL && jobACL.isUserAllowed(callerUGI))) {
return true; return true;
} }
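Review bot: The new `null != jobACL` guard makes a null ACL a supported input to checkAccess, but nothing in the visible lines documents what null means. A caller that is neither an MR admin nor the job owner now skips the ACL test and falls through to whatever follows this `if`, which lies outside the hunk and is presumably a deny. I would say so on the condition, e.g. `// jobACL may be null when the caller has no per-job ACL to pass; then only MR admins and the job owner are allowed`, and repeat it in the method's Javadoc for the `jobACL` parameter. checkAccess starts and ends outside the hunk.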


@ -23,12 +23,12 @@
import org.apache.commons.text.StringEscapeUtils; import org.apache.commons.text.StringEscapeUtils;
import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.mapreduce.MRConfig; import org.apache.hadoop.mapred.JobACLsManager;
import org.apache.hadoop.mapreduce.JobACL;
import org.apache.hadoop.mapreduce.v2.app.AppContext; import org.apache.hadoop.mapreduce.v2.app.AppContext;
import org.apache.hadoop.mapreduce.v2.app.job.Job; import org.apache.hadoop.mapreduce.v2.app.job.Job;
import org.apache.hadoop.mapreduce.v2.hs.webapp.dao.JobInfo; import org.apache.hadoop.mapreduce.v2.hs.webapp.dao.JobInfo;
import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AccessControlList;
import org.apache.hadoop.util.StringUtils; import org.apache.hadoop.util.StringUtils;
import org.apache.hadoop.yarn.conf.YarnConfiguration; import org.apache.hadoop.yarn.conf.YarnConfiguration;
import org.apache.hadoop.yarn.util.Times; import org.apache.hadoop.yarn.util.Times;
@ -49,8 +49,7 @@ public class HsJobsBlock extends HtmlBlock {
new SimpleDateFormat("yyyy.MM.dd HH:mm:ss z"); new SimpleDateFormat("yyyy.MM.dd HH:mm:ss z");
private UserGroupInformation ugi; private UserGroupInformation ugi;
private boolean isFilterAppListByUserEnabled; private boolean isFilterAppListByUserEnabled;
private boolean areAclsEnabled; private JobACLsManager aclsManager;
private AccessControlList adminAclList;
@Inject @Inject
HsJobsBlock(Configuration conf, AppContext appCtx, ViewContext ctx) { HsJobsBlock(Configuration conf, AppContext appCtx, ViewContext ctx) {
@ -58,8 +57,7 @@ public class HsJobsBlock extends HtmlBlock {
appContext = appCtx; appContext = appCtx;
isFilterAppListByUserEnabled = conf isFilterAppListByUserEnabled = conf
.getBoolean(YarnConfiguration.FILTER_ENTITY_LIST_BY_USER, false); .getBoolean(YarnConfiguration.FILTER_ENTITY_LIST_BY_USER, false);
areAclsEnabled = conf.getBoolean(MRConfig.MR_ACLS_ENABLED, false); aclsManager = new JobACLsManager(conf);
adminAclList = new AccessControlList(conf.get(MRConfig.MR_ADMINS, " "));
} }
/* /*
@ -94,8 +92,8 @@ public class HsJobsBlock extends HtmlBlock {
JobInfo job = new JobInfo(j); JobInfo job = new JobInfo(j);
ugi = getCallerUGI(); ugi = getCallerUGI();
// Allow to list only per-user apps if incoming ugi has permission. // Allow to list only per-user apps if incoming ugi has permission.
if (isFilterAppListByUserEnabled && ugi != null if (isFilterAppListByUserEnabled && ugi != null && !aclsManager
&& !checkAccess(job.getUserName())) { .checkAccess(ugi, JobACL.VIEW_JOB, job.getUserName(), null)) {
continue; continue;
} }
jobsTableData.append("[\"") jobsTableData.append("[\"")
@ -160,21 +158,4 @@ public class HsJobsBlock extends HtmlBlock {
__(). __().
__(); __();
} }
private boolean checkAccess(String userName) {
if(!areAclsEnabled) {
return true;
}
// User could see its own job.
if (ugi.getShortUserName().equals(userName)) {
return true;
}
// Admin could also see all jobs
if (adminAclList != null && adminAclList.isUserAllowed(ugi)) {
return true;
}
return false;
}
} }
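Review bot: With `isFilterAppListByUserEnabled` set, the `ugi != null` term in the filter condition still lets a request with no caller identity skip the access check, so every job is appended to the table. The commit keeps that term unchanged and only swaps the private helper for `aclsManager.checkAccess(...)`. If `getCallerUGI()` can return null while the filter is on (its body is not on this page), the listing should fail closed: `if (isFilterAppListByUserEnabled && (ugi == null || !aclsManager.checkAccess(ugi, JobACL.VIEW_JOB, job.getUserName(), null))) {`. Passing `null` as the job ACL also means a user granted view access only through a job's own view ACL is not shown that job, so a one-line comment at the call saying this is intended would help. The enclosing loop starts outside the hunk.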