From b3b0e332e6d023052d7bf96c7c1f82abab939e03 Mon Sep 17 00:00:00 2001
From: Rohith Sharma K S
Date: Wed, 20 Mar 2019 21:24:31 +0530
Subject: [PATCH] YARN-9299. TestTimelineReaderWhitelistAuthorizationFilter ignores Http Errors. Contributed by Prabhu Joseph.
---
 ...ineReaderWhitelistAuthorizationFilter.java | 58 +++++++++++++++----
 1 file changed, 46 insertions(+), 12 deletions(-)
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/test/java/org/apache/hadoop/yarn/server/timelineservice/reader/TestTimelineReaderWhitelistAuthorizationFilter.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/test/java/org/apache/hadoop/yarn/server/timelineservice/reader/TestTimelineReaderWhitelistAuthorizationFilter.java
index 9ab9b27762..576699d12b 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/test/java/org/apache/hadoop/yarn/server/timelineservice/reader/TestTimelineReaderWhitelistAuthorizationFilter.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/test/java/org/apache/hadoop/yarn/server/timelineservice/reader/TestTimelineReaderWhitelistAuthorizationFilter.java
@@ -21,6 +21,8 @@
 import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
 import java.io.IOException;
 import java.security.Principal;
@@ -93,15 +95,19 @@ public void checkFilterAllowedUser() throws ServletException, IOException {
 FilterConfig fc = new DummyFilterConfig(map);
 f.init(fc);
 HttpServletRequest mockHsr = Mockito.mock(HttpServletRequest.class);
+ String userName = "user1";
 Mockito.when(mockHsr.getUserPrincipal()).thenReturn(new Principal() {
 @Override
 public String getName() {
- return "user1";
+ return userName;
 }
 });
 HttpServletResponse r = Mockito.mock(HttpServletResponse.class);
 f.doFilter(mockHsr, r, null);
+ String msg = "User " + userName
+ + " is not allowed to read TimelineService V2 data.";
+ verify(r, times(0)).sendError(HttpServletResponse.SC_FORBIDDEN, msg);
 }
 @Test
@@ -143,15 +149,16 @@ public void checkFilterAllowedUserGroup()
 FilterConfig fc = new DummyFilterConfig(map);
 f.init(fc);
 HttpServletRequest mockHsr = Mockito.mock(HttpServletRequest.class);
+ String userName = "user1";
 Mockito.when(mockHsr.getUserPrincipal()).thenReturn(new Principal() {
 @Override
 public String getName() {
- return "user1";
+ return userName;
 }
 });
 HttpServletResponse r = Mockito.mock(HttpServletResponse.class);
 UserGroupInformation user1 =
- UserGroupInformation.createUserForTesting("user1", GROUP_NAMES);
+ UserGroupInformation.createUserForTesting(userName, GROUP_NAMES);
 user1.doAs(new PrivilegedExceptionAction() {
 @Override
 public Object run() throws Exception {
@@ -159,6 +166,9 @@ public Object run() throws Exception {
 return null;
 }
 });
+ String msg = "User " + userName
+ + " is not allowed to read TimelineService V2 data.";
+ verify(r, times(0)).sendError(HttpServletResponse.SC_FORBIDDEN, msg);
 }
 @Test
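Review bot: The added `verify(r, times(0)).sendError(HttpServletResponse.SC_FORBIDDEN, msg)` at the end of checkFilterAllowedUser only fails when the filter sends a 403 with exactly that message string, so a rejection with a different status code or a reworded message still passes. For a test guarding the allow path of an authorization filter, asserting that no error was sent at all is tighter, e.g. `verify(r, never()).sendError(anyInt(), anyString());` with `never`, `anyInt` and `anyString` statically imported from Mockito. The same assertion is repeated in checkFilterAllowedUserGroup and in the later hunks for checkFilterAllowAdmins, checkFilterAllowAdminsWhenNoUsersSet and the two checkFilterReadAuthDisabled tests. Both method bodies here start outside their hunks.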
@@ -210,15 +220,16 @@ public void checkFilterAllowAdmins()
 FilterConfig fc = new DummyFilterConfig(map);
 f.init(fc);
 HttpServletRequest mockHsr = Mockito.mock(HttpServletRequest.class);
+ String userName = "user90";
 Mockito.when(mockHsr.getUserPrincipal()).thenReturn(new Principal() {
 @Override
 public String getName() {
- return "user90";
+ return userName;
 }
 });
 HttpServletResponse r = Mockito.mock(HttpServletResponse.class);
 UserGroupInformation user1 =
- UserGroupInformation.createUserForTesting("user90", GROUP_NAMES);
+ UserGroupInformation.createUserForTesting(userName, GROUP_NAMES);
 user1.doAs(new PrivilegedExceptionAction() {
 @Override
 public Object run() throws Exception {
@@ -226,6 +237,9 @@ public Object run() throws Exception {
 return null;
 }
 });
+ String msg = "User " + userName
+ + " is not allowed to read TimelineService V2 data.";
+ verify(r, times(0)).sendError(HttpServletResponse.SC_FORBIDDEN, msg);
 }
 @Test
@@ -240,15 +254,16 @@ public void checkFilterAllowAdminsWhenNoUsersSet()
 FilterConfig fc = new DummyFilterConfig(map);
 f.init(fc);
 HttpServletRequest mockHsr = Mockito.mock(HttpServletRequest.class);
+ String userName = "user90";
 Mockito.when(mockHsr.getUserPrincipal()).thenReturn(new Principal() {
 @Override
 public String getName() {
- return "user90";
+ return userName;
 }
 });
 HttpServletResponse r = Mockito.mock(HttpServletResponse.class);
 UserGroupInformation user1 =
- UserGroupInformation.createUserForTesting("user90", GROUP_NAMES);
+ UserGroupInformation.createUserForTesting(userName, GROUP_NAMES);
 user1.doAs(new PrivilegedExceptionAction() {
 @Override
 public Object run() throws Exception {
@@ -256,6 +271,9 @@ public Object run() throws Exception {
 return null;
 }
 });
+ String msg = "User " + userName
+ + " is not allowed to read TimelineService V2 data.";
+ verify(r, times(0)).sendError(HttpServletResponse.SC_FORBIDDEN, msg);
 }
 @Test
@@ -303,15 +321,16 @@ public void checkFilterReadAuthDisabledNoAclSettings()
 FilterConfig fc = new DummyFilterConfig(map);
 f.init(fc);
 HttpServletRequest mockHsr = Mockito.mock(HttpServletRequest.class);
+ String userName = "user437";
 Mockito.when(mockHsr.getUserPrincipal()).thenReturn(new Principal() {
 @Override
 public String getName() {
- return "user437";
+ return userName;
 }
 });
 HttpServletResponse r = Mockito.mock(HttpServletResponse.class);
 UserGroupInformation user1 =
- UserGroupInformation.createUserForTesting("user437", GROUP_NAMES);
+ UserGroupInformation.createUserForTesting(userName, GROUP_NAMES);
 user1.doAs(new PrivilegedExceptionAction() {
 @Override
 public Object run() throws Exception {
@@ -319,6 +338,9 @@ public Object run() throws Exception {
 return null;
 }
 });
+ String msg = "User " + userName
+ + " is not allowed to read TimelineService V2 data.";
+ verify(r, times(0)).sendError(HttpServletResponse.SC_FORBIDDEN, msg);
 }
 @Test
@@ -336,6 +358,7 @@ public void checkFilterReadAuthDisabledButAclSettingsPopulated()
 f.init(fc);
 HttpServletRequest mockHsr = mock(HttpServletRequest.class);
+ String userName = "user37";
 when(mockHsr.getUserPrincipal()).thenReturn(new Principal() {
 @Override
 public String getName() {
@@ -348,7 +371,7 @@ public String getName() {
 // both username and group name are not part of admin and
 // read allowed users
 // but read auth is turned off
- UserGroupInformation.createUserForTesting("user37", GROUP_NAMES);
+ UserGroupInformation.createUserForTesting(userName, GROUP_NAMES);
 user1.doAs(new PrivilegedExceptionAction() {
 @Override
 public Object run() throws Exception {
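Review bot: In the checkFilterReadAuthDisabledButAclSettingsPopulated hunk, `userName` is introduced but the anonymous Principal's `getName()` body lies outside the hunk and is not touched, so the mocked principal's name and `userName` appear to remain two separately maintained values. Because `userName` is reassigned later in this method, it cannot be captured by the anonymous class the way the other tests do. A separate `final String` per case would keep the principal, the UGI and the expected message tied to one value. At minimum the declaration deserves a comment such as `// must match the name returned by the mocked Principal below`.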
@@ -356,8 +379,12 @@ public Object run() throws Exception {
 return null;
 }
 });
+ String msg = "User " + userName
+ + " is not allowed to read TimelineService V2 data.";
+ verify(r, times(0)).sendError(HttpServletResponse.SC_FORBIDDEN, msg);
 // test with username in read allowed users
+ userName = "user27";
 Mockito.when(mockHsr.getUserPrincipal()).thenReturn(new Principal() {
 @Override
 public String getName() {
@@ -366,7 +393,7 @@ public String getName() {
 });
 HttpServletResponse r2 = Mockito.mock(HttpServletResponse.class);
 UserGroupInformation user2 =
- UserGroupInformation.createUserForTesting("user27", GROUP_NAMES);
+ UserGroupInformation.createUserForTesting(userName, GROUP_NAMES);
 user2.doAs(new PrivilegedExceptionAction() {
 @Override
 public Object run() throws Exception {
@@ -374,8 +401,12 @@ public Object run() throws Exception {
 return null;
 }
 });
+ msg = "User " + userName
+ + " is not allowed to read TimelineService V2 data.";
+ verify(r, times(0)).sendError(HttpServletResponse.SC_FORBIDDEN, msg);
 // test with username in admin users
+ userName = "user2";
 Mockito.when(mockHsr.getUserPrincipal()).thenReturn(new Principal() {
 @Override
 public String getName() {
@@ -384,7 +415,7 @@ public String getName() {
 });
 HttpServletResponse r3 = Mockito.mock(HttpServletResponse.class);
 UserGroupInformation user3 =
- UserGroupInformation.createUserForTesting("user2", GROUP_NAMES);
+ UserGroupInformation.createUserForTesting(userName, GROUP_NAMES);
 user3.doAs(new PrivilegedExceptionAction() {
 @Override
 public Object run() throws Exception {
@@ -392,5 +423,8 @@ public Object run() throws Exception {
 return null;
 }
 });
+ msg = "User " + userName
+ + " is not allowed to read TimelineService V2 data.";
+ verify(r, times(0)).sendError(HttpServletResponse.SC_FORBIDDEN, msg);
 }
 }
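Review bot: The second and third assertions in checkFilterReadAuthDisabledButAclSettingsPopulated verify the wrong mock: after the `user2.doAs` and `user3.doAs` blocks the code still calls `verify(r, times(0))...`, while those cases create `r2` and `r3`. The doFilter calls are outside the hunks, but if they pass `r2` and `r3` as the declarations suggest, these two checks can never fail and a 403 for user27 or user2 would go unnoticed. They should read `verify(r2, times(0)).sendError(HttpServletResponse.SC_FORBIDDEN, msg);` and `verify(r3, times(0)).sendError(HttpServletResponse.SC_FORBIDDEN, msg);`.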