big-data/hadoop
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

YARN-8630. ATSv2 REST APIs should honor filter-entity-list-by-user in non-secure cluster when ACls are enabled. Contributed by Rohith Sharma K S.

Browse Source
This commit is contained in:
Sunil G 2018-09-13 17:47:02 +05:30
parent e084627150
commit f4bda5e8e9
2 changed files with 10 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/main/java/org/apache/hadoop/yarn/server/timelineservice/reader/TimelineReaderWebServices.java
View File

@ -3532,9 +3532,9 @@ static boolean validateAuthUserWithEntityUser(
static boolean checkAccess(TimelineReaderManager readerManager, static boolean checkAccess(TimelineReaderManager readerManager,
UserGroupInformation ugi, String entityUser) { UserGroupInformation ugi, String entityUser) {
if (isDisplayEntityPerUserFilterEnabled(readerManager.getConfig())) { if (isDisplayEntityPerUserFilterEnabled(readerManager.getConfig())) {
if (ugi != null && !validateAuthUserWithEntityUser(readerManager, ugi, if (!validateAuthUserWithEntityUser(readerManager, ugi,
entityUser)) { entityUser)) {
String userName = ugi.getShortUserName(); String userName = ugi == null ? null : ugi.getShortUserName();
String msg = "User " + userName String msg = "User " + userName
+ " is not allowed to read TimelineService V2 data."; + " is not allowed to read TimelineService V2 data.";
throw new ForbiddenException(msg); throw new ForbiddenException(msg);

11
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/test/java/org/apache/hadoop/yarn/server/timelineservice/reader/TestTimelineReaderWebServicesBasicAcl.java
View File

@ -88,9 +88,14 @@ public class TestTimelineReaderWebServicesBasicAcl {
Assert.assertFalse(TimelineReaderWebServices Assert.assertFalse(TimelineReaderWebServices
.validateAuthUserWithEntityUser(manager, null, user1)); .validateAuthUserWithEntityUser(manager, null, user1));
// true because ugi is null // false because ugi is null in non-secure cluster. User must pass
Assert.assertTrue( // ?user.name as query params in REST end points.
TimelineReaderWebServices.checkAccess(manager, null, user1)); try {
TimelineReaderWebServices.checkAccess(manager, null, user1);
Assert.fail("user1Ugi is not allowed to view user1");
} catch (ForbiddenException e) {
// expected
}
// incoming ugi is admin asking for entity owner user1 // incoming ugi is admin asking for entity owner user1
Assert.assertTrue( Assert.assertTrue(