YARN-8630. ATSv2 REST APIs should honor filter-entity-list-by-user in non-secure cluster when ACls are enabled. Contributed by Rohith Sharma K S.

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/main/java/org/apache/hadoop/yarn/server/timelineservice/reader/TimelineReaderWebServices.java

@@ -3532,9 +3532,9 @@ static boolean validateAuthUserWithEntityUser(
   static boolean checkAccess(TimelineReaderManager readerManager,
       UserGroupInformation ugi, String entityUser) {
     if (isDisplayEntityPerUserFilterEnabled(readerManager.getConfig())) {
-      if (ugi != null && !validateAuthUserWithEntityUser(readerManager, ugi,
+      if (!validateAuthUserWithEntityUser(readerManager, ugi,
           entityUser)) {
-        String userName = ugi.getShortUserName();
+        String userName = ugi == null ? null : ugi.getShortUserName();
         String msg = "User " + userName
             + " is not allowed to read TimelineService V2 data.";
         throw new ForbiddenException(msg);

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/test/java/org/apache/hadoop/yarn/server/timelineservice/reader/TestTimelineReaderWebServicesBasicAcl.java

@@ -88,9 +88,14 @@ public class TestTimelineReaderWebServicesBasicAcl {
     Assert.assertFalse(TimelineReaderWebServices
         .validateAuthUserWithEntityUser(manager, null, user1));
 
-    // true because ugi is null
-    Assert.assertTrue(
-        TimelineReaderWebServices.checkAccess(manager, null, user1));
+    // false because ugi is null in non-secure cluster. User must pass
+    // ?user.name as query params in REST end points.
+    try {
+      TimelineReaderWebServices.checkAccess(manager, null, user1);
+      Assert.fail("user1Ugi is not allowed to view user1");
+    } catch (ForbiddenException e) {
+      // expected
+    }
 
     // incoming ugi is admin asking for entity owner user1
     Assert.assertTrue(