YARN-8415. TimelineWebServices.getEntity should throw ForbiddenException instead of 404 when ACL checks fail. Contributed by Suma Shivaprasad.

2018-07-02 15:34:37 -07:00 · 2018-07-02 15:34:37 -07:00 · fa9ef15ecd
commit fa9ef15ecd
parent 53e267fa72
4 changed files with 17 additions and 2 deletions
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/RollingLevelDBTimelineStore.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/RollingLevelDBTimelineStore.java
@ -413,6 +413,9 @@ public TimelineEntity getEntity(String entityId, String entityType,
      EnumSet<Field> fields) throws IOException {
    Long revStartTime = getStartTimeLong(entityId, entityType);
    if (revStartTime == null) {
+      if ( LOG.isDebugEnabled()) {
+        LOG.debug("Could not find start time for {} {} ", entityType, entityId);
+      }
      return null;
    }
    byte[] prefix = KeyBuilder.newInstance().add(entityType)
@ -421,6 +424,9 @@ public TimelineEntity getEntity(String entityId, String entityType,

    DB db = entitydb.getDBForStartTime(revStartTime);
    if (db == null) {
+      if ( LOG.isDebugEnabled()) {
+        LOG.debug("Could not find db for {} {} ", entityType, entityId);
+      }
      return null;
    }
    try (DBIterator iterator = db.iterator()) {
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/TimelineDataManager.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/TimelineDataManager.java
@ -219,7 +219,12 @@ private TimelineEntity doGetEntity(
      // check ACLs
      if (!timelineACLsManager.checkAccess(
          callerUGI, ApplicationAccessType.VIEW_APP, entity)) {
-        entity = null;
+        final String user = callerUGI != null ? callerUGI.getShortUserName():
+            null;
+        throw new YarnException(
+            user + " is not allowed to get the timeline entity "
+            + "{ id: " + entity.getEntityId() + ", type: "
+            + entity.getEntityType() + " }.");
      }
    }
    return entity;
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/webapp/TimelineWebServices.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/webapp/TimelineWebServices.java
@ -162,6 +162,10 @@ public TimelineEntity getEntity(
          parseStr(entityId),
          parseFieldsStr(fields, ","),
          getUser(req));
+    } catch (YarnException e) {
+      // The user doesn't have the access to override the existing domain.
+      LOG.info(e.getMessage(), e);
+      throw new ForbiddenException(e);
    } catch (IllegalArgumentException e) {
      throw new BadRequestException(e);
    } catch (Exception e) {
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/webapp/TestTimelineWebServices.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/webapp/TestTimelineWebServices.java
@ -709,7 +709,7 @@ public void testGetEntityWithYarnACLsEnabled() throws Exception {
          .get(ClientResponse.class);
      assertEquals(MediaType.APPLICATION_JSON + "; " + JettyUtils.UTF_8,
          response.getType().toString());
-      assertResponseStatusCode(Status.NOT_FOUND, response.getStatusInfo());
+      assertResponseStatusCode(Status.FORBIDDEN, response.getStatusInfo());
    } finally {
      timelineACLsManager.setAdminACLsManager(oldAdminACLsManager);
    }