From fa9ef15ecd6dc30fb260e1c342a2b51505d39b6b Mon Sep 17 00:00:00 2001
From: Sunil G
Date: Mon, 2 Jul 2018 15:34:37 -0700
Subject: [PATCH] YARN-8415. TimelineWebServices.getEntity should throw ForbiddenException instead of 404 when ACL checks fail. Contributed by Suma Shivaprasad.
---
 .../yarn/server/timeline/RollingLevelDBTimelineStore.java | 6 ++++++
 .../hadoop/yarn/server/timeline/TimelineDataManager.java | 7 ++++++-
 .../yarn/server/timeline/webapp/TimelineWebServices.java | 4 ++++
 .../server/timeline/webapp/TestTimelineWebServices.java | 2 +-
 4 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/RollingLevelDBTimelineStore.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/RollingLevelDBTimelineStore.java
index 36b5ce8430..255547b18b 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/RollingLevelDBTimelineStore.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/RollingLevelDBTimelineStore.java
@@ -413,6 +413,9 @@ public TimelineEntity getEntity(String entityId, String entityType,
 EnumSet fields) throws IOException {
 Long revStartTime = getStartTimeLong(entityId, entityType);
 if (revStartTime == null) {
+ if ( LOG.isDebugEnabled()) {
+ LOG.debug("Could not find start time for {} {} ", entityType, entityId);
+ }
 return null;
 }
 byte[] prefix = KeyBuilder.newInstance().add(entityType)
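Review bot: The `if ( LOG.isDebugEnabled())` guard around each new `LOG.debug` in RollingLevelDBTimelineStore.getEntity is redundant if LOG is an SLF4J logger, which the `{}` placeholders suggest, because the parameterized call already skips formatting when debug is off and both arguments are plain strings. The two added blocks (the start-time lookup in this hunk and the `db == null` branch in the next hunk at -421) can each collapse to one line, e.g. `LOG.debug("Could not find start time for {} {}", entityType, entityId);`, which also drops the stray space after `(` and the trailing space inside the message. entityType and entityId appear to be caller-supplied, so anything that consumes these debug lines should treat the values as untrusted text. getEntity's body starts before and continues past both hunks.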
@@ -421,6 +424,9 @@ public TimelineEntity getEntity(String entityId, String entityType,
 DB db = entitydb.getDBForStartTime(revStartTime);
 if (db == null) {
+ if ( LOG.isDebugEnabled()) {
+ LOG.debug("Could not find db for {} {} ", entityType, entityId);
+ }
 return null;
 }
 try (DBIterator iterator = db.iterator()) {
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/TimelineDataManager.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/TimelineDataManager.java
index 56b71faf2e..c5381967e1 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/TimelineDataManager.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/TimelineDataManager.java
@@ -219,7 +219,12 @@ private TimelineEntity doGetEntity(
 // check ACLs
 if (!timelineACLsManager.checkAccess(
 callerUGI, ApplicationAccessType.VIEW_APP, entity)) {
- entity = null;
+ final String user = callerUGI != null ? callerUGI.getShortUserName():
+ null;
+ throw new YarnException(
+ user + " is not allowed to get the timeline entity " + + "{ id: " + entity.getEntityId() + ", type: " + + entity.getEntityType() + " }.");
 }
 }
 return entity;
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/webapp/TimelineWebServices.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/webapp/TimelineWebServices.java
index be8e3c599e..9423e7f71b 100644
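Review bot: In TimelineDataManager.doGetEntity the ACL failure is signalled with a plain `YarnException`, so callers cannot tell an authorization denial from any other YarnException raised on the same path, and the REST layer in this commit maps every YarnException from getEntity to 403. A dedicated access-denied type would keep that mapping exact; Hadoop already ships `org.apache.hadoop.security.AccessControlException`, though whether it fits the declared throws clause cannot be seen here because doGetEntity's signature lies outside the hunk. At minimum the method should carry Javadoc such as `@throws YarnException if the caller lacks VIEW_APP access to the entity`, since any other caller of doGetEntity that previously received `null` for a denied entity now gets an exception. When `callerUGI` is null the message reads "null is not allowed to get the timeline entity ...", which is worth replacing with a clearer placeholder for the unknown user.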
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/webapp/TimelineWebServices.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/main/java/org/apache/hadoop/yarn/server/timeline/webapp/TimelineWebServices.java
@@ -162,6 +162,10 @@ public TimelineEntity getEntity(
 parseStr(entityId),
 parseFieldsStr(fields, ","),
 getUser(req));
+ } catch (YarnException e) {
+ // The user doesn't have the access to override the existing domain.
+ LOG.info(e.getMessage(), e);
+ throw new ForbiddenException(e);
 } catch (IllegalArgumentException e) {
 throw new BadRequestException(e);
 } catch (Exception e) {
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/webapp/TestTimelineWebServices.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/webapp/TestTimelineWebServices.java
index ca78cbcbab..b6d2967d2a 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/webapp/TestTimelineWebServices.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/webapp/TestTimelineWebServices.java
@@ -709,7 +709,7 @@ public void testGetEntityWithYarnACLsEnabled() throws Exception {
 .get(ClientResponse.class);
 assertEquals(MediaType.APPLICATION_JSON + "; " + JettyUtils.UTF_8,
 response.getType().toString());
- assertResponseStatusCode(Status.NOT_FOUND, response.getStatusInfo());
+ assertResponseStatusCode(Status.FORBIDDEN, response.getStatusInfo());
 } finally {
 timelineACLsManager.setAdminACLsManager(oldAdminACLsManager);
 }
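Review bot: The comment added in the new `catch (YarnException e)` branch of TimelineWebServices.getEntity, "The user doesn't have the access to override the existing domain.", describes a domain write and does not match this read path; it should read something like `// The caller is not allowed to view the requested entity.` Logging with `LOG.info(e.getMessage(), e)` writes a full stack trace for every denied request, so a client that keeps asking for entities it cannot view can fill the log; `LOG.info(e.getMessage());`, with the trace at debug level if it is wanted, keeps the audit line without the volume. The message embeds the entity id and type taken from the request, so log consumers should treat it as untrusted text. The try block and the remaining catch clauses continue outside the hunk.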
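Review bot: The updated assertion in testGetEntityWithYarnACLsEnabled pins only the 403 for an entity the caller may not view; nothing in the hunk checks that a non-existent entity still returns `Status.NOT_FOUND` with ACLs enabled. Because 403 versus 404 now tells an unauthorized caller whether an entity id exists, that distinction deserves a companion assertion and a short comment in the test stating that it is intended. The rest of the test method lies outside the hunk, so such a check may already exist elsewhere in the file.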