YARN-8415. TimelineWebServices.getEntity should throw ForbiddenException instead of 404 when ACL checks fail. Contributed by Suma Shivaprasad.

Sunil G 2018-07-02 15:34:37 -07:00
parent 53e267fa72
commit fa9ef15ecd
4 changed files with 17 additions and 2 deletions


@ -413,6 +413,9 @@ public TimelineEntity getEntity(String entityId, String entityType,
EnumSet<Field> fields) throws IOException { EnumSet<Field> fields) throws IOException {
Long revStartTime = getStartTimeLong(entityId, entityType); Long revStartTime = getStartTimeLong(entityId, entityType);
if (revStartTime == null) { if (revStartTime == null) {
if ( LOG.isDebugEnabled()) {
LOG.debug("Could not find start time for {} {} ", entityType, entityId);
}
return null; return null;
} }
byte[] prefix = KeyBuilder.newInstance().add(entityType) byte[] prefix = KeyBuilder.newInstance().add(entityType)
@ -421,6 +424,9 @@ public TimelineEntity getEntity(String entityId, String entityType,
DB db = entitydb.getDBForStartTime(revStartTime); DB db = entitydb.getDBForStartTime(revStartTime);
if (db == null) { if (db == null) {
if ( LOG.isDebugEnabled()) {
LOG.debug("Could not find db for {} {} ", entityType, entityId);
}
return null; return null;
} }
try (DBIterator iterator = db.iterator()) { try (DBIterator iterator = db.iterator()) {
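Review bot: The `LOG.isDebugEnabled()` guards around both new `LOG.debug` calls (the missing-start-time branch and the missing-db branch) look redundant. Assuming LOG is an SLF4J logger, which the `{}` placeholders suggest, formatting is already deferred and the arguments are plain strings. A bare `LOG.debug("Could not find start time for {} {}", entityType, entityId);` also drops the stray space after `if (` and the trailing space in the message. entityType and entityId appear to come from the request, so it is worth confirming that line breaks are neutralised before they reach the log; these hunks do not show whether that happens upstream. getEntity starts before and continues after both hunks.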


@ -219,7 +219,12 @@ private TimelineEntity doGetEntity(
// check ACLs // check ACLs
if (!timelineACLsManager.checkAccess( if (!timelineACLsManager.checkAccess(
callerUGI, ApplicationAccessType.VIEW_APP, entity)) { callerUGI, ApplicationAccessType.VIEW_APP, entity)) {
entity = null; final String user = callerUGI != null ? callerUGI.getShortUserName():
null;
throw new YarnException(
user + " is not allowed to get the timeline entity "
+ "{ id: " + entity.getEntityId() + ", type: "
+ entity.getEntityType() + " }.");
} }
} }
return entity; return entity;
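Review bot: The ACL denial in doGetEntity is raised as a plain `YarnException`, so callers cannot tell "access denied" apart from any other YarnException on the same call path. The web-service catch added in this commit maps all of them to 403, so a dedicated YarnException subclass for the denied case would keep that mapping precise. When `callerUGI` is null the message reads "null is not allowed to get the timeline entity …"; `callerUGI != null ? callerUGI.getShortUserName() : "<unknown user>"` would be clearer in logs and audit trails. doGetEntity starts and ends outside the hunk, so it is not visible whether other callers relied on the previous null return.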


@ -162,6 +162,10 @@ public TimelineEntity getEntity(
parseStr(entityId), parseStr(entityId),
parseFieldsStr(fields, ","), parseFieldsStr(fields, ","),
getUser(req)); getUser(req));
} catch (YarnException e) {
// The user doesn't have the access to override the existing domain.
LOG.info(e.getMessage(), e);
throw new ForbiddenException(e);
} catch (IllegalArgumentException e) { } catch (IllegalArgumentException e) {
throw new BadRequestException(e); throw new BadRequestException(e);
} catch (Exception e) { } catch (Exception e) {
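Review bot: The comment in the new catch block, `// The user doesn't have the access to override the existing domain.`, describes a domain write rather than this read path; something like `// The caller failed the ACL check for this entity.` would match the code. `LOG.info(e.getMessage(), e)` writes a full stack trace at INFO for every denied request, so a caller who is repeatedly denied can inflate the log. `LOG.info(e.getMessage());` keeps the audit line, with the trace at debug level if it is wanted. The exception is also passed into `ForbiddenException`, so its message (user name, entity id and type) may reach the response body, which is worth confirming as intended. The try block begins outside the hunk.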


@ -709,7 +709,7 @@ public void testGetEntityWithYarnACLsEnabled() throws Exception {
.get(ClientResponse.class); .get(ClientResponse.class);
assertEquals(MediaType.APPLICATION_JSON + "; " + JettyUtils.UTF_8, assertEquals(MediaType.APPLICATION_JSON + "; " + JettyUtils.UTF_8,
response.getType().toString()); response.getType().toString());
assertResponseStatusCode(Status.NOT_FOUND, response.getStatusInfo()); assertResponseStatusCode(Status.FORBIDDEN, response.getStatusInfo());
} finally { } finally {
timelineACLsManager.setAdminACLsManager(oldAdminACLsManager); timelineACLsManager.setAdminACLsManager(oldAdminACLsManager);
} }