More YARN pages need to honor yarn.resourcemanager.display.per-user-apps(addendum). Contributed by Sunil G.

2018-06-02 09:29:06 +05:30 · 2018-06-02 09:29:06 +05:30 · 8261f9e571
parent d5e69d8994
commit 8261f9e571
2 changed files with 33 additions and 6 deletions
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/main/java/org/apache/hadoop/yarn/server/timelineservice/reader/TimelineReaderManager.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/main/java/org/apache/hadoop/yarn/server/timelineservice/reader/TimelineReaderManager.java
@ -24,12 +24,14 @@ import java.util.Set;
 import org.apache.hadoop.classification.InterfaceAudience.Private;
 import org.apache.hadoop.classification.InterfaceStability.Unstable;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.service.AbstractService;
 import org.apache.hadoop.yarn.api.records.timelineservice.FlowActivityEntity;
 import org.apache.hadoop.yarn.api.records.timelineservice.FlowRunEntity;
 import org.apache.hadoop.yarn.api.records.timelineservice.TimelineEntity;
 import org.apache.hadoop.yarn.api.records.timelineservice.TimelineEntityType;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
+import org.apache.hadoop.yarn.security.AdminACLsManager;
 import org.apache.hadoop.yarn.server.timelineservice.storage.TimelineReader;

 /**
@ -42,12 +44,19 @@ import org.apache.hadoop.yarn.server.timelineservice.storage.TimelineReader;
 public class TimelineReaderManager extends AbstractService {

  private TimelineReader reader;
+  private AdminACLsManager adminACLsManager;

  public TimelineReaderManager(TimelineReader timelineReader) {
    super(TimelineReaderManager.class.getName());
    this.reader = timelineReader;
  }

+  @Override
+  protected void serviceInit(Configuration conf) throws Exception {
+    // TODO Once ACLS story is played, this need to be removed or modified.
+    this.adminACLsManager = new AdminACLsManager(conf);
+  }
+
  /**
   * Gets cluster ID from config yarn.resourcemanager.cluster-id
   * if not supplied by client.
@ -198,4 +207,16 @@ public class TimelineReaderManager extends AbstractService {
    context.setClusterId(getClusterID(context.getClusterId(), getConfig()));
    return reader.getEntityTypes(new TimelineReaderContext(context));
  }
+
+  /**
+   * The API to confirm is a User is allowed to read this data.
+   * @param callerUGI UserGroupInformation of the user
+   */
+  public boolean checkAccess(UserGroupInformation callerUGI) {
+    // TODO to be removed or modified once ACL story is played
+    if (!adminACLsManager.areACLsEnabled()) {
+      return true;
+    }
+    return callerUGI != null && adminACLsManager.isAdmin(callerUGI);
+  }
 }
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/main/java/org/apache/hadoop/yarn/server/timelineservice/reader/TimelineReaderWebServices.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/main/java/org/apache/hadoop/yarn/server/timelineservice/reader/TimelineReaderWebServices.java
@ -1435,6 +1435,7 @@ public class TimelineReaderWebServices {
    long startTime = Time.monotonicNow();
    init(res);
    TimelineReaderManager timelineReaderManager = getTimelineReaderManager();
+    Configuration config = timelineReaderManager.getConfig();
    Set<TimelineEntity> entities = null;
    try {
      DateRange range = parseDateRange(dateRange);
@ -1454,15 +1455,15 @@ public class TimelineReaderWebServices {
    long endTime = Time.monotonicNow();
    if (entities == null) {
      entities = Collections.emptySet();
-    } else if (isDisplayEntityPerUserFilterEnabled(
-        timelineReaderManager.getConfig())) {
+    } else if (isDisplayEntityPerUserFilterEnabled(config)) {
      Set<TimelineEntity> userEntities = new LinkedHashSet<>();
      userEntities.addAll(entities);
      for (TimelineEntity entity : userEntities) {
        if (entity.getInfo() != null) {
          String userId =
              (String) entity.getInfo().get(FlowActivityEntity.USER_INFO_KEY);
-          if (!validateAuthUserWithEntityUser(callerUGI, userId)) {
+          if (!validateAuthUserWithEntityUser(timelineReaderManager, callerUGI,
+              userId)) {
            entities.remove(entity);
          }
        }
@ -3422,11 +3423,16 @@ public class TimelineReaderWebServices {
  }

  private boolean isDisplayEntityPerUserFilterEnabled(Configuration config) {
-    return config
+    return !config
+        .getBoolean(YarnConfiguration.TIMELINE_SERVICE_READ_AUTH_ENABLED,
+            YarnConfiguration.DEFAULT_TIMELINE_SERVICE_READ_AUTH_ENABLED)
+        && config
        .getBoolean(YarnConfiguration.FILTER_ENTITY_LIST_BY_USER, false);
  }

-  private boolean validateAuthUserWithEntityUser(UserGroupInformation ugi,
+  // TODO to be removed/modified once ACL story has played
+  private boolean validateAuthUserWithEntityUser(
+      TimelineReaderManager readerManager, UserGroupInformation ugi,
      String entityUser) {
    String authUser = TimelineReaderWebServicesUtils.getUserName(ugi);
    String requestedUser = TimelineReaderWebServicesUtils.parseStr(entityUser);
@ -3434,6 +3440,6 @@ public class TimelineReaderWebServices {
      LOG.debug(
          "Authenticated User: " + authUser + " Requested User:" + entityUser);
    }
-    return authUser.equals(requestedUser);
+    return (readerManager.checkAccess(ugi) || authUser.equals(requestedUser));
  }
 }