From 8261f9e5710038ccbc475dbfcea3b9ae79b6f482 Mon Sep 17 00:00:00 2001
From: Rohith Sharma K S
Date: Sat, 2 Jun 2018 09:29:06 +0530
Subject: [PATCH] More YARN pages need to honor yarn.resourcemanager.display.per-user-apps(addendum). Contributed by Sunil G.
---
 .../reader/TimelineReaderManager.java | 21 +++++++++++++++++++
 .../reader/TimelineReaderWebServices.java | 18 ++++++++++------
 2 files changed, 33 insertions(+), 6 deletions(-)
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/main/java/org/apache/hadoop/yarn/server/timelineservice/reader/TimelineReaderManager.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/main/java/org/apache/hadoop/yarn/server/timelineservice/reader/TimelineReaderManager.java
index 67e5849ed6a..8c7c974b5b3 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/main/java/org/apache/hadoop/yarn/server/timelineservice/reader/TimelineReaderManager.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/main/java/org/apache/hadoop/yarn/server/timelineservice/reader/TimelineReaderManager.java
@@ -24,12 +24,14 @@ import java.util.Set;
 import org.apache.hadoop.classification.InterfaceAudience.Private;
 import org.apache.hadoop.classification.InterfaceStability.Unstable;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.service.AbstractService;
 import org.apache.hadoop.yarn.api.records.timelineservice.FlowActivityEntity;
 import org.apache.hadoop.yarn.api.records.timelineservice.FlowRunEntity;
 import org.apache.hadoop.yarn.api.records.timelineservice.TimelineEntity;
 import org.apache.hadoop.yarn.api.records.timelineservice.TimelineEntityType;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
+import org.apache.hadoop.yarn.security.AdminACLsManager;
 import org.apache.hadoop.yarn.server.timelineservice.storage.TimelineReader;
 /**
@@ -42,12 +44,19 @@ import org.apache.hadoop.yarn.server.timelineservice.storage.TimelineReader;
 public class TimelineReaderManager extends AbstractService {
 private TimelineReader reader;
+ private AdminACLsManager adminACLsManager;
 public TimelineReaderManager(TimelineReader timelineReader) {
 super(TimelineReaderManager.class.getName());
 this.reader = timelineReader;
 }
+ @Override
+ protected void serviceInit(Configuration conf) throws Exception {
+ // TODO Once ACLS story is played, this need to be removed or modified.
+ this.adminACLsManager = new AdminACLsManager(conf);
+ }
+
 /**
 * Gets cluster ID from config yarn.resourcemanager.cluster-id
 * if not supplied by client.
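Review bot: The new `serviceInit` override in TimelineReaderManager never calls `super.serviceInit(conf)`, which Hadoop services conventionally do at the end of their override so that base-class initialisation is not skipped; add `super.serviceInit(conf);` after the `AdminACLsManager` is created. `adminACLsManager` is also non-final and stays null until the service has been initialised, so `checkAccess` would throw a NullPointerException if it were reached before `init`. A comment on the field such as `// set in serviceInit(); null until the service is initialised` would make that lifecycle dependency visible.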
@@ -198,4 +207,16 @@ public class TimelineReaderManager extends AbstractService {
 context.setClusterId(getClusterID(context.getClusterId(), getConfig()));
 return reader.getEntityTypes(new TimelineReaderContext(context));
 }
+
+ /**
+ * The API to confirm is a User is allowed to read this data.
+ * @param callerUGI UserGroupInformation of the user
+ */
+ public boolean checkAccess(UserGroupInformation callerUGI) {
+ // TODO to be removed or modified once ACL story is played
+ if (!adminACLsManager.areACLsEnabled()) {
+ return true;
+ }
+ return callerUGI != null && adminACLsManager.isAdmin(callerUGI);
+ }
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/main/java/org/apache/hadoop/yarn/server/timelineservice/reader/TimelineReaderWebServices.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/main/java/org/apache/hadoop/yarn/server/timelineservice/reader/TimelineReaderWebServices.java
index a671f33cbdd..7bf66b0bd76 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/main/java/org/apache/hadoop/yarn/server/timelineservice/reader/TimelineReaderWebServices.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/main/java/org/apache/hadoop/yarn/server/timelineservice/reader/TimelineReaderWebServices.java
@@ -1435,6 +1435,7 @@ public class TimelineReaderWebServices {
 long startTime = Time.monotonicNow();
 init(res);
 TimelineReaderManager timelineReaderManager = getTimelineReaderManager();
+ Configuration config = timelineReaderManager.getConfig();
 Set entities = null;
 try {
 DateRange range = parseDateRange(dateRange);
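Review bot: `checkAccess` in TimelineReaderManager.java returns `true` for every caller, including a null `callerUGI`, whenever `adminACLsManager.areACLsEnabled()` is false, and the Javadoc does not mention it. Because `validateAuthUserWithEntityUser` in TimelineReaderWebServices.java ORs this result with the user-name comparison, the per-user entity filter removes nothing on a cluster where ACLs are off, even with the filter option switched on. If that is intended, say so in the Javadoc; otherwise return `false` on the ACLs-disabled path so the user-name comparison decides. The Javadoc also lacks a `@return` tag and would read better as `Checks whether the caller may read all users' data: true when ACLs are disabled or the caller is an admin.`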
@@ -1454,15 +1455,15 @@ public class TimelineReaderWebServices {
 long endTime = Time.monotonicNow();
 if (entities == null) {
 entities = Collections.emptySet();
- } else if (isDisplayEntityPerUserFilterEnabled(
- timelineReaderManager.getConfig())) {
+ } else if (isDisplayEntityPerUserFilterEnabled(config)) {
 Set userEntities = new LinkedHashSet<>();
 userEntities.addAll(entities);
 for (TimelineEntity entity : userEntities) {
 if (entity.getInfo() != null) {
 String userId = (String) entity.getInfo().get(FlowActivityEntity.USER_INFO_KEY);
- if (!validateAuthUserWithEntityUser(callerUGI, userId)) {
+ if (!validateAuthUserWithEntityUser(timelineReaderManager, callerUGI,
+ userId)) {
 entities.remove(entity);
 }
 }
@@ -3422,11 +3423,16 @@ public class TimelineReaderWebServices {
 }
 private boolean isDisplayEntityPerUserFilterEnabled(Configuration config) {
- return config
+ return !config
+ .getBoolean(YarnConfiguration.TIMELINE_SERVICE_READ_AUTH_ENABLED,
+ YarnConfiguration.DEFAULT_TIMELINE_SERVICE_READ_AUTH_ENABLED)
+ && config
 .getBoolean(YarnConfiguration.FILTER_ENTITY_LIST_BY_USER, false);
 }
- private boolean validateAuthUserWithEntityUser(UserGroupInformation ugi,
+ // TODO to be removed/modified once ACL story has played
+ private boolean validateAuthUserWithEntityUser(
+ TimelineReaderManager readerManager, UserGroupInformation ugi,
 String entityUser) {
 String authUser = TimelineReaderWebServicesUtils.getUserName(ugi);
 String requestedUser = TimelineReaderWebServicesUtils.parseStr(entityUser);
@@ -3434,6 +3440,6 @@ public class TimelineReaderWebServices {
 LOG.debug(
 "Authenticated User: " + authUser + " Requested User:" + entityUser);
 }
- return authUser.equals(requestedUser);
+ return (readerManager.checkAccess(ugi) || authUser.equals(requestedUser));
 }
 }
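Review bot: In the filtering loop, an entity whose `getInfo()` is null never reaches `validateAuthUserWithEntityUser` and so stays in the response for every caller; the filter fails open for entities that carry no user info. If such entities can appear in this listing, drop them for callers who are not allowed to see everything, for example by extending the check with `} else if (!timelineReaderManager.checkAccess(callerUGI)) { entities.remove(entity); }`. The enclosing method starts and ends outside this hunk, so whether a null info map is reachable here needs confirming against the rest of the method.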
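Review bot: `isDisplayEntityPerUserFilterEnabled` now switches the per-user filter off whenever `TIMELINE_SERVICE_READ_AUTH_ENABLED` is true, but nothing in the method explains the negation, and the listing then relies entirely on the read-authorization path to limit what a caller sees. Add a comment such as `// Per-user filtering only applies while timeline read authorization is off; with it on, access control is left to the read-auth checks.` and confirm that path actually covers this endpoint. The second lookup still hard-codes `false` as its default while the first uses a `DEFAULT_` constant; a named default would keep the two consistent.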
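Review bot: `readerManager.checkAccess(ugi)` depends only on the caller, yet the new return expression in `validateAuthUserWithEntityUser` evaluates it once per entity, because the method is called inside the filtering loop. Computing it once before the loop, `boolean canReadAll = timelineReaderManager.checkAccess(callerUGI);`, and skipping the loop when it is true keeps the admin bypass in one visible place and leaves this method as a plain user-name comparison. The outer parentheses around the return expression are redundant. The method body starts outside this hunk.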