From c879ca38de218fa8a55230fc635e450b7fc5ee53 Mon Sep 17 00:00:00 2001
From: Sunil G
Date: Thu, 13 Sep 2018 17:47:02 +0530
Subject: [PATCH] YARN-8630. ATSv2 REST APIs should honor filter-entity-list-by-user in non-secure cluster when ACls are enabled. Contributed by Rohith Sharma K S.
(cherry picked from commit f4bda5e8e9fee6c5a0dda7c79ef14e73aec20e7e)
---
 .../reader/TimelineReaderWebServices.java | 4 ++--
 .../reader/TestTimelineReaderWebServicesBasicAcl.java | 11 ++++++++---
 2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/main/java/org/apache/hadoop/yarn/server/timelineservice/reader/TimelineReaderWebServices.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/main/java/org/apache/hadoop/yarn/server/timelineservice/reader/TimelineReaderWebServices.java
index b10b705bb61..3a4ea2e99e3 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/main/java/org/apache/hadoop/yarn/server/timelineservice/reader/TimelineReaderWebServices.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/main/java/org/apache/hadoop/yarn/server/timelineservice/reader/TimelineReaderWebServices.java
@@ -3532,9 +3532,9 @@ public class TimelineReaderWebServices {
 static boolean checkAccess(TimelineReaderManager readerManager,
 UserGroupInformation ugi, String entityUser) {
 if (isDisplayEntityPerUserFilterEnabled(readerManager.getConfig())) {
- if (ugi != null && !validateAuthUserWithEntityUser(readerManager, ugi,
+ if (!validateAuthUserWithEntityUser(readerManager, ugi,
 entityUser)) {
- String userName = ugi.getShortUserName();
+ String userName = ugi == null ? null : ugi.getShortUserName();
 String msg = "User " + userName
 + " is not allowed to read TimelineService V2 data.";
 throw new ForbiddenException(msg);
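Review bot: With the `ugi != null` guard gone, denial of a request that carries no identity in `checkAccess` depends entirely on `validateAuthUserWithEntityUser` returning false for a null `ugi`, and the caller then sees "User null is not allowed to read TimelineService V2 data.". I would make the null case explicit ahead of the validate call with an actionable message, e.g. `if (ugi == null) { throw new ForbiddenException("No caller identity on the request; TimelineService V2 data cannot be read."); }`. A short comment such as `// fail closed: a request without a caller identity is denied when the per-user filter is on` would record the intent for the next maintainer. Judging by the test comment in this patch, the identity in a non-secure cluster comes from the `user.name` query parameter, so the method's Javadoc should state that the filter is not an authentication control in that mode. The method body continues past the end of the hunk.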
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/test/java/org/apache/hadoop/yarn/server/timelineservice/reader/TestTimelineReaderWebServicesBasicAcl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/test/java/org/apache/hadoop/yarn/server/timelineservice/reader/TestTimelineReaderWebServicesBasicAcl.java
index 6651457ff75..6ad44272a89 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/test/java/org/apache/hadoop/yarn/server/timelineservice/reader/TestTimelineReaderWebServicesBasicAcl.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/test/java/org/apache/hadoop/yarn/server/timelineservice/reader/TestTimelineReaderWebServicesBasicAcl.java
@@ -88,9 +88,14 @@ public class TestTimelineReaderWebServicesBasicAcl {
 Assert.assertFalse(TimelineReaderWebServices
 .validateAuthUserWithEntityUser(manager, null, user1));

- // true because ugi is null
- Assert.assertTrue(
- TimelineReaderWebServices.checkAccess(manager, null, user1));
+ // false because ugi is null in non-secure cluster. User must pass
+ // ?user.name as query params in REST end points.
+ try {
+ TimelineReaderWebServices.checkAccess(manager, null, user1);
+ Assert.fail("user1Ugi is not allowed to view user1");
+ } catch (ForbiddenException e) {
+ // expected
+ }

 // incoming ugi is admin asking for entity owner user1
 Assert.assertTrue(
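Review bot: The `Assert.fail` message names `user1Ugi`, but the call under test passes a null `ugi`, so a failure here would point the reader at the wrong case; `Assert.fail("checkAccess must reject a null ugi");` says what is being checked. The leading comment still says "false because ugi is null", while `checkAccess` now signals denial by throwing `ForbiddenException`, so `// ForbiddenException because ugi is null in a non-secure cluster.` would match the behaviour. The enclosing test method starts and ends outside the hunk.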