YARN-8630. ATSv2 REST APIs should honor filter-entity-list-by-user in non-secure cluster when ACls are enabled. Contributed by Rohith Sharma K S.

(cherry picked from commit f4bda5e8e9)
This commit is contained in:
Sunil G 2018-09-13 17:47:02 +05:30
parent 74c00641f9
commit c879ca38de
2 changed files with 10 additions and 5 deletions

View File

@ -3532,9 +3532,9 @@ public class TimelineReaderWebServices {
static boolean checkAccess(TimelineReaderManager readerManager, static boolean checkAccess(TimelineReaderManager readerManager,
UserGroupInformation ugi, String entityUser) { UserGroupInformation ugi, String entityUser) {
if (isDisplayEntityPerUserFilterEnabled(readerManager.getConfig())) { if (isDisplayEntityPerUserFilterEnabled(readerManager.getConfig())) {
if (ugi != null && !validateAuthUserWithEntityUser(readerManager, ugi, if (!validateAuthUserWithEntityUser(readerManager, ugi,
entityUser)) { entityUser)) {
String userName = ugi.getShortUserName(); String userName = ugi == null ? null : ugi.getShortUserName();
String msg = "User " + userName String msg = "User " + userName
+ " is not allowed to read TimelineService V2 data."; + " is not allowed to read TimelineService V2 data.";
throw new ForbiddenException(msg); throw new ForbiddenException(msg);

View File

@ -88,9 +88,14 @@ public class TestTimelineReaderWebServicesBasicAcl {
Assert.assertFalse(TimelineReaderWebServices Assert.assertFalse(TimelineReaderWebServices
.validateAuthUserWithEntityUser(manager, null, user1)); .validateAuthUserWithEntityUser(manager, null, user1));
// true because ugi is null // false because ugi is null in non-secure cluster. User must pass
Assert.assertTrue( // ?user.name as query params in REST end points.
TimelineReaderWebServices.checkAccess(manager, null, user1)); try {
TimelineReaderWebServices.checkAccess(manager, null, user1);
Assert.fail("user1Ugi is not allowed to view user1");
} catch (ForbiddenException e) {
// expected
}
// incoming ugi is admin asking for entity owner user1 // incoming ugi is admin asking for entity owner user1
Assert.assertTrue( Assert.assertTrue(