YARN-8630. ATSv2 REST APIs should honor filter-entity-list-by-user in non-secure cluster when ACls are enabled. Contributed by Rohith Sharma K S.
(cherry picked from commit f4bda5e8e9
)
This commit is contained in:
parent
74c00641f9
commit
c879ca38de
|
@ -3532,9 +3532,9 @@ public class TimelineReaderWebServices {
|
|||
static boolean checkAccess(TimelineReaderManager readerManager,
|
||||
UserGroupInformation ugi, String entityUser) {
|
||||
if (isDisplayEntityPerUserFilterEnabled(readerManager.getConfig())) {
|
||||
if (ugi != null && !validateAuthUserWithEntityUser(readerManager, ugi,
|
||||
if (!validateAuthUserWithEntityUser(readerManager, ugi,
|
||||
entityUser)) {
|
||||
String userName = ugi.getShortUserName();
|
||||
String userName = ugi == null ? null : ugi.getShortUserName();
|
||||
String msg = "User " + userName
|
||||
+ " is not allowed to read TimelineService V2 data.";
|
||||
throw new ForbiddenException(msg);
|
||||
|
|
|
@ -88,9 +88,14 @@ public class TestTimelineReaderWebServicesBasicAcl {
|
|||
Assert.assertFalse(TimelineReaderWebServices
|
||||
.validateAuthUserWithEntityUser(manager, null, user1));
|
||||
|
||||
// true because ugi is null
|
||||
Assert.assertTrue(
|
||||
TimelineReaderWebServices.checkAccess(manager, null, user1));
|
||||
// false because ugi is null in non-secure cluster. User must pass
|
||||
// ?user.name as query params in REST end points.
|
||||
try {
|
||||
TimelineReaderWebServices.checkAccess(manager, null, user1);
|
||||
Assert.fail("user1Ugi is not allowed to view user1");
|
||||
} catch (ForbiddenException e) {
|
||||
// expected
|
||||
}
|
||||
|
||||
// incoming ugi is admin asking for entity owner user1
|
||||
Assert.assertTrue(
|
||||
|
|
Loading…
Reference in New Issue