YARN-8630. ATSv2 REST APIs should honor filter-entity-list-by-user in non-secure cluster when ACls are enabled. Contributed by Rohith Sharma K S.

(cherry picked from commit f4bda5e8e9)
Sunil G 2018-09-13 17:47:02 +05:30
parent 74c00641f9
commit c879ca38de
2 changed files with 10 additions and 5 deletions


@ -3532,9 +3532,9 @@ public class TimelineReaderWebServices {
static boolean checkAccess(TimelineReaderManager readerManager,
UserGroupInformation ugi, String entityUser) {
if (isDisplayEntityPerUserFilterEnabled(readerManager.getConfig())) {
if (ugi != null && !validateAuthUserWithEntityUser(readerManager, ugi,
if (!validateAuthUserWithEntityUser(readerManager, ugi,
entityUser)) {
String userName = ugi.getShortUserName();
String userName = ugi == null ? null : ugi.getShortUserName();
String msg = "User " + userName
+ " is not allowed to read TimelineService V2 data.";
throw new ForbiddenException(msg);
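Review bot: When `ugi` is null, the new `userName` line makes the response read `User null is not allowed to read TimelineService V2 data.`, which gives an operator or client no hint that the caller identity was missing rather than unauthorized. A clearer form would be `String userName = ugi == null ? "<unauthenticated>" : ugi.getShortUserName();`. The deny-by-default behaviour now depends on `validateAuthUserWithEntityUser` returning false for a null `ugi`, which is outside this hunk, so a comment above the `if` such as `// a null ugi must be rejected here; relies on validateAuthUserWithEntityUser(..., null, ...) == false` would make that dependency visible. If, as the test comment in this commit suggests, a non-secure cluster takes the identity from the `?user.name` query parameter, that value is asserted by the caller, and the comment should note that the filter is not an authentication boundary in that mode. The body of `checkAccess` continues past the end of the hunk.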


@ -88,9 +88,14 @@ public class TestTimelineReaderWebServicesBasicAcl {
Assert.assertFalse(TimelineReaderWebServices
.validateAuthUserWithEntityUser(manager, null, user1));
// true because ugi is null
Assert.assertTrue(
TimelineReaderWebServices.checkAccess(manager, null, user1));
// false because ugi is null in non-secure cluster. User must pass
// ?user.name as query params in REST end points.
try {
TimelineReaderWebServices.checkAccess(manager, null, user1);
Assert.fail("user1Ugi is not allowed to view user1");
} catch (ForbiddenException e) {
// expected
}
// incoming ugi is admin asking for entity owner user1
Assert.assertTrue(