From cde5bfe3ecf888ef693234914e86507e452dc945 Mon Sep 17 00:00:00 2001
From: Jian He
Date: Tue, 30 Dec 2014 17:15:37 -0800
Subject: [PATCH] YARN-2987. Fixed ClientRMService#getQueueInfo to check against queue and app ACLs. Contributed by Varun Saxena
(cherry picked from commit e2351c7ae24cea9b217af4174512d279c55e8efd)
---
 hadoop-yarn-project/CHANGES.txt | 3 ++
 .../resourcemanager/ClientRMService.java | 19 +++++++++++-
 .../resourcemanager/TestClientRMService.java | 31 ++++++++++++++++++-
 3 files changed, 51 insertions(+), 2 deletions(-)
diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index d52acc79854..6c280cb12ba 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -265,6 +265,9 @@ Release 2.7.0 - UNRELEASED
 YARN-2938. Fixed new findbugs warnings in hadoop-yarn-resourcemanager and hadoop-yarn-applicationhistoryservice. (Varun Saxena via zjshen)
+ YARN-2987. Fixed ClientRMService#getQueueInfo to check against queue and
+ app ACLs. (Varun Saxena via jianhe)
+
 Release 2.6.0 - 2014-11-18 INCOMPATIBLE CHANGES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ClientRMService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ClientRMService.java
index abd08f10f8d..23c163a71cb 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ClientRMService.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ClientRMService.java
@@ -826,6 +826,14 @@ public class ClientRMService extends AbstractService implements
 @Override public GetQueueInfoResponse getQueueInfo(GetQueueInfoRequest request) throws YarnException {
+ UserGroupInformation callerUGI;
+ try {
+ callerUGI = UserGroupInformation.getCurrentUser();
+ } catch (IOException ie) {
+ LOG.info("Error getting UGI ", ie);
+ throw RPCUtil.getRemoteException(ie);
+ }
+
 GetQueueInfoResponse response = recordFactory.newRecordInstance(GetQueueInfoResponse.class);
 try {
@@ -840,7 +848,16 @@ public class ClientRMService extends AbstractService implements
 appReports = new ArrayList(apps.size());
 for (ApplicationAttemptId app : apps) {
 RMApp rmApp = rmContext.getRMApps().get(app.getApplicationId());
- appReports.add(rmApp.createAndGetApplicationReport(null, true));
+ if (rmApp != null) {
+ // Check if user is allowed access to this app
+ if (!checkAccess(callerUGI, rmApp.getUser(),
+ ApplicationAccessType.VIEW_APP, rmApp)) {
+ continue;
+ }
+ appReports.add(
+ rmApp.createAndGetApplicationReport(
+ callerUGI.getUserName(), true));
+ }
 }
 }
 queueInfo.setApplications(appReports);
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestClientRMService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestClientRMService.java
index a344e9a91ac..a68434664be 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestClientRMService.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestClientRMService.java
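Review bot: The failure to resolve the caller in the new `try`/`catch` at the top of `getQueueInfo` is logged with `LOG.info("Error getting UGI ", ie)`. Every ACL decision later in the method depends on `callerUGI`, so an identity-resolution failure deserves a higher level, and the trailing space in the message can go: `LOG.warn("Error getting UGI", ie);`. The method body continues past the end of this hunk.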
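Review bot: The filter added inside `for (ApplicationAttemptId app : apps)` covers only the application reports; nothing visible in this hunk checks the caller against the queue's own ACLs before the rest of `queueInfo` is returned, although the commit title mentions queue ACLs. The test mocks `QueueACLsManager.checkAccess`, which suggests the queue check happens inside `checkAccess`; if so, the existing comment could say it, for example `// checkAccess passes if either the app ACL or the queue ACL admits the caller` (wording to be confirmed against that helper). Applications the caller may not view are dropped by a bare `continue`, so a debug-level log naming the caller and the application id would make filtered responses traceable. The loop and the enclosing method begin and end outside this hunk.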
@@ -553,8 +553,17 @@ public class TestClientRMService {
 YarnScheduler yarnScheduler = mock(YarnScheduler.class);
 RMContext rmContext = mock(RMContext.class);
 mockRMContext(yarnScheduler, rmContext);
+
+ ApplicationACLsManager mockAclsManager = mock(ApplicationACLsManager.class);
+ QueueACLsManager mockQueueACLsManager = mock(QueueACLsManager.class);
+ when(mockQueueACLsManager.checkAccess(any(UserGroupInformation.class),
+ any(QueueACL.class), anyString())).thenReturn(true);
+ when(mockAclsManager.checkAccess(any(UserGroupInformation.class),
+ any(ApplicationAccessType.class), anyString(),
+ any(ApplicationId.class))).thenReturn(true);
+
 ClientRMService rmService = new ClientRMService(rmContext, yarnScheduler,
- null, null, null, null);
+ null, mockAclsManager, mockQueueACLsManager, null);
 GetQueueInfoRequest request = recordFactory .newRecordInstance(GetQueueInfoRequest.class);
 request.setQueueName("testqueue");
@@ -567,6 +576,26 @@ public class TestClientRMService {
 request.setIncludeApplications(true);
 // should not throw exception on nonexistent queue queueInfo = rmService.getQueueInfo(request);
+
+ // Case where user does not have application access
+ ApplicationACLsManager mockAclsManager1 =
+ mock(ApplicationACLsManager.class);
+ QueueACLsManager mockQueueACLsManager1 =
+ mock(QueueACLsManager.class);
+ when(mockQueueACLsManager1.checkAccess(any(UserGroupInformation.class),
+ any(QueueACL.class), anyString())).thenReturn(false);
+ when(mockAclsManager1.checkAccess(any(UserGroupInformation.class),
+ any(ApplicationAccessType.class), anyString(),
+ any(ApplicationId.class))).thenReturn(false);
+
+ ClientRMService rmService1 = new ClientRMService(rmContext, yarnScheduler,
+ null, mockAclsManager1, mockQueueACLsManager1, null);
+ request.setQueueName("testqueue");
+ request.setIncludeApplications(true);
+ GetQueueInfoResponse queueInfo1 = rmService1.getQueueInfo(request);
+ List applications1 = queueInfo1.getQueueInfo()
+ .getApplications();
+ Assert.assertEquals(0, applications1.size());
 }
 private static final UserGroupInformation owner =
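Review bot: The denied-access case sets both `mockAclsManager1` and `mockQueueACLsManager1` to return `false`, so it cannot show which of the two ACLs actually filters the reports. Two further cases would pin the intended rule: the app ACL returning `false` while the queue ACL returns `true`, and the reverse. `Assert.assertEquals(0, applications1.size())` is only meaningful if the same fixture yields a non-empty list with the permissive mocks; that assertion is not visible in this hunk, so confirm it exists in the part of the test between the two hunks. The test method begins before the hunk.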