YARN-8415. TimelineWebServices.getEntity should throw ForbiddenException instead of 404 when ACL checks fail. Contributed by Suma Shivaprasad.
parent
53e267fa72
commit
fa9ef15ecd
|
@ -413,6 +413,9 @@ public class RollingLevelDBTimelineStore extends AbstractService implements
|
||||||
EnumSet<Field> fields) throws IOException {
|
EnumSet<Field> fields) throws IOException {
|
||||||
Long revStartTime = getStartTimeLong(entityId, entityType);
|
Long revStartTime = getStartTimeLong(entityId, entityType);
|
||||||
if (revStartTime == null) {
|
if (revStartTime == null) {
|
||||||
|
if ( LOG.isDebugEnabled()) {
|
||||||
|
LOG.debug("Could not find start time for {} {} ", entityType, entityId);
|
||||||
|
}
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
byte[] prefix = KeyBuilder.newInstance().add(entityType)
|
byte[] prefix = KeyBuilder.newInstance().add(entityType)
|
||||||
|
@ -421,6 +424,9 @@ public class RollingLevelDBTimelineStore extends AbstractService implements
|
||||||
|
|
||||||
DB db = entitydb.getDBForStartTime(revStartTime);
|
DB db = entitydb.getDBForStartTime(revStartTime);
|
||||||
if (db == null) {
|
if (db == null) {
|
||||||
|
if ( LOG.isDebugEnabled()) {
|
||||||
|
LOG.debug("Could not find db for {} {} ", entityType, entityId);
|
||||||
|
}
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
try (DBIterator iterator = db.iterator()) {
|
try (DBIterator iterator = db.iterator()) {
|
||||||
|
|
|
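Review bot: The `if ( LOG.isDebugEnabled())` guard around both new debug calls is redundant if `LOG` is an SLF4J logger, as the `{}` placeholders suggest, because the arguments are plain variables and the message is only formatted when debug is enabled. Each block could be a single line such as `LOG.debug("Could not find start time for {} {}", entityType, entityId);`, and likewise for the "Could not find db" message. The space after `if (` and the trailing space inside both format strings also differ from the surrounding style. The enclosing method begins and ends outside the hunks.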
@ -219,7 +219,12 @@ public class TimelineDataManager extends AbstractService {
|
||||||
// check ACLs
|
// check ACLs
|
||||||
if (!timelineACLsManager.checkAccess(
|
if (!timelineACLsManager.checkAccess(
|
||||||
callerUGI, ApplicationAccessType.VIEW_APP, entity)) {
|
callerUGI, ApplicationAccessType.VIEW_APP, entity)) {
|
||||||
entity = null;
|
final String user = callerUGI != null ? callerUGI.getShortUserName():
|
||||||
|
null;
|
||||||
|
throw new YarnException(
|
||||||
|
user + " is not allowed to get the timeline entity "
|
||||||
|
+ "{ id: " + entity.getEntityId() + ", type: "
|
||||||
|
+ entity.getEntityType() + " }.");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return entity;
|
return entity;
|
||||||
|
|
|
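Review bot: Throwing `YarnException` where the code used to set `entity = null` makes a denied lookup distinguishable from a missing one, which presumably still ends in a 404, so a caller without `VIEW_APP` can now confirm that a given entity id and type exist. If that is the intended trade-off, it deserves a comment at the throw, for example `// Deliberate: ACL failure is reported to the caller, which reveals that the entity exists`. The exception is the generic `YarnException`, so callers cannot tell an ACL denial from any other failure of that type; a dedicated subtype, if the project has one, would let the web layer map only denials to 403. When `callerUGI` is null the message starts with the text `null`, which reads oddly in logs and responses. The enclosing method starts outside the hunk.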
@ -162,6 +162,10 @@ public class TimelineWebServices {
|
||||||
parseStr(entityId),
|
parseStr(entityId),
|
||||||
parseFieldsStr(fields, ","),
|
parseFieldsStr(fields, ","),
|
||||||
getUser(req));
|
getUser(req));
|
||||||
|
} catch (YarnException e) {
|
||||||
|
// The user doesn't have the access to override the existing domain.
|
||||||
|
LOG.info(e.getMessage(), e);
|
||||||
|
throw new ForbiddenException(e);
|
||||||
} catch (IllegalArgumentException e) {
|
} catch (IllegalArgumentException e) {
|
||||||
throw new BadRequestException(e);
|
throw new BadRequestException(e);
|
||||||
} catch (Exception e) {
|
} catch (Exception e) {
|
||||||
|
|
|
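Review bot: The comment in the new `catch (YarnException e)` block, `// The user doesn't have the access to override the existing domain.`, describes a different operation and looks copied from elsewhere; for this read path it should say something like `// The caller is not allowed to view this entity.`. The handler also turns every `YarnException` from the call into `ForbiddenException`, so any non-ACL failure of that type would be reported as 403; it is worth confirming that only the ACL check can throw it here. `LOG.info(e.getMessage(), e)` writes a full stack trace for each denied request, and the message embeds the requested entity id and type. Logging the message without the throwable, or at debug level, would keep the log readable and limit how much request-supplied text reaches it. The try block starts outside the hunk.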
@ -709,7 +709,7 @@ public class TestTimelineWebServices extends JerseyTestBase {
|
||||||
.get(ClientResponse.class);
|
.get(ClientResponse.class);
|
||||||
assertEquals(MediaType.APPLICATION_JSON + "; " + JettyUtils.UTF_8,
|
assertEquals(MediaType.APPLICATION_JSON + "; " + JettyUtils.UTF_8,
|
||||||
response.getType().toString());
|
response.getType().toString());
|
||||||
assertResponseStatusCode(Status.NOT_FOUND, response.getStatusInfo());
|
assertResponseStatusCode(Status.FORBIDDEN, response.getStatusInfo());
|
||||||
} finally {
|
} finally {
|
||||||
timelineACLsManager.setAdminACLsManager(oldAdminACLsManager);
|
timelineACLsManager.setAdminACLsManager(oldAdminACLsManager);
|
||||||
}
|
}
|
||||||
|
|