YARN-10039. Allow disabling app submission from REST endpoints

This commit is contained in:
Jonathan Hung 2019-12-18 10:48:05 -08:00
parent fdd96e46d1
commit fddc3d55c3
4 changed files with 42 additions and 0 deletions

View File

@ -4219,6 +4219,10 @@ public class YarnConfiguration extends Configuration {
"yarn.webapp.filter-invalid-xml-chars";
public static final boolean DEFAULT_FILTER_INVALID_XML_CHARS = false;
public static final String ENABLE_REST_APP_SUBMISSIONS =
"yarn.webapp.enable-rest-app-submissions";
public static final boolean DEFAULT_ENABLE_REST_APP_SUBMISSIONS = true;
// RM and NM CSRF props
public static final String REST_CSRF = "webapp.rest-csrf.";
public static final String RM_CSRF_PREFIX = RM_PREFIX + REST_CSRF;

View File

@ -4487,4 +4487,10 @@
<name>yarn.workflow-id.tag-prefix</name>
<value>workflowid:</value>
</property>
<property>
<description>Whether or not to allow application submissions via REST. Default is true.</description>
<name>yarn.webapp.enable-rest-app-submissions</name>
<value>true</value>
</property>
</configuration>

View File

@ -244,6 +244,7 @@ public class RMWebServices extends WebServices implements RMWebServiceProtocol {
boolean isCentralizedNodeLabelConfiguration = true;
private boolean filterAppsByUser = false;
private boolean filterInvalidXMLChars = false;
private boolean enableRestAppSubmissions = true;
public final static String DELEGATION_TOKEN_HEADER =
"Hadoop-YARN-RM-Delegation-Token";
@ -262,6 +263,9 @@ public class RMWebServices extends WebServices implements RMWebServiceProtocol {
this.filterInvalidXMLChars = conf.getBoolean(
YarnConfiguration.FILTER_INVALID_XML_CHARS,
YarnConfiguration.DEFAULT_FILTER_INVALID_XML_CHARS);
this.enableRestAppSubmissions = conf.getBoolean(
YarnConfiguration.ENABLE_REST_APP_SUBMISSIONS,
YarnConfiguration.DEFAULT_ENABLE_REST_APP_SUBMISSIONS);
}
RMWebServices(ResourceManager rm, Configuration conf,
@ -1716,6 +1720,10 @@ public class RMWebServices extends WebServices implements RMWebServiceProtocol {
@Override
public Response createNewApplication(@Context HttpServletRequest hsr)
throws AuthorizationException, IOException, InterruptedException {
if (!enableRestAppSubmissions) {
String msg = "App submission via REST is disabled.";
return Response.status(Status.FORBIDDEN).entity(msg).build();
}
UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true);
initForWritableEndpoints(callerUGI, false);
@ -1736,6 +1744,10 @@ public class RMWebServices extends WebServices implements RMWebServiceProtocol {
public Response submitApplication(ApplicationSubmissionContextInfo newApp,
@Context HttpServletRequest hsr)
throws AuthorizationException, IOException, InterruptedException {
if (!enableRestAppSubmissions) {
String msg = "App submission via REST is disabled.";
return Response.status(Status.FORBIDDEN).entity(msg).build();
}
UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true);
initForWritableEndpoints(callerUGI, false);

View File

@ -43,6 +43,7 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
@ -76,6 +77,7 @@ import org.apache.hadoop.yarn.server.resourcemanager.scheduler.ResourceScheduler
import org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.CapacityScheduler;
import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FairScheduler;
import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fifo.FifoScheduler;
import org.apache.hadoop.yarn.server.resourcemanager.webapp.dao.ApplicationSubmissionContextInfo;
import org.apache.hadoop.yarn.server.resourcemanager.webapp.dao.AppsInfo;
import org.apache.hadoop.yarn.server.resourcemanager.webapp.dao.ClusterUserInfo;
import org.apache.hadoop.yarn.server.security.ApplicationACLsManager;
@ -952,6 +954,24 @@ public class TestRMWebServices extends JerseyTestBase {
"java.lang.Exception: \uFFFD", appsInfo.getApps().get(0).getNote());
}
@Test
public void testDisableRestAppSubmission() throws Exception {
Configuration conf = new YarnConfiguration();
conf.setBoolean(YarnConfiguration.ENABLE_REST_APP_SUBMISSIONS, false);
RMWebServices webSvc = new RMWebServices(mock(ResourceManager.class), conf,
mock(HttpServletResponse.class));
HttpServletRequest request = mock(HttpServletRequest.class);
Response response = webSvc.createNewApplication(request);
assertEquals(Status.FORBIDDEN.getStatusCode(), response.getStatus());
assertEquals("App submission via REST is disabled.", response.getEntity());
response = webSvc.submitApplication(
mock(ApplicationSubmissionContextInfo.class), request);
assertEquals(Status.FORBIDDEN.getStatusCode(), response.getStatus());
assertEquals("App submission via REST is disabled.", response.getEntity());
}
public void verifyClusterUserInfo(ClusterUserInfo userInfo,
String rmLoginUser, String requestedUser) {
assertEquals("rmLoginUser doesn't match: ",