YARN-10039. Allow disabling app submission from REST endpoints
This commit is contained in:
parent
fdd96e46d1
commit
fddc3d55c3
|
@ -4219,6 +4219,10 @@ public class YarnConfiguration extends Configuration {
|
|||
"yarn.webapp.filter-invalid-xml-chars";
|
||||
public static final boolean DEFAULT_FILTER_INVALID_XML_CHARS = false;
|
||||
|
||||
public static final String ENABLE_REST_APP_SUBMISSIONS =
|
||||
"yarn.webapp.enable-rest-app-submissions";
|
||||
public static final boolean DEFAULT_ENABLE_REST_APP_SUBMISSIONS = true;
|
||||
|
||||
// RM and NM CSRF props
|
||||
public static final String REST_CSRF = "webapp.rest-csrf.";
|
||||
public static final String RM_CSRF_PREFIX = RM_PREFIX + REST_CSRF;
|
||||
|
|
|
@ -4487,4 +4487,10 @@
|
|||
<name>yarn.workflow-id.tag-prefix</name>
|
||||
<value>workflowid:</value>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<description>Whether or not to allow application submissions via REST. Default is true.</description>
|
||||
<name>yarn.webapp.enable-rest-app-submissions</name>
|
||||
<value>true</value>
|
||||
</property>
|
||||
</configuration>
|
||||
|
|
|
@ -244,6 +244,7 @@ public class RMWebServices extends WebServices implements RMWebServiceProtocol {
|
|||
boolean isCentralizedNodeLabelConfiguration = true;
|
||||
private boolean filterAppsByUser = false;
|
||||
private boolean filterInvalidXMLChars = false;
|
||||
private boolean enableRestAppSubmissions = true;
|
||||
|
||||
public final static String DELEGATION_TOKEN_HEADER =
|
||||
"Hadoop-YARN-RM-Delegation-Token";
|
||||
|
@ -262,6 +263,9 @@ public class RMWebServices extends WebServices implements RMWebServiceProtocol {
|
|||
this.filterInvalidXMLChars = conf.getBoolean(
|
||||
YarnConfiguration.FILTER_INVALID_XML_CHARS,
|
||||
YarnConfiguration.DEFAULT_FILTER_INVALID_XML_CHARS);
|
||||
this.enableRestAppSubmissions = conf.getBoolean(
|
||||
YarnConfiguration.ENABLE_REST_APP_SUBMISSIONS,
|
||||
YarnConfiguration.DEFAULT_ENABLE_REST_APP_SUBMISSIONS);
|
||||
}
|
||||
|
||||
RMWebServices(ResourceManager rm, Configuration conf,
|
||||
|
@ -1716,6 +1720,10 @@ public class RMWebServices extends WebServices implements RMWebServiceProtocol {
|
|||
@Override
|
||||
public Response createNewApplication(@Context HttpServletRequest hsr)
|
||||
throws AuthorizationException, IOException, InterruptedException {
|
||||
if (!enableRestAppSubmissions) {
|
||||
String msg = "App submission via REST is disabled.";
|
||||
return Response.status(Status.FORBIDDEN).entity(msg).build();
|
||||
}
|
||||
UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true);
|
||||
initForWritableEndpoints(callerUGI, false);
|
||||
|
||||
|
@ -1736,6 +1744,10 @@ public class RMWebServices extends WebServices implements RMWebServiceProtocol {
|
|||
public Response submitApplication(ApplicationSubmissionContextInfo newApp,
|
||||
@Context HttpServletRequest hsr)
|
||||
throws AuthorizationException, IOException, InterruptedException {
|
||||
if (!enableRestAppSubmissions) {
|
||||
String msg = "App submission via REST is disabled.";
|
||||
return Response.status(Status.FORBIDDEN).entity(msg).build();
|
||||
}
|
||||
|
||||
UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true);
|
||||
initForWritableEndpoints(callerUGI, false);
|
||||
|
|
|
@ -43,6 +43,7 @@ import javax.servlet.http.HttpServletRequest;
|
|||
import javax.servlet.http.HttpServletResponse;
|
||||
import javax.ws.rs.core.HttpHeaders;
|
||||
import javax.ws.rs.core.MediaType;
|
||||
import javax.ws.rs.core.Response;
|
||||
import javax.xml.parsers.DocumentBuilder;
|
||||
import javax.xml.parsers.DocumentBuilderFactory;
|
||||
|
||||
|
@ -76,6 +77,7 @@ import org.apache.hadoop.yarn.server.resourcemanager.scheduler.ResourceScheduler
|
|||
import org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.CapacityScheduler;
|
||||
import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FairScheduler;
|
||||
import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fifo.FifoScheduler;
|
||||
import org.apache.hadoop.yarn.server.resourcemanager.webapp.dao.ApplicationSubmissionContextInfo;
|
||||
import org.apache.hadoop.yarn.server.resourcemanager.webapp.dao.AppsInfo;
|
||||
import org.apache.hadoop.yarn.server.resourcemanager.webapp.dao.ClusterUserInfo;
|
||||
import org.apache.hadoop.yarn.server.security.ApplicationACLsManager;
|
||||
|
@ -952,6 +954,24 @@ public class TestRMWebServices extends JerseyTestBase {
|
|||
"java.lang.Exception: \uFFFD", appsInfo.getApps().get(0).getNote());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testDisableRestAppSubmission() throws Exception {
|
||||
Configuration conf = new YarnConfiguration();
|
||||
conf.setBoolean(YarnConfiguration.ENABLE_REST_APP_SUBMISSIONS, false);
|
||||
RMWebServices webSvc = new RMWebServices(mock(ResourceManager.class), conf,
|
||||
mock(HttpServletResponse.class));
|
||||
HttpServletRequest request = mock(HttpServletRequest.class);
|
||||
|
||||
Response response = webSvc.createNewApplication(request);
|
||||
assertEquals(Status.FORBIDDEN.getStatusCode(), response.getStatus());
|
||||
assertEquals("App submission via REST is disabled.", response.getEntity());
|
||||
|
||||
response = webSvc.submitApplication(
|
||||
mock(ApplicationSubmissionContextInfo.class), request);
|
||||
assertEquals(Status.FORBIDDEN.getStatusCode(), response.getStatus());
|
||||
assertEquals("App submission via REST is disabled.", response.getEntity());
|
||||
}
|
||||
|
||||
public void verifyClusterUserInfo(ClusterUserInfo userInfo,
|
||||
String rmLoginUser, String requestedUser) {
|
||||
assertEquals("rmLoginUser doesn't match: ",
|
||||
|
|
Loading…
Reference in New Issue