diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java index 37c81ec..d3c1f1a 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java @@ -278,7 +278,11 @@ private static void addDeprecatedKeys() { public static final String YARN_ACL_ENABLE = YARN_PREFIX + "acl.enable"; public static final boolean DEFAULT_YARN_ACL_ENABLE = false; - + + public static boolean isAclEnabled(Configuration conf) { + return conf.getBoolean(YARN_ACL_ENABLE, DEFAULT_YARN_ACL_ENABLE); + } + /** ACL of who can be admin of YARN cluster.*/ public static final String YARN_ADMIN_ACL = YARN_PREFIX + "admin.acl"; diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AccessRequest.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AccessRequest.java new file mode 100644 index 0000000..c4f65b8 --- /dev/null +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AccessRequest.java @@ -0,0 +1,71 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.yarn.security; + +import org.apache.hadoop.security.UserGroupInformation; +import org.apache.hadoop.yarn.api.records.ApplicationId; + +/** + * This request object contains all the context information to determine whether + * a user has permission to access the target entity. + * user : the user who's currently accessing + * accessType : the access type against the entity. + * entity : the target object user is accessing. + * appId : the associated app Id for current access. This could be null + * if no app is associated. + * appName : the associated app name for current access. This could be null if + * no app is associated. + */ +public class AccessRequest { + + private UserGroupInformation user; + private AccessType accessType; + private PrivilegedEntity entity; + private String appId; + private String appName; + + public AccessRequest(PrivilegedEntity entity, UserGroupInformation user, + AccessType accessType, String appId, String appName) { + this.entity = entity; + this.user = user; + this.accessType = accessType; + this.appId = appId; + this.appName = appName; + } + + public UserGroupInformation getUser() { + return user; + } + + public AccessType getAccessType() { + return accessType; + } + + public String getAppId() { + return appId; + } + + public String getAppName() { + return appName; + } + + public PrivilegedEntity getEntity() { + return entity; + } +} diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/ConfiguredYarnAuthorizer.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/ConfiguredYarnAuthorizer.java index 90ba77a..387dbd9 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/ConfiguredYarnAuthorizer.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/ConfiguredYarnAuthorizer.java @@ -18,6 +18,7 @@ package org.apache.hadoop.yarn.security; +import java.util.List; import java.util.Map; import java.util.concurrent.ConcurrentHashMap; import java.util.concurrent.ConcurrentMap; @@ -38,11 +39,10 @@ @Unstable public class ConfiguredYarnAuthorizer extends YarnAuthorizationProvider { - private final ConcurrentMap> allAcls = - new ConcurrentHashMap<>(); + private final ConcurrentMap> + allAcls = new ConcurrentHashMap<>(); private volatile AccessControlList adminAcl = null; - @Override public void init(Configuration conf) { adminAcl = @@ -51,13 +51,14 @@ public void init(Configuration conf) { } @Override - public void setPermission(PrivilegedEntity target, - Map acls, UserGroupInformation ugi) { - allAcls.put(target, acls); + public synchronized void setPermission(List permissions, + UserGroupInformation user) { + for (Permission perm : permissions) { + allAcls.put(perm.getTarget(), perm.getAcls()); + } } - @Override - public boolean checkPermission(AccessType accessType, + private boolean checkPermissionInternal(AccessType accessType, PrivilegedEntity target, UserGroupInformation user) { boolean ret = false; Map acls = allAcls.get(target); @@ -74,14 +75,21 @@ public boolean checkPermission(AccessType accessType, if (!queueName.contains(".")) { return ret; } - String parentQueueName = queueName.substring(0, queueName.lastIndexOf(".")); - return checkPermission(accessType, new PrivilegedEntity(target.getType(), - parentQueueName), user); + String parentQueueName = + queueName.substring(0, queueName.lastIndexOf(".")); + return checkPermissionInternal(accessType, + new PrivilegedEntity(target.getType(), parentQueueName), user); } return ret; } @Override + public synchronized boolean checkPermission(AccessRequest accessRequest) { + return checkPermissionInternal(accessRequest.getAccessType(), + accessRequest.getEntity(), accessRequest.getUser()); + } + + @Override public void setAdmins(AccessControlList acls, UserGroupInformation ugi) { adminAcl = acls; } diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/Permission.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/Permission.java new file mode 100644 index 0000000..82ca59b --- /dev/null +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/Permission.java @@ -0,0 +1,29 @@ +package org.apache.hadoop.yarn.security; + +import org.apache.hadoop.security.authorize.AccessControlList; + +import java.util.Map; + +/** + * This class contains permissions info for the target object. + */ +public class Permission { + + private PrivilegedEntity target; + private Map acls; + + public Permission(PrivilegedEntity target, + Map acls) { + this.target = target; + this.acls = acls; + } + + public Map getAcls() { + return acls; + } + + public PrivilegedEntity getTarget() { + return target; + } + +} diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/YarnAuthorizationProvider.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/YarnAuthorizationProvider.java index 7b2c35c..dd81ebd 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/YarnAuthorizationProvider.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/YarnAuthorizationProvider.java @@ -18,8 +18,6 @@ package org.apache.hadoop.yarn.security; -import java.util.Map; - import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.hadoop.classification.InterfaceAudience.Private; @@ -30,6 +28,8 @@ import org.apache.hadoop.util.ReflectionUtils; import org.apache.hadoop.yarn.conf.YarnConfiguration; +import java.util.List; + /** * An implementation of the interface will provide authorization related * information and enforce permission check. It is excepted that any of the @@ -69,30 +69,22 @@ public static YarnAuthorizationProvider getInstance(Configuration conf) { /** * Check if user has the permission to access the target object. * - * @param accessType - * The type of accessing method. - * @param target - * The target object being accessed, e.g. app/queue - * @param user - * User who access the target + * @param accessRequest + * the request object which contains all the access context info. * @return true if user can access the object, otherwise false. */ - public abstract boolean checkPermission(AccessType accessType, - PrivilegedEntity target, UserGroupInformation user); + + public abstract boolean checkPermission(AccessRequest accessRequest); /** - * Set ACLs for the target object. AccessControlList class encapsulate the - * users and groups who can access the target. + * Set permissions for the target object. * - * @param target - * The target object. - * @param acls - * A map from access method to a list of users and/or groups who has - * permission to do the access. + * @param permissions + * A list of permissions on the target object. * @param ugi User who sets the permissions. */ - public abstract void setPermission(PrivilegedEntity target, - Map acls, UserGroupInformation ugi); + public abstract void setPermission(List permissions, + UserGroupInformation ugi); /** * Set a list of users/groups who have admin access diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ClientRMService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ClientRMService.java index 4722e1c..8220991 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ClientRMService.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ClientRMService.java @@ -129,6 +129,10 @@ import org.apache.hadoop.yarn.factory.providers.RecordFactoryProvider; import org.apache.hadoop.yarn.ipc.RPCUtil; import org.apache.hadoop.yarn.ipc.YarnRPC; +import org.apache.hadoop.yarn.security.AccessRequest; +import org.apache.hadoop.yarn.security.PrivilegedEntity; +import org.apache.hadoop.yarn.security.PrivilegedEntity.EntityType; +import org.apache.hadoop.yarn.security.YarnAuthorizationProvider; import org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier; import org.apache.hadoop.yarn.server.resourcemanager.RMAuditLogger.AuditConstants; import org.apache.hadoop.yarn.server.resourcemanager.nodelabels.RMNodeLabelsManager; @@ -149,7 +153,9 @@ import org.apache.hadoop.yarn.server.resourcemanager.rmnode.RMNodeSignalContainerEvent; import org.apache.hadoop.yarn.server.resourcemanager.scheduler.SchedulerAppReport; import org.apache.hadoop.yarn.server.resourcemanager.scheduler.SchedulerNodeReport; +import org.apache.hadoop.yarn.server.resourcemanager.scheduler.SchedulerUtils; import org.apache.hadoop.yarn.server.resourcemanager.scheduler.YarnScheduler; +import org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.CapacityScheduler; import org.apache.hadoop.yarn.server.resourcemanager.security.QueueACLsManager; import org.apache.hadoop.yarn.server.resourcemanager.security.RMDelegationTokenSecretManager; import org.apache.hadoop.yarn.server.resourcemanager.security.authorize.RMPolicyProvider; @@ -187,6 +193,7 @@ private final ApplicationACLsManager applicationsACLsManager; private final QueueACLsManager queueACLsManager; + private YarnAuthorizationProvider authorizer; // For Reservation APIs private Clock clock; @@ -221,6 +228,7 @@ public ClientRMService(RMContext rmContext, YarnScheduler scheduler, this.reservationSystem = rmContext.getReservationSystem(); this.clock = clock; this.rValidator = new ReservationInputValidator(clock); + this.authorizer = YarnAuthorizationProvider.getInstance(getConfig()); } @Override @@ -292,12 +300,23 @@ public InetSocketAddress getBindAddress() { * @return */ private boolean checkAccess(UserGroupInformation callerUGI, String owner, - ApplicationAccessType operationPerformed, - RMApp application) { - return applicationsACLsManager.checkAccess(callerUGI, operationPerformed, - owner, application.getApplicationId()) - || queueACLsManager.checkAccess(callerUGI, QueueACL.ADMINISTER_QUEUE, - application.getQueue()); + ApplicationAccessType operationPerformed, RMApp application) { + if (!YarnConfiguration.isAclEnabled(getConfig())) { + return true; + } + if (applicationsACLsManager.checkAccess(callerUGI, operationPerformed, + owner, application.getApplicationId())) { + return true; + } + if (scheduler instanceof CapacityScheduler) { + return authorizer.checkPermission(new AccessRequest( + new PrivilegedEntity(EntityType.QUEUE, application.getQueue()), + callerUGI, SchedulerUtils.toAccessType(QueueACL.ADMINISTER_QUEUE), + application.getApplicationId().toString(), application.getName())); + } else { + return queueACLsManager.checkAccess(callerUGI, QueueACL.ADMINISTER_QUEUE, + application.getQueue()); + } } ApplicationId getNewApplicationId() { @@ -1376,6 +1395,7 @@ private void refreshScheduler(String planName, private String checkReservationACLs(String queueName, String auditConstant) throws YarnException { + UserGroupInformation callerUGI; try { callerUGI = UserGroupInformation.getCurrentUser(); diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/RMAppManager.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/RMAppManager.java index 4344914..c1ecd98 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/RMAppManager.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/RMAppManager.java @@ -41,6 +41,9 @@ import org.apache.hadoop.yarn.exceptions.InvalidResourceRequestException; import org.apache.hadoop.yarn.exceptions.YarnException; import org.apache.hadoop.yarn.ipc.RPCUtil; +import org.apache.hadoop.yarn.security.AccessRequest; +import org.apache.hadoop.yarn.security.PrivilegedEntity; +import org.apache.hadoop.yarn.security.YarnAuthorizationProvider; import org.apache.hadoop.yarn.server.resourcemanager.RMAuditLogger.AuditConstants; import org.apache.hadoop.yarn.server.resourcemanager.recovery.RMStateStore; import org.apache.hadoop.yarn.server.resourcemanager.recovery.RMStateStore.RMState; @@ -81,7 +84,8 @@ private final YarnScheduler scheduler; private final ApplicationACLsManager applicationACLsManager; private Configuration conf; - private boolean isAclEnabled = false; + private YarnAuthorizationProvider authorizer; + public RMAppManager(RMContext context, YarnScheduler scheduler, ApplicationMasterService masterService, ApplicationACLsManager applicationACLsManager, Configuration conf) { @@ -100,8 +104,7 @@ public RMAppManager(RMContext context, if (this.maxCompletedAppsInStateStore > this.maxCompletedAppsInMemory) { this.maxCompletedAppsInStateStore = this.maxCompletedAppsInMemory; } - this.isAclEnabled = conf.getBoolean(YarnConfiguration.YARN_ACL_ENABLE, - YarnConfiguration.DEFAULT_YARN_ACL_ENABLE); + this.authorizer = YarnAuthorizationProvider.getInstance(conf); } /** @@ -358,11 +361,20 @@ private RMAppImpl createAndPopulateNewRMApp( // fail here because queue will be created inside FS. Ideally, FS queue // mapping should be done outside scheduler too like CS. // For now, exclude FS for the acl check. - if (!isRecovery && isAclEnabled && scheduler instanceof CapacityScheduler && - !scheduler.checkAccess(userUgi, QueueACL.SUBMIT_APPLICATIONS, - submissionContext.getQueue()) && - !scheduler.checkAccess(userUgi, QueueACL.ADMINISTER_QUEUE, - submissionContext.getQueue())) { + if (!isRecovery && YarnConfiguration.isAclEnabled(conf) + && scheduler instanceof CapacityScheduler && + authorizer.checkPermission(new AccessRequest( + new PrivilegedEntity(PrivilegedEntity.EntityType.QUEUE, + submissionContext.getQueue()), userUgi, + SchedulerUtils.toAccessType(QueueACL.SUBMIT_APPLICATIONS), + submissionContext.getApplicationId().toString(), + submissionContext.getApplicationName())) && + authorizer.checkPermission(new AccessRequest( + new PrivilegedEntity(PrivilegedEntity.EntityType.QUEUE, + submissionContext.getQueue()), userUgi, + SchedulerUtils.toAccessType(QueueACL.ADMINISTER_QUEUE), + submissionContext.getApplicationId().toString(), + submissionContext.getApplicationName()))) { throw new AccessControlException( "User " + user + " does not have permission to submit " + applicationId + " to queue " + submissionContext.getQueue()); diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/AbstractCSQueue.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/AbstractCSQueue.java index acd7ae9..228cf70 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/AbstractCSQueue.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/AbstractCSQueue.java @@ -38,6 +38,7 @@ import org.apache.hadoop.yarn.conf.YarnConfiguration; import org.apache.hadoop.yarn.factories.RecordFactory; import org.apache.hadoop.yarn.factory.providers.RecordFactoryProvider; +import org.apache.hadoop.yarn.security.AccessRequest; import org.apache.hadoop.yarn.security.AccessType; import org.apache.hadoop.yarn.security.PrivilegedEntity; import org.apache.hadoop.yarn.security.PrivilegedEntity.EntityType; @@ -192,8 +193,9 @@ public synchronized void setParent(CSQueue newParentQueue) { @Override public boolean hasAccess(QueueACL acl, UserGroupInformation user) { - return authorizer.checkPermission(SchedulerUtils.toAccessType(acl), - queueEntity, user); + return authorizer.checkPermission( + new AccessRequest(queueEntity, user, SchedulerUtils.toAccessType(acl), + null, null)); } @Override diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java index c7b73fb..2959125 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java @@ -68,6 +68,7 @@ import org.apache.hadoop.yarn.exceptions.YarnException; import org.apache.hadoop.yarn.exceptions.YarnRuntimeException; import org.apache.hadoop.yarn.proto.YarnServiceProtos.SchedulerResourceTypes; +import org.apache.hadoop.yarn.security.Permission; import org.apache.hadoop.yarn.security.YarnAuthorizationProvider; import org.apache.hadoop.yarn.server.resourcemanager.RMContext; import org.apache.hadoop.yarn.server.resourcemanager.nodelabels.RMNodeLabelsManager; @@ -533,11 +534,13 @@ private void reinitializeQueues(CapacitySchedulerConfiguration conf) @VisibleForTesting public static void setQueueAcls(YarnAuthorizationProvider authorizer, Map queues) throws IOException { + List permissions = new ArrayList<>(); for (CSQueue queue : queues.values()) { AbstractCSQueue csQueue = (AbstractCSQueue) queue; - authorizer.setPermission(csQueue.getPrivilegedEntity(), - csQueue.getACLs(), UserGroupInformation.getCurrentUser()); + permissions.add( + new Permission(csQueue.getPrivilegedEntity(), csQueue.getACLs())); } + authorizer.setPermission(permissions, UserGroupInformation.getCurrentUser()); } private Map> getQueueToLabels() { diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java index e107537..ea6a9ba 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java @@ -110,6 +110,9 @@ import org.apache.hadoop.yarn.exceptions.YarnRuntimeException; import org.apache.hadoop.yarn.factories.RecordFactory; import org.apache.hadoop.yarn.factory.providers.RecordFactoryProvider; +import org.apache.hadoop.yarn.security.AccessRequest; +import org.apache.hadoop.yarn.security.PrivilegedEntity; +import org.apache.hadoop.yarn.security.YarnAuthorizationProvider; import org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier; import org.apache.hadoop.yarn.server.resourcemanager.RMAuditLogger; import org.apache.hadoop.yarn.server.resourcemanager.RMAuditLogger.AuditConstants; @@ -120,6 +123,7 @@ import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttempt; import org.apache.hadoop.yarn.server.resourcemanager.rmnode.RMNode; import org.apache.hadoop.yarn.server.resourcemanager.scheduler.ResourceScheduler; +import org.apache.hadoop.yarn.server.resourcemanager.scheduler.SchedulerUtils; import org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.CSQueue; import org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.CapacityScheduler; import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FairScheduler; @@ -195,6 +199,7 @@ .getRecordFactory(null); private final Configuration conf; private @Context HttpServletResponse response; + private YarnAuthorizationProvider authorizer; @VisibleForTesting boolean isCentralizedNodeLabelConfiguration = true; @@ -207,6 +212,7 @@ public RMWebServices(final ResourceManager rm, Configuration conf) { super(rm.getClientRMService()); this.rm = rm; this.conf = conf; + this.authorizer = YarnAuthorizationProvider.getInstance(conf); isCentralizedNodeLabelConfiguration = YarnConfiguration.isCentralizedNodeLabelConfiguration(conf); } @@ -218,17 +224,30 @@ public RMWebServices(final ResourceManager rm, Configuration conf) { } protected Boolean hasAccess(RMApp app, HttpServletRequest hsr) { + if (!YarnConfiguration.isAclEnabled(conf)) { + return true; + } // Check for the authorization. UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true); - if (callerUGI != null - && !(this.rm.getApplicationACLsManager().checkAccess(callerUGI, - ApplicationAccessType.VIEW_APP, app.getUser(), - app.getApplicationId()) || - this.rm.getQueueACLsManager().checkAccess(callerUGI, - QueueACL.ADMINISTER_QUEUE, app.getQueue()))) { - return false; - } - return true; + if (callerUGI == null) { + return true; + } + if (rm.getApplicationACLsManager() + .checkAccess(callerUGI, ApplicationAccessType.VIEW_APP, app.getUser(), + app.getApplicationId())) { + return true; + } + + if (rm.getResourceScheduler() instanceof CapacityScheduler) { + return authorizer.checkPermission(new AccessRequest( + new PrivilegedEntity(PrivilegedEntity.EntityType.QUEUE, + app.getQueue()), callerUGI, + SchedulerUtils.toAccessType(QueueACL.ADMINISTER_QUEUE), + app.getApplicationId().toString(), app.getName())); + } else { + return rm.getQueueACLsManager() + .checkAccess(callerUGI, QueueACL.ADMINISTER_QUEUE, app.getQueue()); + } } private void init() {