diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/records/QueueACL.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/records/QueueACL.java index 585faf86d5..1b0156ae19 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/records/QueueACL.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/records/QueueACL.java @@ -30,6 +30,9 @@ *
  • * {@link #SUBMIT_APPLICATIONS} - ACL to submit applications to the queue. *
  • + *
  • + * {@link #VIEW_APPLICATIONS} - ACL to view applications to the queue. + *
  • *
  • {@link #ADMINISTER_QUEUE} - ACL to administer the queue.
  • * * @@ -45,6 +48,11 @@ SUBMIT_APPLICATIONS, /** + * ACL to view applications to the queue. + */ + VIEW_APPLICATIONS, + + /** * ACL to administer the queue. */ ADMINISTER_QUEUE, diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AccessType.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AccessType.java index 32459b9688..590ba994bb 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AccessType.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AccessType.java @@ -29,5 +29,6 @@ public enum AccessType { // queue SUBMIT_APP, + VIEW_APP, ADMINISTER_QUEUE, } \ No newline at end of file diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ClientRMService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ClientRMService.java index 19284c7ec9..01f3d0afdf 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ClientRMService.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ClientRMService.java 
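Review bot: VIEW_APPLICATIONS is inserted between SUBMIT_APPLICATIONS and ADMINISTER_QUEUE, which shifts ADMINISTER_QUEUE's ordinal; appending the new constant after ADMINISTER_QUEUE would keep existing ordinals stable for anything that stores or serializes them. QueueACL is a public API record, so if its values are converted by name to a wire-format enum, a matching value is needed there too; none is visible in this part of the diff, so please confirm. The Javadoc would read better as `ACL to view applications in the queue.`, both here and in the class-level list in the first hunk. The enum body continues outside the hunk.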
@@ -277,10 +277,19 @@ public InetSocketAddress getBindAddress() { private boolean checkAccess(UserGroupInformation callerUGI, String owner, ApplicationAccessType operationPerformed, RMApp application) { - return applicationsACLsManager.checkAccess(callerUGI, operationPerformed, - owner, application.getApplicationId()) - || queueACLsManager.checkAccess(callerUGI, QueueACL.ADMINISTER_QUEUE, + boolean canAccess = applicationsACLsManager.checkAccess( + callerUGI, operationPerformed, owner, + application.getApplicationId()) + || queueACLsManager.checkAccess( + callerUGI, QueueACL.ADMINISTER_QUEUE, application.getQueue()); + if (!canAccess && operationPerformed.equals( + ApplicationAccessType.VIEW_APP)) { + canAccess = queueACLsManager.checkAccess( + callerUGI, QueueACL.VIEW_APPLICATIONS, + application.getQueue()); + } + return canAccess; } ApplicationId getNewApplicationId() { diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerUtils.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerUtils.java index 071f293810..bd112f94a3 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerUtils.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerUtils.java @@ -419,6 +419,8 @@ public static AccessType toAccessType(QueueACL acl) { return AccessType.ADMINISTER_QUEUE; case SUBMIT_APPLICATIONS: return AccessType.SUBMIT_APP; + case VIEW_APPLICATIONS: + return AccessType.VIEW_APP; } return null; } 
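Review bot: The new fallback in checkAccess grants VIEW_APP through the queue's VIEW_APPLICATIONS ACL whenever the application ACL and ADMINISTER_QUEUE both deny, so the effective view policy now depends on what that ACL resolves to when nobody has configured it. The test later in this diff expects `"*"` for root's VIEW_APPLICATIONS with nothing set. If queue ACL evaluation also consults parent queues (not visible here), a cluster that had restricted aclSubmitApps and aclAdministerApps on root would expose application details to every user after upgrade, until aclViewApps is set as well. Consider resolving an unset VIEW_APPLICATIONS to the no-access ACL, or at least stating the default on the method, e.g. `// VIEW_APP also passes via the queue's VIEW_APPLICATIONS ACL; an unset root ACL resolves to "*"`. The enum test is also clearer and null-safe as `operationPerformed == ApplicationAccessType.VIEW_APP`.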
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/YarnScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/YarnScheduler.java index b99b2170d0..389f3d6be6 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/YarnScheduler.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/YarnScheduler.java @@ -181,7 +181,9 @@ ApplicationResourceUsageReport getAppResourceUsageReport( /** * Check if the user has permission to perform the operation. * If the user has {@link QueueACL#ADMINISTER_QUEUE} permission, - * this user can view/modify the applications in this queue + * this user can view/modify the applications in this queue. + * If the user has {@link QueueACL#VIEW_APPLICATIONS} permission, + * this user can view the applications in this queue. * @param callerUGI * @param acl * @param queueName diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/AllocationFileLoaderService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/AllocationFileLoaderService.java index 81bef5c4a3..53f23cf9bf 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/AllocationFileLoaderService.java 
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/AllocationFileLoaderService.java @@ -504,6 +504,9 @@ private void loadQueue(String parentName, Element element, } else if ("aclSubmitApps".equals(field.getTagName())) { String text = ((Text)field.getFirstChild()).getData(); acls.put(QueueACL.SUBMIT_APPLICATIONS, new AccessControlList(text)); + } else if ("aclViewApps".equals(field.getTagName())) { + String text = ((Text)field.getFirstChild()).getData(); + acls.put(QueueACL.VIEW_APPLICATIONS, new AccessControlList(text)); } else if ("aclAdministerApps".equals(field.getTagName())) { String text = ((Text) field.getFirstChild()).getData(); acls.put(QueueACL.ADMINISTER_QUEUE, new AccessControlList(text)); diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestAllocationFileLoaderService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestAllocationFileLoaderService.java index 3c166a5edc..b3525f9e13 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestAllocationFileLoaderService.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestAllocationFileLoaderService.java 
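Review bot: In the new `aclViewApps` branch, `field.getFirstChild()` is null for an empty element, so `((Text)field.getFirstChild()).getData()` throws a NullPointerException on an allocation file where an administrator left the ACL empty to mean "nobody". A guard keeps the load working and fails closed: `Node child = field.getFirstChild();` followed by `String text = child == null ? " " : ((Text) child).getData();`, where `" "` is the value the test in this diff expects for an unspecified queue ACL. The neighbouring `aclSubmitApps` and `aclAdministerApps` branches follow the same pattern and would need the same guard. loadQueue starts and ends outside this hunk.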
@@ -199,6 +199,11 @@ public void testAllocationFileParsing() throws Exception { out.println(" 0.7"); out.println(" "); out.println(""); + // Give queue I no minimum + out.println(""); + out.println("alice,bob admins"); + out.println(""); + // Set default limit of apps per queue to 15 out.println("15"); // Set default limit of apps per user to 5 @@ -265,12 +270,16 @@ public void testAllocationFileParsing() throws Exception { QueueACL.ADMINISTER_QUEUE).getAclString()); assertEquals("*", queueConf.getQueueAcl("root", QueueACL.SUBMIT_APPLICATIONS).getAclString()); + assertEquals("*", queueConf.getQueueAcl("root", + QueueACL.VIEW_APPLICATIONS).getAclString()); // Unspecified queues should get default ACL assertEquals(" ", queueConf.getQueueAcl("root.queueA", QueueACL.ADMINISTER_QUEUE).getAclString()); assertEquals(" ", queueConf.getQueueAcl("root.queueA", QueueACL.SUBMIT_APPLICATIONS).getAclString()); + assertEquals(" ", queueConf.getQueueAcl("root.queueA", + QueueACL.VIEW_APPLICATIONS).getAclString()); // Queue B ACL assertEquals("alice,bob admins", queueConf.getQueueAcl("root.queueB", @@ -279,6 +288,10 @@ public void testAllocationFileParsing() throws Exception { // Queue C ACL assertEquals("alice,bob admins", queueConf.getQueueAcl("root.queueC", QueueACL.SUBMIT_APPLICATIONS).getAclString()); + + // Queue I ACL + assertEquals("alice,bob admins", queueConf.getQueueAcl("root.queueI", + QueueACL.VIEW_APPLICATIONS).getAclString()); assertEquals(120000, queueConf.getMinSharePreemptionTimeout("root")); assertEquals(-1, queueConf.getMinSharePreemptionTimeout("root." +