diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/records/QueueACL.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/records/QueueACL.java
index 585faf86d5..1b0156ae19 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/records/QueueACL.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/records/QueueACL.java
@@ -30,6 +30,9 @@
*
* {@link #SUBMIT_APPLICATIONS} - ACL to submit applications to the queue.
*
+ *
+ * {@link #VIEW_APPLICATIONS} - ACL to view applications to the queue.
+ *
* {@link #ADMINISTER_QUEUE} - ACL to administer the queue.
*
*
@@ -45,6 +48,11 @@
SUBMIT_APPLICATIONS,
/**
+ * ACL to view applications to the queue.
+ */
+ VIEW_APPLICATIONS,
+
+ /**
* ACL to administer the queue.
*/
ADMINISTER_QUEUE,
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AccessType.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AccessType.java
index 32459b9688..590ba994bb 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AccessType.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AccessType.java
@@ -29,5 +29,6 @@
public enum AccessType {
// queue
SUBMIT_APP,
+ VIEW_APP,
ADMINISTER_QUEUE,
}
\ No newline at end of file
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ClientRMService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ClientRMService.java
index 19284c7ec9..01f3d0afdf 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ClientRMService.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ClientRMService.java
@@ -277,10 +277,19 @@ public InetSocketAddress getBindAddress() {
private boolean checkAccess(UserGroupInformation callerUGI, String owner,
ApplicationAccessType operationPerformed,
RMApp application) {
- return applicationsACLsManager.checkAccess(callerUGI, operationPerformed,
- owner, application.getApplicationId())
- || queueACLsManager.checkAccess(callerUGI, QueueACL.ADMINISTER_QUEUE,
+ boolean canAccess = applicationsACLsManager.checkAccess(
+ callerUGI, operationPerformed, owner,
+ application.getApplicationId())
+ || queueACLsManager.checkAccess(
+ callerUGI, QueueACL.ADMINISTER_QUEUE,
application.getQueue());
+ if (!canAccess && operationPerformed.equals(
+ ApplicationAccessType.VIEW_APP)) {
+ canAccess = queueACLsManager.checkAccess(
+ callerUGI, QueueACL.VIEW_APPLICATIONS,
+ application.getQueue());
+ }
+ return canAccess;
}
ApplicationId getNewApplicationId() {
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerUtils.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerUtils.java
index 071f293810..bd112f94a3 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerUtils.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerUtils.java
@@ -419,6 +419,8 @@ public static AccessType toAccessType(QueueACL acl) {
return AccessType.ADMINISTER_QUEUE;
case SUBMIT_APPLICATIONS:
return AccessType.SUBMIT_APP;
+ case VIEW_APPLICATIONS:
+ return AccessType.VIEW_APP;
}
return null;
}
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/YarnScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/YarnScheduler.java
index b99b2170d0..389f3d6be6 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/YarnScheduler.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/YarnScheduler.java
@@ -181,7 +181,9 @@ ApplicationResourceUsageReport getAppResourceUsageReport(
/**
* Check if the user has permission to perform the operation.
* If the user has {@link QueueACL#ADMINISTER_QUEUE} permission,
- * this user can view/modify the applications in this queue
+ * this user can view/modify the applications in this queue.
+ * If the user has {@link QueueACL#VIEW_APPLICATIONS} permission,
+ * this user can view the applications in this queue.
* @param callerUGI
* @param acl
* @param queueName
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/AllocationFileLoaderService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/AllocationFileLoaderService.java
index 81bef5c4a3..53f23cf9bf 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/AllocationFileLoaderService.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/AllocationFileLoaderService.java
@@ -504,6 +504,9 @@ private void loadQueue(String parentName, Element element,
} else if ("aclSubmitApps".equals(field.getTagName())) {
String text = ((Text)field.getFirstChild()).getData();
acls.put(QueueACL.SUBMIT_APPLICATIONS, new AccessControlList(text));
+ } else if ("aclViewApps".equals(field.getTagName())) {
+ String text = ((Text)field.getFirstChild()).getData();
+ acls.put(QueueACL.VIEW_APPLICATIONS, new AccessControlList(text));
} else if ("aclAdministerApps".equals(field.getTagName())) {
String text = ((Text) field.getFirstChild()).getData();
acls.put(QueueACL.ADMINISTER_QUEUE, new AccessControlList(text));
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestAllocationFileLoaderService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestAllocationFileLoaderService.java
index 3c166a5edc..b3525f9e13 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestAllocationFileLoaderService.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestAllocationFileLoaderService.java
@@ -199,6 +199,11 @@ public void testAllocationFileParsing() throws Exception {
out.println(" 0.7");
out.println(" ");
out.println("");
+ // Give queue I no minimum
+ out.println("");
+ out.println("alice,bob admins");
+ out.println("");
+
// Set default limit of apps per queue to 15
out.println("15");
// Set default limit of apps per user to 5
@@ -265,12 +270,16 @@ public void testAllocationFileParsing() throws Exception {
QueueACL.ADMINISTER_QUEUE).getAclString());
assertEquals("*", queueConf.getQueueAcl("root",
QueueACL.SUBMIT_APPLICATIONS).getAclString());
+ assertEquals("*", queueConf.getQueueAcl("root",
+ QueueACL.VIEW_APPLICATIONS).getAclString());
// Unspecified queues should get default ACL
assertEquals(" ", queueConf.getQueueAcl("root.queueA",
QueueACL.ADMINISTER_QUEUE).getAclString());
assertEquals(" ", queueConf.getQueueAcl("root.queueA",
QueueACL.SUBMIT_APPLICATIONS).getAclString());
+ assertEquals(" ", queueConf.getQueueAcl("root.queueA",
+ QueueACL.VIEW_APPLICATIONS).getAclString());
// Queue B ACL
assertEquals("alice,bob admins", queueConf.getQueueAcl("root.queueB",
@@ -279,6 +288,10 @@ public void testAllocationFileParsing() throws Exception {
// Queue C ACL
assertEquals("alice,bob admins", queueConf.getQueueAcl("root.queueC",
QueueACL.SUBMIT_APPLICATIONS).getAclString());
+
+ // Queue I ACL
+ assertEquals("alice,bob admins", queueConf.getQueueAcl("root.queueI",
+ QueueACL.VIEW_APPLICATIONS).getAclString());
assertEquals(120000, queueConf.getMinSharePreemptionTimeout("root"));
assertEquals(-1, queueConf.getMinSharePreemptionTimeout("root." +