diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/records/QueueACL.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/records/QueueACL.java index 585faf8..5080970 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/records/QueueACL.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/records/QueueACL.java @@ -30,7 +30,12 @@ *
  • * {@link #SUBMIT_APPLICATIONS} - ACL to submit applications to the queue. *
  • - *
  • {@link #ADMINISTER_QUEUE} - ACL to administer the queue.
  • + *
  • + * {@link #ADMINISTER_QUEUE} - ACL to administer the queue. + *
  • + *
  • + * {@link #VIEW_APPLICATIONS} - ACL to view applications to the queue. + *
  • * * * @see QueueInfo @@ -43,9 +48,15 @@ * ACL to submit applications to the queue. */ SUBMIT_APPLICATIONS, + /** * ACL to administer the queue. */ ADMINISTER_QUEUE, -} \ No newline at end of file + + /** + * ACL to view applications to the queue. + */ + VIEW_APPLICATIONS +} diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/proto/yarn_protos.proto b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/proto/yarn_protos.proto index 81ebd79..6f8fa02 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/proto/yarn_protos.proto +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/proto/yarn_protos.proto @@ -482,6 +482,7 @@ message QueueConfigurationsMapProto { enum QueueACLProto { QACL_SUBMIT_APPLICATIONS = 1; QACL_ADMINISTER_QUEUE = 2; + QACL_VIEW_APPLICATIONS = 3; } message QueueUserACLInfoProto { diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AccessType.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AccessType.java index fb4484b..7e0e104 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AccessType.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AccessType.java @@ -29,7 +29,8 @@ public enum AccessType { // queue SUBMIT_APP, + VIEW_APP, ADMINISTER_QUEUE, // application APPLICATION_MAX_PRIORITY, -} \ No newline at end of file +} diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ClientRMService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ClientRMService.java index 8b28d65..9603674 100644 
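Review bot: In AccessType, `VIEW_APP` is inserted between `SUBMIT_APP` and `ADMINISTER_QUEUE`, which shifts the ordinal of every constant after it; if anything outside this diff stores or transmits the ordinal, appending the new constant after the existing queue entries would be the safer placement. Whether such a consumer exists is not visible here. Separately, any pluggable authorization provider that branches on AccessType will now receive a value it has never seen, so it is worth confirming that providers deny an unrecognised access type instead of falling through to allow. A short comment on the constant such as `// queue-level read access to the applications in the queue` would also document what it is meant to grant.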
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ClientRMService.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ClientRMService.java @@ -304,11 +304,18 @@ public InetSocketAddress getBindAddress() { */ private boolean checkAccess(UserGroupInformation callerUGI, String owner, ApplicationAccessType operationPerformed, RMApp application) { - return applicationsACLsManager + boolean canAccess = applicationsACLsManager .checkAccess(callerUGI, operationPerformed, owner, application.getApplicationId()) || queueACLsManager .checkAccess(callerUGI, QueueACL.ADMINISTER_QUEUE, application, Server.getRemoteAddress(), null); + if (!canAccess && operationPerformed + .equals(ApplicationAccessType.VIEW_APP)) { + canAccess = queueACLsManager + .checkAccess(callerUGI, QueueACL.VIEW_APPLICATIONS, application, + Server.getRemoteAddress(), null); + } + return canAccess; } ApplicationId getNewApplicationId() { diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerUtils.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerUtils.java index c67f1ce..519d546 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerUtils.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerUtils.java 
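Review bot: The queue-level fallback added to checkAccess can override a restrictive per-application view ACL, and the test added in this same commit asserts that the root queue's `VIEW_APPLICATIONS` ACL string is `*`. If queue ACLs are inherited from root (not visible in this diff), a cluster that had restricted `aclAdministerApps` and relied on application-level view ACLs would expose application reports to every user after upgrade until `aclViewApps` is set explicitly on root; that default deserves a closed value or at least a release note. The commit adds parsing tests only, so a test that a caller outside both the application ACL and the queue ACL is still refused VIEW_APP would pin the intended decision. Minor: the enum comparison is clearer and null-safe as `operationPerformed == ApplicationAccessType.VIEW_APP`.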
@@ -346,6 +346,8 @@ public static AccessType toAccessType(QueueACL acl) {
 return AccessType.ADMINISTER_QUEUE;
 case SUBMIT_APPLICATIONS:
 return AccessType.SUBMIT_APP;
+ case VIEW_APPLICATIONS:
+ return AccessType.VIEW_APP;
 }
 return null;
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/YarnScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/YarnScheduler.java
index 08e0603..1b5bf82 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/YarnScheduler.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/YarnScheduler.java
@@ -186,6 +186,8 @@ ApplicationResourceUsageReport getAppResourceUsageReport(
 * Check if the user has permission to perform the operation.
 * If the user has {@link QueueACL#ADMINISTER_QUEUE} permission,
 * this user can view/modify the applications in this queue
+ * If the user has {@link QueueACL#VIEW_APPLICATIONS} permission,
+ * this user can view the applications in this queue.
 * @param callerUGI
 * @param acl
 * @param queueName
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/AllocationFileLoaderService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/AllocationFileLoaderService.java
index bc204cb..dcf2810 100644
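Review bot: toAccessType still ends in `return null` for any QueueACL constant the switch does not list, so the next constant added to QueueACL will silently map to a null access type unless someone remembers this switch, as this commit had to. A `default: throw new IllegalArgumentException("Unmapped QueueACL " + acl);` would make such an omission fail loudly rather than hand null to an authorization check. Whether any caller depends on the null return is not visible here, and the function starts outside the hunk.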
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/AllocationFileLoaderService.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/AllocationFileLoaderService.java
@@ -542,6 +542,9 @@ private void loadQueue(String parentName, Element element,
 } else if ("aclSubmitApps".equals(field.getTagName())) {
 String text = ((Text)field.getFirstChild()).getData();
 acls.put(AccessType.SUBMIT_APP, new AccessControlList(text));
+ } else if ("aclViewApps".equals(field.getTagName())) {
+ String text = ((Text)field.getFirstChild()).getData();
+ acls.put(AccessType.VIEW_APP, new AccessControlList(text));
 } else if ("aclAdministerApps".equals(field.getTagName())) {
 String text = ((Text)field.getFirstChild()).getData();
 acls.put(AccessType.ADMINISTER_QUEUE, new AccessControlList(text));
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestAllocationFileLoaderService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestAllocationFileLoaderService.java
index c8b9ad8..d021674 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestAllocationFileLoaderService.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestAllocationFileLoaderService.java
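Review bot: The new `aclViewApps` branch in loadQueue casts `field.getFirstChild()` to `Text` unchecked, so an empty aclViewApps element (first child is null) or one whose first child is a comment node fails the load with a NullPointerException or ClassCastException instead of yielding an ACL. For an access-control setting the meaning of an empty element should be decided explicitly, for example `Node child = field.getFirstChild();` followed by `String text = (child instanceof Text) ? ((Text) child).getData() : " ";` if empty is meant to produce the same `" "` string the tests show for an unset ACL. The neighbouring `aclSubmitApps` and `aclAdministerApps` branches use the same pattern, and loadQueue continues outside this hunk.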
@@ -198,6 +198,10 @@ public void testAllocationFileParsing() throws Exception { out.println(" 0.7"); out.println(" "); out.println(""); + // Give queue I no minimum + out.println(""); + out.println("alice,bob admins"); + out.println(""); // Set default limit of apps per queue to 15 out.println("15"); // Set default limit of max resource per queue to 4G and 100 cores @@ -228,7 +232,8 @@ public void testAllocationFileParsing() throws Exception { allocLoader.reloadAllocations(); AllocationConfiguration queueConf = confHolder.allocConf; - assertEquals(6, queueConf.getConfiguredQueues().get(FSQueueType.LEAF).size()); + assertEquals(7, queueConf.getConfiguredQueues().get( + FSQueueType.LEAF).size()); assertEquals(Resources.createResource(0), queueConf.getMinResources("root." + YarnConfiguration.DEFAULT_QUEUE_NAME)); assertEquals(Resources.createResource(0), @@ -323,6 +328,13 @@ public void testAllocationFileParsing() throws Exception { assertEquals("alice,bob admins", queueConf.getQueueAcl("root.queueC", QueueACL.SUBMIT_APPLICATIONS).getAclString()); + // Queue I ACL + assertEquals("alice,bob admins", queueConf.getQueueAcl("root.queueI", + QueueACL.VIEW_APPLICATIONS).getAclString()); + + assertEquals("*", queueConf.getQueueAcl("root", + QueueACL.VIEW_APPLICATIONS).getAclString()); + assertEquals(120000, queueConf.getMinSharePreemptionTimeout("root")); assertEquals(-1, queueConf.getMinSharePreemptionTimeout("root." + YarnConfiguration.DEFAULT_QUEUE_NAME)); @@ -474,6 +486,8 @@ public void testBackwardsCompatibleAllocationFileParsing() throws Exception { QueueACL.ADMINISTER_QUEUE).getAclString()); assertEquals(" ", queueConf.getQueueAcl("root.queueA", QueueACL.SUBMIT_APPLICATIONS).getAclString()); + assertEquals(" ", queueConf.getQueueAcl("root.queueA", + QueueACL.VIEW_APPLICATIONS).getAclString()); // Queue B ACL assertEquals("alice,bob admins", queueConf.getQueueAcl("root.queueB",