diff --git hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java index e8d4b4c..2a9fb69 100644 --- hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java +++ hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java @@ -608,6 +608,8 @@ */ public static final String HADOOP_TOKEN_FILES = "hadoop.token.files"; + public static final String HADOOP_HTTP_AUTHENTICATION_SIMPLE_ANONYMOUS_ALLOWED = + "hadoop.http.authentication.simple.anonymous.allowed"; /** * @see diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/webapp/AppBlock.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/webapp/AppBlock.java index 11bd9b4..324ea53 100644 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/webapp/AppBlock.java +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/webapp/AppBlock.java @@ -30,6 +30,7 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.fs.CommonConfigurationKeys; import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.authentication.client.AuthenticationException; import org.apache.hadoop.security.http.RestCsrfPreventionFilter; @@ -70,6 +71,7 @@ protected ApplicationBaseProtocol appBaseProt; protected Configuration conf; protected ApplicationId appID = null; + private boolean unsecuredUIForSecuredCluster = false; @Inject protected AppBlock(ApplicationBaseProtocol appBaseProt, ViewContext ctx, @@ -77,6 +79,11 @@ protected AppBlock(ApplicationBaseProtocol appBaseProt, ViewContext ctx, super(ctx); this.appBaseProt = appBaseProt; this.conf = conf; + String auth = conf.get(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION); + // check if cluster is secured but UI allows for anonymous access + this.unsecuredUIForSecuredCluster = (auth != null) && auth.equals("kerberos") && + conf.getBoolean(CommonConfigurationKeys. + HADOOP_HTTP_AUTHENTICATION_SIMPLE_ANONYMOUS_ALLOWED, true); } @Override @@ -129,10 +136,13 @@ public ApplicationReport run() throws Exception { setTitle(join("Application ", aid)); + // YARN-6890. for secured cluster allow anonymous UI access, application kill + // shouldn't be there. if (webUiType != null && webUiType.equals(YarnWebParams.RM_WEB_UI) && conf.getBoolean(YarnConfiguration.RM_WEBAPP_UI_ACTIONS_ENABLED, - YarnConfiguration.DEFAULT_RM_WEBAPP_UI_ACTIONS_ENABLED)) { + YarnConfiguration.DEFAULT_RM_WEBAPP_UI_ACTIONS_ENABLED) + && !unsecuredUIForSecuredCluster) { // Application Kill html.div() .button()