diff --git hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java index e8d4b4c..4fda2b8 100644 --- hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java +++ hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java @@ -608,6 +608,8 @@ */ public static final String HADOOP_TOKEN_FILES = "hadoop.token.files"; + public static final String HADOOP_HTTP_AUTHENTICATION_TYPE = + "hadoop.http.authentication.type"; /** * @see diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/webapp/AppBlock.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/webapp/AppBlock.java index d4090aa..846a381 100644 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/webapp/AppBlock.java +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/webapp/AppBlock.java @@ -30,6 +30,7 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.fs.CommonConfigurationKeys; import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.authentication.client.AuthenticationException; import org.apache.hadoop.security.http.RestCsrfPreventionFilter; @@ -70,6 +71,8 @@ protected ApplicationBaseProtocol appBaseProt; protected Configuration conf; protected ApplicationId appID = null; + private boolean unsecuredUIForSecuredCluster = false; + @Inject protected AppBlock(ApplicationBaseProtocol appBaseProt, ViewContext ctx, 
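Review bot: `HADOOP_HTTP_AUTHENTICATION_TYPE` is added to `CommonConfigurationKeysPublic` without the Javadoc its neighbours carry, so nothing at the declaration records which values the key takes or that a UI security decision now depends on it. I would put a comment above it such as `/** Authentication type of the HTTP web consoles ("simple", "kerberos" or a handler class name); the YARN web UI reads it to decide whether state-changing actions are offered. */`. The enclosing class starts and ends outside the hunk.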
@@ -77,6 +80,11 @@ protected AppBlock(ApplicationBaseProtocol appBaseProt, ViewContext ctx, super(ctx); this.appBaseProt = appBaseProt; this.conf = conf; + String auth = conf.get(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION); + // check if cluster is secured but UI is unsecured. + String httpAuth = conf.get(CommonConfigurationKeys.HADOOP_HTTP_AUTHENTICATION_TYPE); + this.unsecuredUIForSecuredCluster = (auth != null) && auth.equals("kerberos") && + (httpAuth != null) && httpAuth.equals("simple"); } @Override @@ -129,10 +137,13 @@ public ApplicationReport run() throws Exception { setTitle(join("Application ", aid)); + // YARN-6890. for secured cluster allow anonymous UI access, application kill + // shouldn't be there. if (webUiType != null && webUiType.equals(YarnWebParams.RM_WEB_UI) && conf.getBoolean(YarnConfiguration.RM_WEBAPP_UI_ACTIONS_ENABLED, - YarnConfiguration.DEFAULT_RM_WEBAPP_UI_ACTIONS_ENABLED)) { + YarnConfiguration.DEFAULT_RM_WEBAPP_UI_ACTIONS_ENABLED) + && !unsecuredUIForSecuredCluster) { // Application Kill html.div() .button()
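Review bot: The flag computed in the `AppBlock` constructor fails open, because `auth.equals("kerberos")` and `httpAuth.equals("simple")` are exact, case-sensitive matches. Any other spelling of either value, such as `Kerberos` or a value with trailing whitespace, leaves `unsecuredUIForSecuredCluster` false and the kill button visible. As far as I know Hadoop's own security check normalises case, so the two can disagree. A null-safe, case-insensitive form is `this.unsecuredUIForSecuredCluster = "kerberos".equalsIgnoreCase(auth) && "simple".equalsIgnoreCase(httpAuth);`. Whether an unset `hadoop.http.authentication.type` should also count as simple depends on the filter's default, which is not visible in this diff and should be confirmed.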
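Review bot: The added `&& !unsecuredUIForSecuredCluster` only stops the kill button from being rendered; nothing in this hunk changes who is allowed to perform the kill. The protection therefore holds only if the server-side handler behind the button authorises the caller itself, which is outside this diff and should be confirmed. The comment should say so, e.g. `// YARN-6890: on a Kerberos cluster whose UI uses simple HTTP auth, do not render the kill button (UI hiding only; the kill request must still be authorized server-side).` A rendering test that asserts the button is absent under kerberos+simple and present otherwise would pin the behaviour. The enclosing method starts and ends outside the hunk.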