diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java index 0d5f2cbacaf..72b43a084b4 100644 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java @@ -3331,6 +3331,10 @@ public static boolean areNodeLabelsEnabled( public static final String TIMELINE_XFS_OPTIONS = TIMELINE_XFS_PREFIX + "xframe-options"; + // YARN top configurations + public static final String YARN_TOP_ACL = YARN_PREFIX + "top.acl"; + public static final String DEFAULT_YARN_TOP_ACL = ""; + public YarnConfiguration() { super(); } diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/cli/TopCLI.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/cli/TopCLI.java index cf7b7471859..6107f7cd0fd 100644 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/cli/TopCLI.java +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/cli/TopCLI.java @@ -62,6 +62,7 @@ import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.authentication.client.AuthenticatedURL; import org.apache.hadoop.security.authentication.client.KerberosAuthenticator; +import org.apache.hadoop.security.authorize.AccessControlList; import org.apache.hadoop.security.ssl.SSLFactory; import org.apache.hadoop.util.Time; import org.apache.hadoop.util.ToolRunner; 
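Review bot: `DEFAULT_YARN_TOP_ACL = ""` in the YarnConfiguration.java hunk makes the default deny everyone, because an empty AccessControlList string matches no user or group; the new `testTopACL` confirms that a stock `YarnConfiguration` makes `run` return 1. This means `yarn top` stops working for all users after an upgrade until an operator sets the property, and the diff shows no matching documentation or default-config entry. If deny-by-default is intended, say so where the constant is declared, e.g. `// ACL for the yarn top CLI in AccessControlList format ("users groups", "*" = everyone); the empty default allows nobody.` Otherwise use `"*"` as the default to keep the previous behaviour.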
@@ -452,6 +453,16 @@ public static void main(String[] args) throws Exception { @Override public int run(String[] args) throws Exception { + AccessControlList acl = new AccessControlList(client.getConfig().get( + YarnConfiguration.YARN_TOP_ACL, YarnConfiguration + .DEFAULT_YARN_TOP_ACL)); + UserGroupInformation ugi = UserGroupInformation.getCurrentUser(); + if (!acl.isUserAllowed(ugi)) { + System.out.println(ugi.getShortUserName() + " is not allowed to invoke " + + "YARN top."); + return 1; + } + try { parseOptions(args); if (cliParser.hasOption("help")) { diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/test/java/org/apache/hadoop/yarn/client/cli/TestYarnCLI.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/test/java/org/apache/hadoop/yarn/client/cli/TestYarnCLI.java index 84cfb0ad222..9686999b07b 100644 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/test/java/org/apache/hadoop/yarn/client/cli/TestYarnCLI.java +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/test/java/org/apache/hadoop/yarn/client/cli/TestYarnCLI.java @@ -49,6 +49,7 @@ import org.apache.commons.cli.Options; import org.apache.commons.lang.time.DateFormatUtils; import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.yarn.api.protocolrecords.UpdateApplicationTimeoutsRequest; import org.apache.hadoop.yarn.api.protocolrecords.UpdateApplicationTimeoutsResponse; import org.apache.hadoop.yarn.api.records.ApplicationAttemptId; @@ -2021,6 +2022,13 @@ private QueueCLI createAndGetQueueCLI() { return cli; } + private TopCLI createAndGetTopCLI() throws Exception { + TopCLI cli = new TopCLI(); + cli.setClient(client); + cli.setSysOutPrintStream(sysOut); + return cli; + } + private String createApplicationCLIHelpMessage() throws IOException { ByteArrayOutputStream baos = new ByteArrayOutputStream(); PrintWriter pw = new PrintWriter(baos); 
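Review bot: The ACL check added at the top of `TopCLI.run` is evaluated entirely on the client: the ACL string comes from `client.getConfig()` and the identity from the local `UserGroupInformation.getCurrentUser()`. It therefore only restricts callers who run this binary against an administrator-controlled configuration, and is not an authorization boundary for the cluster data the tool displays. Access to that data has to be enforced by the ResourceManager on the requests the tool issues, and the code should state this, e.g. `// Advisory client-side gate only; server-side ACLs must protect the underlying data.` The check also sits before `parseOptions(args)`, so `-help` is refused for denied users as well. The body of `run` continues outside the hunk.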
@@ -2178,4 +2186,15 @@ public void testUpdateApplicationTimeout() throws Exception { verify(client) .updateApplicationTimeouts(any(UpdateApplicationTimeoutsRequest.class)); } + + @Test + public void testTopACL() throws Exception { + TopCLI cli = createAndGetTopCLI(); + when(client.getConfig()).thenReturn(new YarnConfiguration()); + int ret = cli.run(new String[0]); + assertEquals(1, ret); + String expectedError = UserGroupInformation.getCurrentUser() + .getShortUserName() + " is not allowed to invoke YARN top."; + assertEquals(expectedError, sysOutStream.toString().trim()); + } }
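Review bot: `testTopACL` covers only the deny path with the empty default ACL, so a regression that rejects every caller, or that ignores the configured value, would still pass. Add an allow case that sets the property explicitly, e.g. `conf.set(YarnConfiguration.YARN_TOP_ACL, "*");`, and asserts that the "is not allowed to invoke YARN top." message is not printed. Add a second deny case with a non-empty ACL that names a different user. The allow case can probably use `-help` to exit early without starting the display loop, but that part of `run` is not visible in this diff, so confirm it first.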