diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
index 0d5f2cbacaf..6ebd05f3286 100644
--- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
+++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
@@ -3331,6 +3331,10 @@ public static boolean areNodeLabelsEnabled(
public static final String TIMELINE_XFS_OPTIONS =
TIMELINE_XFS_PREFIX + "xframe-options";
+ // YARN top configurations
+ public static final String YARN_TOP_ACL = YARN_PREFIX + "top.acl";
+ public static final String DEFAULT_YARN_TOP_ACL = "*";
+
public YarnConfiguration() {
super();
}
diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/cli/TopCLI.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/cli/TopCLI.java
index cf7b7471859..6107f7cd0fd 100644
--- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/cli/TopCLI.java
+++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/cli/TopCLI.java
@@ -62,6 +62,7 @@
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
import org.apache.hadoop.security.authentication.client.KerberosAuthenticator;
+import org.apache.hadoop.security.authorize.AccessControlList;
import org.apache.hadoop.security.ssl.SSLFactory;
import org.apache.hadoop.util.Time;
import org.apache.hadoop.util.ToolRunner;
@@ -452,6 +453,16 @@ public static void main(String[] args) throws Exception {
@Override
public int run(String[] args) throws Exception {
+ AccessControlList acl = new AccessControlList(client.getConfig().get(
+ YarnConfiguration.YARN_TOP_ACL, YarnConfiguration
+ .DEFAULT_YARN_TOP_ACL));
+ UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
+ if (!acl.isUserAllowed(ugi)) {
+ System.out.println(ugi.getShortUserName() + " is not allowed to invoke " +
+ "YARN top.");
+ return 1;
+ }
+
try {
parseOptions(args);
if (cliParser.hasOption("help")) {
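Review bot: The ACL check added at the top of `run` is evaluated entirely in the client process against `client.getConfig()`, so it is a convenience restriction rather than an access control: the caller supplies the configuration being consulted, and nothing in this patch shows the ResourceManager enforcing `yarn.top.acl` on the data the tool reads. If the intent is to keep some users from seeing cluster-wide application and queue metrics, the check belongs on the server side. Otherwise say so where the check lives, e.g. `// Advisory only: evaluated client-side from local config; the RM does not enforce yarn.top.acl.`, and state the same in the yarn-default.xml description added later in this diff. The check also runs before `parseOptions`, so a denied user cannot reach `-help`, and the denial is printed to `System.out` rather than `System.err`. `run` continues outside the hunk.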
diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/test/java/org/apache/hadoop/yarn/client/cli/TestYarnCLI.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/test/java/org/apache/hadoop/yarn/client/cli/TestYarnCLI.java
index 84cfb0ad222..7a60c3fd883 100644
--- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/test/java/org/apache/hadoop/yarn/client/cli/TestYarnCLI.java
+++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/test/java/org/apache/hadoop/yarn/client/cli/TestYarnCLI.java
@@ -49,6 +49,7 @@
import org.apache.commons.cli.Options;
import org.apache.commons.lang.time.DateFormatUtils;
import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.yarn.api.protocolrecords.UpdateApplicationTimeoutsRequest;
import org.apache.hadoop.yarn.api.protocolrecords.UpdateApplicationTimeoutsResponse;
import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
@@ -2021,6 +2022,13 @@ private QueueCLI createAndGetQueueCLI() {
return cli;
}
+ private TopCLI createAndGetTopCLI() throws Exception {
+ TopCLI cli = new TopCLI();
+ cli.setClient(client);
+ cli.setSysOutPrintStream(sysOut);
+ return cli;
+ }
+
private String createApplicationCLIHelpMessage() throws IOException {
ByteArrayOutputStream baos = new ByteArrayOutputStream();
PrintWriter pw = new PrintWriter(baos);
@@ -2178,4 +2186,17 @@ public void testUpdateApplicationTimeout() throws Exception {
verify(client)
.updateApplicationTimeouts(any(UpdateApplicationTimeoutsRequest.class));
}
+
+ @Test
+ public void testTopACL() throws Exception {
+ TopCLI cli = createAndGetTopCLI();
+ YarnConfiguration yarnConf = new YarnConfiguration();
+ yarnConf.set(YarnConfiguration.YARN_TOP_ACL, "");
+ when(client.getConfig()).thenReturn(yarnConf);
+ int ret = cli.run(new String[0]);
+ assertEquals(1, ret);
+ String expectedError = UserGroupInformation.getCurrentUser()
+ .getShortUserName() + " is not allowed to invoke YARN top.";
+ assertEquals(expectedError, sysOutStream.toString().trim());
+ }
}
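Review bot: `testTopACL` only covers the empty ACL, which denies everyone, so it never exercises a real user or group match in `AccessControlList`. Add a case where the ACL names a different user, e.g. `yarnConf.set(YarnConfiguration.YARN_TOP_ACL, "someOtherUser");` (a constructed name), and assert the same return code and message. A case for the default `*` would pin the allow path, if `run` can be stopped right after the check. The assertion reads `sysOutStream` while the new code prints with `System.out.println`, so the test passes only if the fixture redirects `System.out` somewhere outside this hunk, which is worth confirming.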
diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml
index 4e78947fb8e..a48a7807071 100644
--- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml
+++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml
@@ -3470,5 +3470,13 @@
auto
+
+
+ ACLs for YARN top. Users not in ACL are not allowed to invoke YARN top.
+ Everyone can invoke YARN top, as default.
+
+ yarn.top.acl
+ *
+