From b2a82936833a155d85e1c0b17a6e1ff78fd98c8b Mon Sep 17 00:00:00 2001 From: Sunil G Date: Thu, 10 May 2018 21:20:41 +0530 Subject: [PATCH] YARN-8249 --- .../resourcemanager/webapp/RMWebServices.java | 266 +++++++-------------- .../resourcemanager/webapp/TestRMWebServices.java | 2 +- ...TestRMWebServicesHttpStaticUserPermissions.java | 14 +- 3 files changed, 96 insertions(+), 186 deletions(-) diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java index 0564b6776ed..f32c02a1344 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java 
@@ -272,11 +272,44 @@ protected Boolean hasAccess(RMApp app, HttpServletRequest hsr) {
 return true;
 }
 
- private void init() {
+ private void initForReadableEndpoints() {
 // clear content type
 response.setContentType(null);
 }
 
+ /**
+ * initForWritableEndpoints does the init and acls verification for all
+ * writable REST end points.
+ * @param callerUGI remote caller who initiated the request
+ * @param doAclsCheck boolean flag to indicate whether ACLs check is needed
+ * @throws AuthorizationException in case of no access to perfom this op.
+ */
+ private void initForWritableEndpoints(UserGroupInformation callerUGI,
+ boolean doAclsCheck) throws AuthorizationException {
+ // clear content type
+ response.setContentType(null);
+
+ if (callerUGI == null) {
+ String msg = "Unable to obtain user name, user not authenticated";
+ throw new AuthorizationException(msg);
+ }
+
+ if (UserGroupInformation.isSecurityEnabled() && isStaticUser(callerUGI)) {
+ String msg = "The default static user cannot carry out this operation.";
+ throw new ForbiddenException(msg);
+ }
+
+ if (doAclsCheck) {
+ ApplicationACLsManager aclsManager = rm.getApplicationACLsManager();
+ if (aclsManager.areACLsEnabled()) {
+ if (!aclsManager.isAdmin(callerUGI)) {
+ String msg = "Only admins can carry out this operation.";
+ throw new ForbiddenException(msg);
+ }
+ }
+ }
+ }
+
 @GET
 @Produces({ MediaType.APPLICATION_JSON + "; " + JettyUtils.UTF_8,
 MediaType.APPLICATION_XML + "; " + JettyUtils.UTF_8 })
@@ -291,7 +324,7 @@ public ClusterInfo get() {
 MediaType.APPLICATION_XML + "; " + JettyUtils.UTF_8 })
 @Override
 public ClusterInfo getClusterInfo() {
- init();
+ initForReadableEndpoints();
 return new ClusterInfo(this.rm);
 }
 
@@ -301,7 +334,7 @@ public ClusterInfo getClusterInfo() {
 MediaType.APPLICATION_XML + "; " + JettyUtils.UTF_8 })
 @Override
 public ClusterMetricsInfo getClusterMetricsInfo() {
- init();
+ initForReadableEndpoints();
 return new ClusterMetricsInfo(this.rm);
 }
 
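Review bot: The Javadoc on initForWritableEndpoints declares only `@throws AuthorizationException`, but the method also throws `ForbiddenException` on the static-user path and on the admin-ACL path, and "perfom" is misspelled; add `@throws ForbiddenException if the caller is the default static user (secure mode) or, when doAclsCheck is set and ACLs are enabled, is not an admin`. It is also worth stating in the Javadoc that the admin check is skipped entirely when `aclsManager.areACLsEnabled()` is false, so `doAclsCheck = true` alone does not require an admin caller. Note that the callers being migrated previously returned `Response.status(Status.FORBIDDEN).entity(msg).build()` for the static-user case; throwing ForbiddenException instead hands the 403 to the exception mapper, so the response body for that case changes format for clients (presumably the RemoteException form rather than the bare message) and deserves a sentence in the commit description.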
@@ -311,7 +344,7 @@ public ClusterMetricsInfo getClusterMetricsInfo() { MediaType.APPLICATION_XML + "; " + JettyUtils.UTF_8 }) @Override public SchedulerTypeInfo getSchedulerInfo() { - init(); + initForReadableEndpoints(); ResourceScheduler rs = rm.getResourceScheduler(); SchedulerInfo sinfo; if (rs instanceof CapacityScheduler) { @@ -336,15 +369,8 @@ public SchedulerTypeInfo getSchedulerInfo() { @Override public String dumpSchedulerLogs(@FormParam(RMWSConsts.TIME) String time, @Context HttpServletRequest hsr) throws IOException { - init(); UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true); - ApplicationACLsManager aclsManager = rm.getApplicationACLsManager(); - if (aclsManager.areACLsEnabled()) { - if (callerUGI == null || !aclsManager.isAdmin(callerUGI)) { - String msg = "Only admins can carry out this operation."; - throw new ForbiddenException(msg); - } - } + initForWritableEndpoints(callerUGI, true); ResourceScheduler rs = rm.getResourceScheduler(); int period = Integer.parseInt(time); if (period <= 0) { @@ -370,7 +396,7 @@ public String dumpSchedulerLogs(@FormParam(RMWSConsts.TIME) String time, MediaType.APPLICATION_XML + "; " + JettyUtils.UTF_8 }) @Override public NodesInfo getNodes(@QueryParam(RMWSConsts.STATES) String states) { - init(); + initForReadableEndpoints(); ResourceScheduler sched = this.rm.getResourceScheduler(); if (sched == null) { throw new NotFoundException("Null ResourceScheduler instance"); @@ -409,7 +435,7 @@ public NodesInfo getNodes(@QueryParam(RMWSConsts.STATES) String states) { MediaType.APPLICATION_XML + "; " + JettyUtils.UTF_8 }) @Override public NodeInfo getNode(@PathParam(RMWSConsts.NODEID) String nodeId) { - init(); + initForReadableEndpoints(); if (nodeId == null || nodeId.isEmpty()) { throw new NotFoundException("nodeId, " + nodeId + ", is empty or null"); } 
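Review bot: dumpSchedulerLogs now rejects an unauthenticated caller (callerUGI == null) with AuthorizationException before any ACL check, whereas the removed code rejected it only when ACLs were enabled, so with ACLs disabled an anonymous request used to succeed. That is a reasonable tightening, but it is a client-visible behaviour change that the commit message does not mention, and the same applies to updateSchedulerConfiguration in the hunk at -2480. Suggest a one-line comment at the call site, `// an authenticated caller is required even when ACLs are disabled`, plus a sentence in the commit description. The body of dumpSchedulerLogs continues outside the hunk.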
@@ -467,7 +493,7 @@ public AppsInfo getApps(@Context HttpServletRequest hsr, long fBegin = 0; long fEnd = Long.MAX_VALUE; - init(); + initForReadableEndpoints(); if (count != null && !count.isEmpty()) { checkCount = true; countNum = Long.parseLong(count); @@ -760,7 +786,7 @@ public ApplicationStatisticsInfo getAppStatistics( @Context HttpServletRequest hsr, @QueryParam(RMWSConsts.STATES) Set stateQueries, @QueryParam(RMWSConsts.APPLICATION_TYPES) Set typeQueries) { - init(); + initForReadableEndpoints(); // parse the params and build the scoreboard // converting state/type name to lowercase @@ -847,7 +873,7 @@ private static void countApp( public AppInfo getApp(@Context HttpServletRequest hsr, @PathParam(RMWSConsts.APPID) String appId, @QueryParam(RMWSConsts.DESELECTS) Set unselectedFields) { - init(); + initForReadableEndpoints(); ApplicationId id = WebAppUtils.parseApplicationId(recordFactory, appId); RMApp app = rm.getRMContext().getRMApps().get(id); if (app == null) { @@ -869,7 +895,7 @@ public AppInfo getApp(@Context HttpServletRequest hsr, public AppAttemptsInfo getAppAttempts(@Context HttpServletRequest hsr, @PathParam(RMWSConsts.APPID) String appId) { - init(); + initForReadableEndpoints(); ApplicationId id = WebAppUtils.parseApplicationId(recordFactory, appId); RMApp app = rm.getRMContext().getRMApps().get(id); if (app == null) { @@ -933,7 +959,7 @@ public ContainerInfo getContainer(@Context HttpServletRequest req, @Override public AppState getAppState(@Context HttpServletRequest hsr, @PathParam(RMWSConsts.APPID) String appId) throws AuthorizationException { - init(); + initForReadableEndpoints(); UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true); String userName = ""; if (callerUGI != null) { 
@@ -969,18 +995,8 @@ public Response updateAppState(AppState targetState, @Context HttpServletRequest hsr, @PathParam(RMWSConsts.APPID) String appId) throws AuthorizationException, YarnException, InterruptedException, IOException { - - init(); UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true); - if (callerUGI == null) { - String msg = "Unable to obtain user name, user not authenticated"; - throw new AuthorizationException(msg); - } - - if (UserGroupInformation.isSecurityEnabled() && isStaticUser(callerUGI)) { - String msg = "The default static user cannot carry out this operation."; - return Response.status(Status.FORBIDDEN).entity(msg).build(); - } + initForWritableEndpoints(callerUGI, false); String userName = callerUGI.getUserName(); RMApp app = null; @@ -1019,7 +1035,7 @@ public Response updateAppState(AppState targetState, @Override public NodeToLabelsInfo getNodeToLabels(@Context HttpServletRequest hsr) throws IOException { - init(); + initForReadableEndpoints(); NodeToLabelsInfo ntl = new NodeToLabelsInfo(); HashMap ntlMap = ntl.getNodeToLabels(); @@ -1041,7 +1057,7 @@ public NodeToLabelsInfo getNodeToLabels(@Context HttpServletRequest hsr) @Override public LabelsToNodesInfo getLabelsToNodes( @QueryParam(RMWSConsts.LABELS) Set labels) throws IOException { - init(); + initForReadableEndpoints(); LabelsToNodesInfo lts = new LabelsToNodesInfo(); Map ltsMap = lts.getLabelsToNodes(); @@ -1073,6 +1089,9 @@ public LabelsToNodesInfo getLabelsToNodes( public Response replaceLabelsOnNodes( final NodeToLabelsEntryList newNodeToLabels, @Context HttpServletRequest hsr) throws IOException { + UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true); + initForWritableEndpoints(callerUGI, false); + Map> nodeIdToLabels = new HashMap>(); 
@@ -1094,6 +1113,9 @@ public Response replaceLabelsOnNode( @QueryParam("labels") Set newNodeLabelsName, @Context HttpServletRequest hsr, @PathParam("nodeId") String nodeId) throws Exception { + UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true); + initForWritableEndpoints(callerUGI, false); + NodeId nid = ConverterUtils.toNodeIdWithDefaultPort(nodeId); Map> newLabelsForNode = new HashMap>(); @@ -1106,7 +1128,6 @@ public Response replaceLabelsOnNode( private Response replaceLabelsOnNode( Map> newLabelsForNode, HttpServletRequest hsr, String operation) throws IOException { - init(); NodeLabelsUtils.verifyCentralizedNodeLabelConfEnabled("replaceLabelsOnNode", isCentralizedNodeLabelConfiguration); @@ -1140,7 +1161,7 @@ private Response replaceLabelsOnNode( @Override public NodeLabelsInfo getClusterNodeLabels(@Context HttpServletRequest hsr) throws IOException { - init(); + initForReadableEndpoints(); List nodeLabels = rm.getRMContext().getNodeLabelManager().getClusterNodeLabels(); @@ -1156,14 +1177,9 @@ public NodeLabelsInfo getClusterNodeLabels(@Context HttpServletRequest hsr) @Override public Response addToClusterNodeLabels(final NodeLabelsInfo newNodeLabels, @Context HttpServletRequest hsr) throws Exception { - init(); - UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true); - if (callerUGI == null) { - String msg = "Unable to obtain user name, user not authenticated for" - + " post to .../add-node-labels"; - throw new AuthorizationException(msg); - } + initForWritableEndpoints(callerUGI, false); + if (!rm.getRMContext().getNodeLabelManager().checkAccess(callerUGI)) { String msg = "User " + callerUGI.getShortUserName() + " not authorized" + " for post to .../add-node-labels "; 
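Review bot: The private `replaceLabelsOnNode(Map, HttpServletRequest, String)` loses its `init()` call in the hunk at -1106, so the content-type reset and the authentication check now happen only in its two public callers (replaceLabelsOnNodes and replaceLabelsOnNode), both of which call `initForWritableEndpoints(callerUGI, false)` before delegating. Any future direct caller of the private overload would silently skip both, so add a comment on it such as `// callers must run initForWritableEndpoints(...) first; this helper performs no auth`; the label-level authorization presumably still happens inside the helper, but that part lies outside the hunk and should be confirmed.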
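Review bot: In addToClusterNodeLabels the removed null-UGI message identified the endpoint (`... not authenticated for post to .../add-node-labels`), while the shared initForWritableEndpoints now reports the generic `Unable to obtain user name, user not authenticated`; the same context is lost in removeFromCluserNodeLabels in the next hunk. Operators correlating rejected requests in the logs lose the endpoint name; if that matters, pass an operation name into the helper (as the private replaceLabelsOnNode already does with its `operation` parameter) or log the endpoint at the call site before delegating.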
@@ -1189,14 +1205,9 @@ public Response addToClusterNodeLabels(final NodeLabelsInfo newNodeLabels, public Response removeFromCluserNodeLabels( @QueryParam(RMWSConsts.LABELS) Set oldNodeLabels, @Context HttpServletRequest hsr) throws Exception { - init(); - UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true); - if (callerUGI == null) { - String msg = "Unable to obtain user name, user not authenticated for" - + " post to .../remove-node-labels"; - throw new AuthorizationException(msg); - } + initForWritableEndpoints(callerUGI, false); + if (!rm.getRMContext().getNodeLabelManager().checkAccess(callerUGI)) { String msg = "User " + callerUGI.getShortUserName() + " not authorized" + " for post to .../remove-node-labels "; @@ -1220,7 +1231,7 @@ public Response removeFromCluserNodeLabels( @Override public NodeLabelsInfo getLabelsOnNode(@Context HttpServletRequest hsr, @PathParam(RMWSConsts.NODEID) String nodeId) throws IOException { - init(); + initForReadableEndpoints(); NodeId nid = ConverterUtils.toNodeIdWithDefaultPort(nodeId); List labels = new ArrayList( @@ -1290,7 +1301,7 @@ public KillApplicationResponse run() @Override public AppPriority getAppPriority(@Context HttpServletRequest hsr, @PathParam(RMWSConsts.APPID) String appId) throws AuthorizationException { - init(); + initForReadableEndpoints(); UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true); String userName = "UNKNOWN-USER"; if (callerUGI != null) { 
@@ -1322,22 +1333,12 @@ public Response updateApplicationPriority(AppPriority targetPriority, @Context HttpServletRequest hsr, @PathParam(RMWSConsts.APPID) String appId) throws AuthorizationException, YarnException, InterruptedException, IOException { - init(); if (targetPriority == null) { throw new YarnException("Target Priority cannot be null"); } UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true); - if (callerUGI == null) { - throw new AuthorizationException( - "Unable to obtain user name, user not authenticated"); - } - - if (UserGroupInformation.isSecurityEnabled() && isStaticUser(callerUGI)) { - return Response.status(Status.FORBIDDEN) - .entity("The default static user cannot carry out this operation.") - .build(); - } + initForWritableEndpoints(callerUGI, false); String userName = callerUGI.getUserName(); RMApp app = null; @@ -1407,7 +1408,7 @@ public Void run() throws IOException, YarnException { @Override public AppQueue getAppQueue(@Context HttpServletRequest hsr, @PathParam(RMWSConsts.APPID) String appId) throws AuthorizationException { - init(); + initForReadableEndpoints(); UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true); String userName = "UNKNOWN-USER"; if (callerUGI != null) { 
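Review bot: In updateApplicationPriority the `targetPriority == null` check still runs before `initForWritableEndpoints(callerUGI, false)`, so an unauthenticated or static-user request with an empty body is answered with the YarnException about the missing priority instead of the authentication/authorization error, and `response.setContentType(null)` is skipped on that path. Every other writable endpoint in this patch performs the auth check first; for consistency move `UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true);` and `initForWritableEndpoints(callerUGI, false);` above the null check. The method body continues outside the hunk.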
@@ -1440,17 +1441,8 @@ public Response updateAppQueue(AppQueue targetQueue, @PathParam(RMWSConsts.APPID) String appId) throws AuthorizationException, YarnException, InterruptedException, IOException { - init(); UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true); - if (callerUGI == null) { - String msg = "Unable to obtain user name, user not authenticated"; - throw new AuthorizationException(msg); - } - - if (UserGroupInformation.isSecurityEnabled() && isStaticUser(callerUGI)) { - String msg = "The default static user cannot carry out this operation."; - return Response.status(Status.FORBIDDEN).entity(msg).build(); - } + initForWritableEndpoints(callerUGI, false); String userName = callerUGI.getUserName(); RMApp app = null; @@ -1561,16 +1553,8 @@ private boolean isStaticUser(UserGroupInformation callerUGI) { @Override public Response createNewApplication(@Context HttpServletRequest hsr) throws AuthorizationException, IOException, InterruptedException { - init(); UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true); - if (callerUGI == null) { - throw new AuthorizationException( - "Unable to obtain user name, " + "user not authenticated"); - } - if (UserGroupInformation.isSecurityEnabled() && isStaticUser(callerUGI)) { - String msg = "The default static user cannot carry out this operation."; - return Response.status(Status.FORBIDDEN).entity(msg).build(); - } + initForWritableEndpoints(callerUGI, false); NewApplication appId = createNewApplication(); return Response.status(Status.OK).entity(appId).build(); 
@@ -1590,17 +1574,8 @@ public Response submitApplication(ApplicationSubmissionContextInfo newApp, @Context HttpServletRequest hsr) throws AuthorizationException, IOException, InterruptedException { - init(); UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true); - if (callerUGI == null) { - throw new AuthorizationException( - "Unable to obtain user name, " + "user not authenticated"); - } - - if (UserGroupInformation.isSecurityEnabled() && isStaticUser(callerUGI)) { - String msg = "The default static user cannot carry out this operation."; - return Response.status(Status.FORBIDDEN).entity(msg).build(); - } + initForWritableEndpoints(callerUGI, false); ApplicationSubmissionContext appContext = RMWebAppUtil.createAppSubmissionContext(newApp, conf); @@ -1654,14 +1629,9 @@ private NewApplication createNewApplication() { return appId; } - private UserGroupInformation createKerberosUserGroupInformation( - HttpServletRequest hsr) throws AuthorizationException, YarnException { - - UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true); - if (callerUGI == null) { - String msg = "Unable to obtain user name, user not authenticated"; - throw new AuthorizationException(msg); - } + private void createKerberosUserGroupInformation(HttpServletRequest hsr, + UserGroupInformation callerUGI) + throws AuthorizationException, YarnException { String authType = hsr.getAuthType(); if (!KerberosAuthenticationHandler.TYPE.equalsIgnoreCase(authType)) { 
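Review bot: After this change createKerberosUserGroupInformation neither creates nor returns a UGI, and as far as the visible lines here and in the next hunk show, the new `callerUGI` parameter is never read inside it, since the `setAuthenticationMethod` call and the `return` were removed. Either drop the parameter, or rename the method to reflect what it now does (e.g. `verifyKerberosAuthentication`) and add a Javadoc stating that it throws YarnException when the request was not Kerberos-authenticated or was authenticated via a delegation token. The method body continues into the next hunk.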
@@ -1672,14 +1642,10 @@ private UserGroupInformation createKerberosUserGroupInformation( } if (hsr.getAttribute( DelegationTokenAuthenticationHandler.DELEGATION_TOKEN_UGI_ATTRIBUTE) != null) { - String msg = - "Delegation token operations cannot be carried out using delegation" - + " token authentication."; + String msg = "Delegation token operations cannot be carried out using delegation" + + " token authentication."; throw new YarnException(msg); } - - callerUGI.setAuthenticationMethod(AuthenticationMethod.KERBEROS); - return callerUGI; } @POST @@ -1692,10 +1658,11 @@ public Response postDelegationToken(DelegationToken tokenData, @Context HttpServletRequest hsr) throws AuthorizationException, IOException, InterruptedException, Exception { - init(); - UserGroupInformation callerUGI; + UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true); + initForWritableEndpoints(callerUGI, false); try { - callerUGI = createKerberosUserGroupInformation(hsr); + createKerberosUserGroupInformation(hsr, callerUGI); + callerUGI.setAuthenticationMethod(AuthenticationMethod.KERBEROS); } catch (YarnException ye) { return Response.status(Status.FORBIDDEN).entity(ye.getMessage()).build(); } @@ -1712,10 +1679,11 @@ public Response postDelegationTokenExpiration(@Context HttpServletRequest hsr) throws AuthorizationException, IOException, InterruptedException, Exception { - init(); - UserGroupInformation callerUGI; + UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true); + initForWritableEndpoints(callerUGI, false); try { - callerUGI = createKerberosUserGroupInformation(hsr); + createKerberosUserGroupInformation(hsr, callerUGI); + callerUGI.setAuthenticationMethod(AuthenticationMethod.KERBEROS); } catch (YarnException ye) { return Response.status(Status.FORBIDDEN).entity(ye.getMessage()).build(); } 
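Review bot: The rewrapped `String msg = "Delegation token operations cannot be carried out using delegation"` line exceeds the 80-column width the rest of this file keeps to; the removed three-line wrapping was compliant and should be restored. Separately, `callerUGI.setAuthenticationMethod(AuthenticationMethod.KERBEROS);` is now duplicated after the validation call in postDelegationToken, postDelegationTokenExpiration and, in the next hunk, cancelDelegationToken; since the helper already receives callerUGI, keeping that single line at the end of the helper would avoid three copies and the risk that a future delegation-token endpoint forgets it.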
@@ -1827,10 +1795,11 @@ public Response cancelDelegationToken(@Context HttpServletRequest hsr) throws AuthorizationException, IOException, InterruptedException, Exception { - init(); - UserGroupInformation callerUGI; + UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true); + initForWritableEndpoints(callerUGI, false); try { - callerUGI = createKerberosUserGroupInformation(hsr); + createKerberosUserGroupInformation(hsr, callerUGI); + callerUGI.setAuthenticationMethod(AuthenticationMethod.KERBEROS); } catch (YarnException ye) { return Response.status(Status.FORBIDDEN).entity(ye.getMessage()).build(); } @@ -1904,16 +1873,8 @@ public CancelDelegationTokenResponse run() @Override public Response createNewReservation(@Context HttpServletRequest hsr) throws AuthorizationException, IOException, InterruptedException { - init(); UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true); - if (callerUGI == null) { - throw new AuthorizationException( - "Unable to obtain user name, " + "user not authenticated"); - } - if (UserGroupInformation.isSecurityEnabled() && isStaticUser(callerUGI)) { - String msg = "The default static user cannot carry out this operation."; - return Response.status(Status.FORBIDDEN).entity(msg).build(); - } + initForWritableEndpoints(callerUGI, false); NewReservation reservationId = createNewReservation(); return Response.status(Status.OK).entity(reservationId).build(); 
@@ -1953,16 +1914,8 @@ public Response submitReservation(ReservationSubmissionRequestInfo resContext, @Context HttpServletRequest hsr) throws AuthorizationException, IOException, InterruptedException { - init(); UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true); - if (callerUGI == null) { - throw new AuthorizationException( - "Unable to obtain user name, " + "user not authenticated"); - } - if (UserGroupInformation.isSecurityEnabled() && isStaticUser(callerUGI)) { - String msg = "The default static user cannot carry out this operation."; - return Response.status(Status.FORBIDDEN).entity(msg).build(); - } + initForWritableEndpoints(callerUGI, false); final ReservationSubmissionRequest reservation = createReservationSubmissionRequest(resContext); @@ -2051,16 +2004,8 @@ public Response updateReservation(ReservationUpdateRequestInfo resContext, @Context HttpServletRequest hsr) throws AuthorizationException, IOException, InterruptedException { - init(); UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true); - if (callerUGI == null) { - throw new AuthorizationException( - "Unable to obtain user name, " + "user not authenticated"); - } - if (UserGroupInformation.isSecurityEnabled() && isStaticUser(callerUGI)) { - String msg = "The default static user cannot carry out this operation."; - return Response.status(Status.FORBIDDEN).entity(msg).build(); - } + initForWritableEndpoints(callerUGI, false); final ReservationUpdateRequest reservation = createReservationUpdateRequest(resContext); 
@@ -2150,16 +2095,8 @@ public Response deleteReservation(ReservationDeleteRequestInfo resContext, @Context HttpServletRequest hsr) throws AuthorizationException, IOException, InterruptedException { - init(); UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true); - if (callerUGI == null) { - throw new AuthorizationException( - "Unable to obtain user name, " + "user not authenticated"); - } - if (UserGroupInformation.isSecurityEnabled() && isStaticUser(callerUGI)) { - String msg = "The default static user cannot carry out this operation."; - return Response.status(Status.FORBIDDEN).entity(msg).build(); - } + initForWritableEndpoints(callerUGI, false); final ReservationDeleteRequest reservation = createReservationDeleteRequest(resContext); @@ -2207,7 +2144,7 @@ public Response listReservation( @QueryParam(RMWSConsts.END_TIME) @DefaultValue(DEFAULT_END_TIME) long endTime, @QueryParam(RMWSConsts.INCLUDE_RESOURCE) @DefaultValue(DEFAULT_INCLUDE_RESOURCE) boolean includeResourceAllocations, @Context HttpServletRequest hsr) throws Exception { - init(); + initForReadableEndpoints(); final ReservationListRequest request = ReservationListRequest.newInstance( queue, reservationId, startTime, endTime, includeResourceAllocations); @@ -2253,7 +2190,7 @@ public ReservationListResponse run() public AppTimeoutInfo getAppTimeout(@Context HttpServletRequest hsr, @PathParam(RMWSConsts.APPID) String appId, @PathParam(RMWSConsts.TYPE) String type) throws AuthorizationException { - init(); + initForReadableEndpoints(); RMApp app = validateAppTimeoutRequest(hsr, appId); ApplicationTimeoutType appTimeoutType = parseTimeoutType(type); @@ -2297,7 +2234,7 @@ private RMApp validateAppTimeoutRequest(HttpServletRequest hsr, @Override public AppTimeoutsInfo getAppTimeouts(@Context HttpServletRequest hsr, @PathParam(RMWSConsts.APPID) String appId) throws AuthorizationException { - init(); + initForReadableEndpoints(); RMApp app = validateAppTimeoutRequest(hsr, appId); 
@@ -2355,19 +2292,9 @@ public Response updateApplicationTimeout(AppTimeoutInfo appTimeout, @Context HttpServletRequest hsr, @PathParam(RMWSConsts.APPID) String appId) throws AuthorizationException, YarnException, InterruptedException, IOException { - init(); UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true); - if (callerUGI == null) { - throw new AuthorizationException( - "Unable to obtain user name, user not authenticated"); - } - - if (UserGroupInformation.isSecurityEnabled() && isStaticUser(callerUGI)) { - return Response.status(Status.FORBIDDEN) - .entity("The default static user cannot carry out this operation.") - .build(); - } + initForWritableEndpoints(callerUGI, false); String userName = callerUGI.getUserName(); RMApp app = null; @@ -2480,16 +2407,9 @@ protected ContainerReport getContainerReport( public synchronized Response updateSchedulerConfiguration(SchedConfUpdateInfo mutationInfo, @Context HttpServletRequest hsr) throws AuthorizationException, InterruptedException { - init(); UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true); - ApplicationACLsManager aclsManager = rm.getApplicationACLsManager(); - if (aclsManager.areACLsEnabled()) { - if (callerUGI == null || !aclsManager.isAdmin(callerUGI)) { - String msg = "Only admins can carry out this operation."; - throw new ForbiddenException(msg); - } - } + initForWritableEndpoints(callerUGI, true); ResourceScheduler scheduler = rm.getResourceScheduler(); if (scheduler instanceof MutableConfScheduler && ((MutableConfScheduler) @@ -2541,7 +2461,7 @@ public RMQueueAclInfo checkUserAccessToQueue( @QueryParam(RMWSConsts.QUEUE_ACL_TYPE) @DefaultValue("SUBMIT_APPLICATIONS") String queueAclType, @Context HttpServletRequest hsr) throws AuthorizationException { - init(); + initForReadableEndpoints(); // For the user who invokes this REST call, he/she should have admin access // to the queue. Otherwise we will reject the call. 
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServices.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServices.java
index 9c4acc2e94e..0702d652a02 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServices.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServices.java
@@ -684,7 +684,7 @@ public void testDumpingSchedulerLogs() throws Exception {
 ResourceManager mockRM = mock(ResourceManager.class);
 Configuration conf = new YarnConfiguration();
- HttpServletRequest mockHsr = mock(HttpServletRequest.class);
+ HttpServletRequest mockHsr = mockHttpServletRequestByUserName("non-admin");
 ApplicationACLsManager aclsManager = new ApplicationACLsManager(conf);
 when(mockRM.getApplicationACLsManager()).thenReturn(aclsManager);
 RMWebServices webSvc =
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServicesHttpStaticUserPermissions.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServicesHttpStaticUserPermissions.java
index 60c6f5e950c..e1f7abfc4ab 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServicesHttpStaticUserPermissions.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServicesHttpStaticUserPermissions.java
@@ -41,6 +41,7 @@
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.ResourceScheduler;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fifo.FifoScheduler;
 import org.apache.hadoop.yarn.server.resourcemanager.webapp.dao.ApplicationSubmissionContextInfo;
+import org.apache.hadoop.yarn.webapp.ForbiddenException;
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
 import org.junit.Test;
@@ -175,19 +176,8 @@ public void testWebServiceAccess() throws Exception {
 try {
 conn.getInputStream();
 fail("Request " + entry.getKey() + "succeeded but should have failed");
- } catch (IOException e) {
+ } catch (ForbiddenException e) {
 assertEquals(Status.FORBIDDEN.getStatusCode(), conn.getResponseCode());
- InputStream errorStream = conn.getErrorStream();
- String error = "";
- BufferedReader reader =
- new BufferedReader(new InputStreamReader(errorStream, "UTF8"));
- for (String line; (line = reader.readLine()) != null;) {
- error += line;
- }
- reader.close();
- errorStream.close();
- assertEquals(
- "The default static user cannot carry out this operation.", error);
 }
 conn.disconnect();
 }
-- 
2.14.3 (Apple Git-98)
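Review bot: `catch (ForbiddenException e)` looks unreachable here: `conn.getInputStream()` and `conn.getResponseCode()` indicate an HTTP client connection, so the 403 produced server-side arrives as an IOException from getInputStream(), which is no longer caught and will presumably propagate and fail the test (the loop and connection setup are outside the hunk). Keep `catch (IOException e)`, and rather than deleting the body assertion adapt it to the new error format, because the removed check was the only thing proving the request was refused for the static-user reason and not for some unrelated 403. If the ForbiddenException is rendered by the exception mapper as a RemoteException-style body, parse that body and compare its message with "The default static user cannot carry out this operation." instead of the bare entity string.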