diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/main/java/org/apache/hadoop/yarn/server/timelineservice/reader/TimelineReaderWebServices.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/main/java/org/apache/hadoop/yarn/server/timelineservice/reader/TimelineReaderWebServices.java index b10b705bb61..3a4ea2e99e3 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/main/java/org/apache/hadoop/yarn/server/timelineservice/reader/TimelineReaderWebServices.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/main/java/org/apache/hadoop/yarn/server/timelineservice/reader/TimelineReaderWebServices.java @@ -3532,9 +3532,9 @@ static boolean validateAuthUserWithEntityUser( static boolean checkAccess(TimelineReaderManager readerManager, UserGroupInformation ugi, String entityUser) { if (isDisplayEntityPerUserFilterEnabled(readerManager.getConfig())) { - if (ugi != null && !validateAuthUserWithEntityUser(readerManager, ugi, + if (!validateAuthUserWithEntityUser(readerManager, ugi, entityUser)) { - String userName = ugi.getShortUserName(); + String userName = ugi == null ? null : ugi.getShortUserName(); String msg = "User " + userName + " is not allowed to read TimelineService V2 data."; throw new ForbiddenException(msg); diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/test/java/org/apache/hadoop/yarn/server/timelineservice/reader/TestTimelineReaderWebServicesBasicAcl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/test/java/org/apache/hadoop/yarn/server/timelineservice/reader/TestTimelineReaderWebServicesBasicAcl.java index 6651457ff75..6ad44272a89 100644 
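Review bot: With the `ugi != null` guard removed, an unauthenticated caller in `checkAccess` now gets the message "User null is not allowed to read TimelineService V2 data.", which hides the real cause: no caller identity was supplied. Give the anonymous case its own wording, for example `String userName = ugi == null ? "<unauthenticated>" : ugi.getShortUserName();`, or a separate message saying that `user.name` must be passed on a non-secure cluster, as the test comment in this commit describes. Failing closed is the right direction, but it changes behaviour for existing non-secure clients, so the method's Javadoc should state that a null `ugi` is rejected whenever the per-user filter is enabled. The rest of `checkAccess` lies outside the hunk, so whether the denial is logged for audit cannot be checked from here.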
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/test/java/org/apache/hadoop/yarn/server/timelineservice/reader/TestTimelineReaderWebServicesBasicAcl.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/test/java/org/apache/hadoop/yarn/server/timelineservice/reader/TestTimelineReaderWebServicesBasicAcl.java @@ -88,9 +88,14 @@ Assert.assertFalse(TimelineReaderWebServices .validateAuthUserWithEntityUser(manager, null, user1)); - // true because ugi is null - Assert.assertTrue( - TimelineReaderWebServices.checkAccess(manager, null, user1)); + // false because ugi is null in non-secure cluster. User must pass + // ?user.name as query params in REST end points. + try { + TimelineReaderWebServices.checkAccess(manager, null, user1); + Assert.fail("user1Ugi is not allowed to view user1"); + } catch (ForbiddenException e) { + // expected + } // incoming ugi is admin asking for entity owner user1 Assert.assertTrue(
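Review bot: The failure message in `Assert.fail("user1Ugi is not allowed to view user1")` names `user1Ugi`, but the call passes a null ugi, so a regression would report the wrong scenario; `Assert.fail("checkAccess must throw ForbiddenException for a null ugi");` would match what is tested. The new comment says "false because ugi is null", yet `checkAccess` signals denial by throwing rather than returning false, so `// ForbiddenException expected because ugi is null in non-secure cluster.` would be more accurate. The enclosing test method starts and ends outside the hunk.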