diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/QueueACLsManager.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/QueueACLsManager.java index 1caa181176e..be7c2666869 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/QueueACLsManager.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/QueueACLsManager.java @@ -69,12 +69,14 @@ public boolean checkAccess(UserGroupInformation callerUGI, QueueACL acl, if (queue == null) { // The application exists but the associated queue does not exist. // This may be due to a queue that is not defined when the RM restarts. - // At this point we choose to log the fact and allow users to access - // and view the apps in a removed queue. This should only happen on - // application recovery. + // At this point we choose to log the fact and disallow users to access + // and view the apps via QueueACLs in a removed queue. + // Both owners of apps and yarn admin can access and + // view the apps via ApplicationACLs. This happen + // on application recovery or submitting job to unknown queue LOG.error("Queue " + app.getQueue() + " does not exist for " + app .getApplicationId()); - return true; + return false; } return authorizer.checkPermission( new AccessRequest(queue.getPrivilegedEntity(), callerUGI, diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestWorkPreservingRMRestart.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestWorkPreservingRMRestart.java index d503cb44fb8..cbaf8189045 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestWorkPreservingRMRestart.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestWorkPreservingRMRestart.java @@ -607,6 +607,7 @@ private void setupQueueConfigurationChildOfB(CapacitySchedulerConfiguration conf // 1. submit an app to default queue and let it finish // 2. restart rm with no default queue // 3. getApplicationReport call should succeed (with no NPE) + // 4. user2 cannot access the app1 of user1 because user2 does not have view-acl of app1 @Test (timeout = 30000) public void testRMRestartWithRemovedQueue() throws Exception{ conf.setBoolean(YarnConfiguration.YARN_ACL_ENABLE, true); @@ -629,7 +630,7 @@ public void testRMRestartWithRemovedQueue() throws Exception{ rm2 = new MockRM(csConf, memStore); rm2.start(); - UserGroupInformation user2 = UserGroupInformation.createRemoteUser("user2"); + UserGroupInformation user2 = UserGroupInformation.createRemoteUser(USER_2); ApplicationReport report = user2.doAs(new PrivilegedExceptionAction() { @@ -639,6 +640,9 @@ public ApplicationReport run() throws Exception { } }); Assert.assertNotNull(report); + Assert.assertEquals("N/A", report.getDiagnostics()); + Assert.assertEquals("N/A", report.getTrackingUrl()); + Assert.assertEquals(null, report.getLogAggregationStatus()); } // Test CS recovery with multi-level queues and multi-users: