diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/QueueACLsManager.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/QueueACLsManager.java index 1caa181176e..be7c2666869 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/QueueACLsManager.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/QueueACLsManager.java @@ -69,12 +69,14 @@ public boolean checkAccess(UserGroupInformation callerUGI, QueueACL acl, if (queue == null) { // The application exists but the associated queue does not exist. // This may be due to a queue that is not defined when the RM restarts. - // At this point we choose to log the fact and allow users to access - // and view the apps in a removed queue. This should only happen on - // application recovery. + // At this point we choose to log the fact and disallow users to access + // and view the apps via QueueACLs in a removed queue. + // Both owners of apps and yarn admin can access and + // view the apps via ApplicationACLs. This happen + // on application recovery or submitting job to unknown queue LOG.error("Queue " + app.getQueue() + " does not exist for " + app .getApplicationId()); - return true; + return false; } return authorizer.checkPermission( new AccessRequest(queue.getPrivilegedEntity(), callerUGI, diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestWorkPreservingRMRestart.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestWorkPreservingRMRestart.java index d503cb44fb8..a31b6b9bf45 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestWorkPreservingRMRestart.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestWorkPreservingRMRestart.java @@ -560,6 +560,7 @@ private void checkFSQueue(ResourceManager rm, private static final String QUEUE_DOESNT_EXIST = "NoSuchQueue"; private static final String USER_1 = "user1"; private static final String USER_2 = "user2"; + private static final String YARN_ADMIN_USER = "yarn-admin"; private void setupQueueConfiguration(CapacitySchedulerConfiguration conf) { conf.setQueues(CapacitySchedulerConfiguration.ROOT, new String[] { R }); @@ -607,10 +608,12 @@ private void setupQueueConfigurationChildOfB(CapacitySchedulerConfiguration conf // 1. submit an app to default queue and let it finish // 2. restart rm with no default queue // 3. getApplicationReport call should succeed (with no NPE) + // 4. user2 cannot access the app1 of user1 + // because user2 does not have view-acl of app1 @Test (timeout = 30000) public void testRMRestartWithRemovedQueue() throws Exception{ conf.setBoolean(YarnConfiguration.YARN_ACL_ENABLE, true); - conf.set(YarnConfiguration.YARN_ADMIN_ACL, ""); + conf.set(YarnConfiguration.YARN_ADMIN_ACL, YARN_ADMIN_USER); rm1 = new MockRM(conf); rm1.start(); MockMemoryRMStateStore memStore = @@ -629,16 +632,49 @@ public void testRMRestartWithRemovedQueue() throws Exception{ rm2 = new MockRM(csConf, memStore); rm2.start(); - UserGroupInformation user2 = UserGroupInformation.createRemoteUser("user2"); + UserGroupInformation yarnAdmin = + UserGroupInformation.createRemoteUser(YARN_ADMIN_USER); + UserGroupInformation user1 = UserGroupInformation.createRemoteUser(USER_1); + UserGroupInformation user2 = UserGroupInformation.createRemoteUser(USER_2); + + //Both owner of app and yarn admin can access app1 ApplicationReport report = - user2.doAs(new PrivilegedExceptionAction() { + user1.doAs(new PrivilegedExceptionAction() { @Override public ApplicationReport run() throws Exception { return rm2.getApplicationReport(app1.getApplicationId()); } }); Assert.assertNotNull(report); + Assert.assertNotEquals("N/A", report.getDiagnostics()); + Assert.assertNotEquals("N/A", report.getTrackingUrl()); + Assert.assertNotEquals(null, report.getLogAggregationStatus()); + + + report = yarnAdmin.doAs(new PrivilegedExceptionAction() { + @Override + public ApplicationReport run() throws Exception { + return rm2.getApplicationReport(app1.getApplicationId()); + } + }); + Assert.assertNotNull(report); + Assert.assertNotEquals("N/A", report.getDiagnostics()); + Assert.assertNotEquals("N/A", report.getTrackingUrl()); + Assert.assertNotEquals(null, report.getLogAggregationStatus()); + + //user2 cannot access app1 + report = user2.doAs(new PrivilegedExceptionAction() { + @Override + public ApplicationReport run() throws Exception { + return rm2.getApplicationReport(app1.getApplicationId()); + } + }); + + Assert.assertNotNull(report); + Assert.assertEquals("N/A", report.getDiagnostics()); + Assert.assertEquals("N/A", report.getTrackingUrl()); + Assert.assertEquals(null, report.getLogAggregationStatus()); } // Test CS recovery with multi-level queues and multi-users: