From 83f3855433ee6d692f3658af971f67cc0797e2e1 Mon Sep 17 00:00:00 2001 From: prabhujoseph Date: Tue, 29 Oct 2019 16:10:39 +0530 Subject: [PATCH] YARN-9920. Fix Null RemoteAddress in AccessRequest from FairScheduler. Signed-off-by: prabhujoseph --- .../yarn/server/resourcemanager/RMAppManager.java | 8 ++++-- .../yarn/server/resourcemanager/rmapp/RMApp.java | 8 +++++- .../server/resourcemanager/rmapp/RMAppImpl.java | 31 ++++++++++++++++---- .../server/resourcemanager/scheduler/Queue.java | 3 +- .../resourcemanager/scheduler/YarnScheduler.java | 5 +++- .../scheduler/capacity/AbstractCSQueue.java | 6 ++-- .../scheduler/capacity/CSQueue.java | 5 +++- .../scheduler/capacity/CapacityScheduler.java | 5 ++-- .../scheduler/capacity/LeafQueue.java | 3 +- .../scheduler/capacity/ParentQueue.java | 3 +- .../QueueAdminConfigurationMutationACLPolicy.java | 4 ++- .../scheduler/fair/FSLeafQueue.java | 3 +- .../scheduler/fair/FSParentQueue.java | 3 +- .../resourcemanager/scheduler/fair/FSQueue.java | 6 ++-- .../scheduler/fair/FairScheduler.java | 17 +++++++---- .../scheduler/fifo/FifoScheduler.java | 9 ++++-- .../resourcemanager/security/QueueACLsManager.java | 9 ++++-- .../resourcemanager/webapp/RMWebServices.java | 13 +++++++-- .../resourcemanager/TestMoveApplication.java | 4 ++- .../applicationsmanager/MockAsm.java | 5 ++++ .../server/resourcemanager/rmapp/MockRMApp.java | 6 ++++ .../TestConfigurationMutationACLPolicies.java | 9 +++--- .../scheduler/capacity/TestApplicationLimits.java | 2 +- .../scheduler/capacity/TestLeafQueue.java | 19 +++++++++---- .../scheduler/capacity/TestParentQueue.java | 33 +++++++++++++++------- .../resourcemanager/webapp/TestRMWebServices.java | 3 +- 26 files changed, 160 insertions(+), 62 deletions(-) 
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/RMAppManager.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/RMAppManager.java index f4f9793..f5ac995 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/RMAppManager.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/RMAppManager.java @@ -514,8 +514,10 @@ private RMAppImpl createAndPopulateNewRMApp( queue = ((FairScheduler) scheduler).getQueueManager(). getQueue(queueName); } - if (!queue.hasAccess(QueueACL.SUBMIT_APPLICATIONS, userUgi) && - !queue.hasAccess(QueueACL.ADMINISTER_QUEUE, userUgi)) { + if (!queue.hasAccess(QueueACL.SUBMIT_APPLICATIONS, userUgi, + Server.getRemoteAddress(), null) && + !queue.hasAccess(QueueACL.ADMINISTER_QUEUE, userUgi, + Server.getRemoteAddress(), null)) { throw RPCUtil.getRemoteException(new AccessControlException( "User " + user + " does not have permission to submit " + applicationId + " to queue " + @@ -534,7 +536,7 @@ private RMAppImpl createAndPopulateNewRMApp( submissionContext, this.scheduler, this.masterService, submitTime, submissionContext.getApplicationType(), submissionContext.getApplicationTags(), amReqs, placementContext, - startTime); + startTime, Server.getRemoteAddress()); // Concurrent app submissions with same applicationId will fail here // Concurrent app submissions with different applicationIds will not // influence each other 
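Review bot: `Server.getRemoteAddress()` is evaluated three separate times in createAndPopulateNewRMApp, twice in the ACL condition of the first hunk and once more for the `RMAppImpl` constructor in the second, so the address that was authorised and the address stored on the app are not tied to one value. Read it once, `final String remoteAddress = Server.getRemoteAddress();`, and pass that local to both `hasAccess` calls and to the constructor. The call returns null when the thread is not serving an RPC, so if this method is also reached from recovery or a REST submission path (not visible here) the authorizer receives a null address; a short comment saying so would help authorizer plugin authors. The method body begins and ends outside both hunks.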
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/RMApp.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/RMApp.java index 535888c..d557168 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/RMApp.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/RMApp.java @@ -60,7 +60,13 @@ * @return the {@link ApplicationId} for this {@link RMApp}. */ ApplicationId getApplicationId(); - + + /** + * The caller's remote ip address. + * @return the caller's remote ip address. + */ + String getRemoteAddress(); + /** * The application submission context for this {@link RMApp} * @return the {@link ApplicationSubmissionContext} for this {@link RMApp} diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/RMAppImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/RMAppImpl.java index c21d8d4..8346a8e 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/RMAppImpl.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/RMAppImpl.java 
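Review bot: The Javadoc added for `getRemoteAddress()` does not say whose address this is, when it was captured, or that it can be null. In `RMAppImpl` the value comes from a constructor argument that defaults to `Server.getRemoteAddress()`, which yields null outside an RPC call, and the FairScheduler hunk feeds it straight into an ACL check. I would write `@return the IP address of the client that submitted the application, captured at submission time; may be null when the app was not created inside an RPC call`. Implementations and authorizers then know they have to handle null.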
@@ -37,6 +37,7 @@ import org.apache.hadoop.classification.InterfaceAudience.Private; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.ipc.CallerContext; +import org.apache.hadoop.ipc.Server; import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.token.Token; import org.apache.hadoop.util.StringInterner; @@ -157,8 +158,7 @@ private Clock systemClock; private boolean isNumAttemptsBeyondThreshold = false; - - + private final String remoteAddress; // Mutable fields private long startTime; @@ -407,10 +407,23 @@ public RMAppImpl(ApplicationId applicationId, RMContext rmContext, ApplicationSubmissionContext submissionContext, YarnScheduler scheduler, ApplicationMasterService masterService, long submitTime, String applicationType, Set applicationTags, + List amReqs, ApplicationPlacementContext + placementContext, long startTime) { + this(applicationId, rmContext, config, name, user, queue, + submissionContext, scheduler, masterService, submitTime, + applicationType, applicationTags, amReqs, placementContext, + startTime, Server.getRemoteAddress()); + } + + public RMAppImpl(ApplicationId applicationId, RMContext rmContext, + Configuration config, String name, String user, String queue, + ApplicationSubmissionContext submissionContext, YarnScheduler scheduler, + ApplicationMasterService masterService, long submitTime, + String applicationType, Set applicationTags, List amReqs) { this(applicationId, rmContext, config, name, user, queue, submissionContext, - scheduler, masterService, submitTime, applicationType, applicationTags, - amReqs, null, -1); + scheduler, masterService, submitTime, applicationType, applicationTags, + amReqs, null, -1, Server.getRemoteAddress()); } public RMAppImpl(ApplicationId applicationId, RMContext rmContext, 
@@ -419,7 +432,7 @@ public RMAppImpl(ApplicationId applicationId, RMContext rmContext, ApplicationMasterService masterService, long submitTime, String applicationType, Set applicationTags, List amReqs, ApplicationPlacementContext - placementContext, long startTime) { + placementContext, long startTime, String remoteAddress) { this.systemClock = SystemClock.getInstance(); @@ -516,6 +529,7 @@ public RMAppImpl(ApplicationId applicationId, RMContext rmContext, DEFAULT_AM_SCHEDULING_NODE_BLACKLISTING_DISABLE_THRESHOLD; } } + this.remoteAddress = remoteAddress; } /** @@ -541,7 +555,12 @@ public void stopTimelineCollector() { public ApplicationId getApplicationId() { return this.applicationId; } - + + @Override + public String getRemoteAddress() { + return this.remoteAddress; + } + @Override public ApplicationSubmissionContext getApplicationSubmissionContext() { return this.submissionContext; diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/Queue.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/Queue.java index d166e5f..8c0120b 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/Queue.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/Queue.java @@ -61,7 +61,8 @@ */ List getQueueUserAclInfo(UserGroupInformation user); - boolean hasAccess(QueueACL acl, UserGroupInformation user); + boolean hasAccess(QueueACL acl, UserGroupInformation user, + String remoteAddress, List forwardedAddresses); public AbstractUsersManager getAbstractUsersManager(); 
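Review bot: `Queue.hasAccess` gains two parameters that take part in an authorization decision but has no Javadoc, and the `YarnScheduler.checkAccess` hunk adds `@param remoteAddress` and `@param forwardedAddresses` with no description. `CSQueue.hasAccess` in this same patch already has usable wording: `@param remoteAddress caller's remote ip address.` and `@param forwardedAddresses forwarded addresses in case of http request`. Copy those onto both interfaces and state that either argument may be null, since most call sites in this patch pass `null` for `forwardedAddresses`.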
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/YarnScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/YarnScheduler.java index d95fe7d..ed05a79 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/YarnScheduler.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/YarnScheduler.java @@ -190,11 +190,14 @@ ApplicationResourceUsageReport getAppResourceUsageReport( * @param callerUGI * @param acl * @param queueName + * @param remoteAddress + * @param forwardedAddresses * @return true if the user has the permission, * false otherwise */ boolean checkAccess(UserGroupInformation callerUGI, - QueueACL acl, String queueName); + QueueACL acl, String queueName, String remoteAddress, + List forwardedAddresses); /** * Gets the apps under a given queue diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/AbstractCSQueue.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/AbstractCSQueue.java index 3ae22ad..3455d5d 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/AbstractCSQueue.java 
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/AbstractCSQueue.java @@ -32,7 +32,6 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.apache.hadoop.classification.InterfaceAudience.Private; -import org.apache.hadoop.ipc.Server; import org.apache.hadoop.security.AccessControlException; import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.authorize.AccessControlList; @@ -268,10 +267,11 @@ public void setParent(CSQueue newParentQueue) { } @Override - public boolean hasAccess(QueueACL acl, UserGroupInformation user) { + public boolean hasAccess(QueueACL acl, UserGroupInformation user, + String remoteAddress, List forwardedAddresses) { return authorizer.checkPermission( new AccessRequest(queueEntity, user, SchedulerUtils.toAccessType(acl), - null, null, Server.getRemoteAddress(), null)); + null, null, remoteAddress, forwardedAddresses)); } /** diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CSQueue.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CSQueue.java index d507e53..93ac53b 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CSQueue.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CSQueue.java 
@@ -156,10 +156,13 @@ * Check if the user has permission to perform the operation * @param acl ACL * @param user user + * @param remoteAddress caller's remote ip address. + * @param forwardedAddresses forwarded addresses in case of http request * @return true if the user has the permission, * false otherwise */ - public boolean hasAccess(QueueACL acl, UserGroupInformation user); + public boolean hasAccess(QueueACL acl, UserGroupInformation user, + String remoteAddress, List forwardedAddresses); /** * Submit a new application to the queue. diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java index 2121a1f..cafae3d 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java @@ -2247,14 +2247,15 @@ private void markContainerForNonKillable( @Override public boolean checkAccess(UserGroupInformation callerUGI, - QueueACL acl, String queueName) { + QueueACL acl, String queueName, String remoteAddress, + List forwardedAddresses) { CSQueue queue = getQueue(queueName); if (queue == null) { LOG.debug("ACL not found for queue access-type {} for queue {}", acl, queueName); return false; } - return queue.hasAccess(acl, callerUGI); + return queue.hasAccess(acl, callerUGI, remoteAddress, forwardedAddresses); } @Override 
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/LeafQueue.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/LeafQueue.java index b883a9a..2f6c571 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/LeafQueue.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/LeafQueue.java @@ -29,6 +29,7 @@ import org.slf4j.LoggerFactory; import org.apache.hadoop.classification.InterfaceAudience.Private; import org.apache.hadoop.classification.InterfaceStability.Unstable; +import org.apache.hadoop.ipc.Server; import org.apache.hadoop.security.AccessControlException; import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.authorize.AccessControlList; @@ -481,7 +482,7 @@ public QueueInfo getQueueInfo( QueueUserACLInfo.class); List operations = new ArrayList<>(); for (QueueACL operation : QueueACL.values()) { - if (hasAccess(operation, user)) { + if (hasAccess(operation, user, Server.getRemoteAddress(), null)) { operations.add(operation); } } diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/ParentQueue.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/ParentQueue.java index 8d32447..362665b 100644 
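Review bot: In the `QueueACL.values()` loop `Server.getRemoteAddress()` is re-read on every iteration although it cannot change within the call; hoist it, `String remoteAddress = Server.getRemoteAddress();`, before the loop. The same loop appears in the `ParentQueue`, `FSLeafQueue` and `FSParentQueue` hunks. All four pass `null` for the forwarded addresses and rely on the thread's RPC context, so if these ACL listings are also reached from an HTTP handler (not visible here) an address-aware authorizer would see no address at all; a comment on that limitation is worth adding. The enclosing method starts and ends outside the hunk.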
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/ParentQueue.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/ParentQueue.java @@ -32,6 +32,7 @@ import org.slf4j.LoggerFactory; import org.apache.hadoop.classification.InterfaceAudience.Private; import org.apache.hadoop.classification.InterfaceStability.Evolving; +import org.apache.hadoop.ipc.Server; import org.apache.hadoop.security.AccessControlException; import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.authorize.AccessControlList; @@ -285,7 +286,7 @@ private QueueUserACLInfo getUserAclInfo( QueueUserACLInfo.class); List operations = new ArrayList(); for (QueueACL operation : QueueACL.values()) { - if (hasAccess(operation, user)) { + if (hasAccess(operation, user, Server.getRemoteAddress(), null)) { operations.add(operation); } } diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/conf/QueueAdminConfigurationMutationACLPolicy.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/conf/QueueAdminConfigurationMutationACLPolicy.java index ee53fd1..6c3f1a1 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/conf/QueueAdminConfigurationMutationACLPolicy.java 
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/conf/QueueAdminConfigurationMutationACLPolicy.java @@ -19,6 +19,7 @@ package org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.conf; import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.ipc.Server; import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.yarn.api.records.QueueACL; import org.apache.hadoop.yarn.api.records.QueueInfo; @@ -101,7 +102,8 @@ public boolean isMutationAllowed(UserGroupInformation user, } Queue queue = ((MutableConfScheduler) rmContext.getScheduler()) .getQueue(queueInfo.getQueueName()); - if (queue != null && !queue.hasAccess(QueueACL.ADMINISTER_QUEUE, user)) { + if (queue != null && !queue.hasAccess(QueueACL.ADMINISTER_QUEUE, user, + Server.getRemoteAddress(), null)) { return false; } } diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSLeafQueue.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSLeafQueue.java index afea3d5..97af8ae 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSLeafQueue.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSLeafQueue.java 
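Review bot: The `ADMINISTER_QUEUE` check in `isMutationAllowed` takes the address from `Server.getRemoteAddress()`, which is only populated on an RPC handler thread. If configuration mutations arrive over the web services rather than RPC (the caller is not visible in this hunk), the authorizer is handed a null address and no forwarded addresses for an administrative operation. `isMutationAllowed` has no address parameter to carry the HTTP values, so at minimum I would add a comment above the call, `// remote address is null unless invoked from an RPC handler; authorizers must not treat null as trusted`. The method continues outside the hunk.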
@@ -34,6 +34,7 @@ import org.slf4j.LoggerFactory; import org.apache.hadoop.classification.InterfaceAudience.Private; import org.apache.hadoop.classification.InterfaceStability.Unstable; +import org.apache.hadoop.ipc.Server; import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.yarn.api.records.ApplicationAttemptId; import org.apache.hadoop.yarn.api.records.ApplicationId; @@ -398,7 +399,7 @@ public Resource assignContainer(FSSchedulerNode node) { recordFactory.newRecordInstance(QueueUserACLInfo.class); List operations = new ArrayList<>(); for (QueueACL operation : QueueACL.values()) { - if (hasAccess(operation, user)) { + if (hasAccess(operation, user, Server.getRemoteAddress(), null)) { operations.add(operation); } } diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSParentQueue.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSParentQueue.java index bb3dffc..b94031a 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSParentQueue.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSParentQueue.java @@ -31,6 +31,7 @@ import org.slf4j.LoggerFactory; import org.apache.hadoop.classification.InterfaceAudience.Private; import org.apache.hadoop.classification.InterfaceStability.Unstable; +import org.apache.hadoop.ipc.Server; import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.yarn.api.records.ApplicationAttemptId; import org.apache.hadoop.yarn.api.records.QueueACL; 
@@ -162,7 +163,7 @@ public void updateDemand() { private QueueUserACLInfo getUserAclInfo(UserGroupInformation user) { List operations = new ArrayList<>(); for (QueueACL operation : QueueACL.values()) { - if (hasAccess(operation, user)) { + if (hasAccess(operation, user, Server.getRemoteAddress(), null)) { operations.add(operation); } } diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSQueue.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSQueue.java index cca0875..4406ab7 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSQueue.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSQueue.java @@ -27,7 +27,6 @@ import org.slf4j.LoggerFactory; import org.apache.hadoop.classification.InterfaceAudience.Private; import org.apache.hadoop.classification.InterfaceStability.Unstable; -import org.apache.hadoop.ipc.Server; import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.yarn.api.records.ApplicationAttemptId; import org.apache.hadoop.yarn.api.records.Priority; 
@@ -314,11 +313,12 @@ void setSteadyFairShare(Resource steadyFairShare) { metrics.setSteadyFairShare(steadyFairShare); } - public boolean hasAccess(QueueACL acl, UserGroupInformation user) { + public boolean hasAccess(QueueACL acl, UserGroupInformation user, + String remoteAddress, List forwardedAddresses) { return authorizer.checkPermission( new AccessRequest(queueEntity, user, SchedulerUtils.toAccessType(acl), null, null, - Server.getRemoteAddress(), null)); + remoteAddress, forwardedAddresses)); } long getFairSharePreemptionTimeout() { diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FairScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FairScheduler.java index 04bbe0f..4678b80 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FairScheduler.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FairScheduler.java @@ -27,6 +27,7 @@ import org.apache.hadoop.classification.InterfaceAudience.LimitedPrivate; import org.apache.hadoop.classification.InterfaceStability.Unstable; import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.ipc.Server; import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.authorize.AccessControlList; import org.apache.hadoop.yarn.api.records.ApplicationAttemptId; 
@@ -492,8 +493,14 @@ protected void addApplication(ApplicationId applicationId, UserGroupInformation userUgi = UserGroupInformation.createRemoteUser( user); - if (!queue.hasAccess(QueueACL.SUBMIT_APPLICATIONS, userUgi) && - !queue.hasAccess(QueueACL.ADMINISTER_QUEUE, userUgi)) { + RMApp rmApp = rmContext.getRMApps().get(applicationId); + String remoteAddress = (rmApp != null) ? + rmApp.getRemoteAddress() : Server.getRemoteAddress(); + + if (!queue.hasAccess(QueueACL.SUBMIT_APPLICATIONS, userUgi, + remoteAddress, null) && + !queue.hasAccess(QueueACL.ADMINISTER_QUEUE, userUgi, + remoteAddress, null)) { String msg = "User " + user + " does not have permission to submit " + applicationId + " to queue " + queueName; rejectApplicationWithMessage(applicationId, msg); @@ -501,7 +508,6 @@ protected void addApplication(ApplicationId applicationId, return; } - RMApp rmApp = rmContext.getRMApps().get(applicationId); if (rmApp != null) { rmApp.setQueue(queueName); } else { @@ -1585,7 +1591,8 @@ public int getNumClusterNodes() { @Override public boolean checkAccess(UserGroupInformation callerUGI, - QueueACL acl, String queueName) { + QueueACL acl, String queueName, String remoteAddress, + List forwardedAddresses) { readLock.lock(); try { FSQueue queue = getQueueManager().getQueue(queueName); @@ -1594,7 +1601,7 @@ public boolean checkAccess(UserGroupInformation callerUGI, acl, queueName); return false; } - return queue.hasAccess(acl, callerUGI); + return queue.hasAccess(acl, callerUGI, remoteAddress, forwardedAddresses); } finally { readLock.unlock(); } diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fifo/FifoScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fifo/FifoScheduler.java index 9bd2a11..f112c49 100644 
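Review bot: The fallback in `addApplication` only covers `rmApp == null`; when the app exists but `rmApp.getRemoteAddress()` is null, null still goes into both `hasAccess` calls. The fallback itself, `Server.getRemoteAddress()`, reads the current thread's RPC context, and the commit title suggests this method runs where that context is absent, so that branch probably yields null as well. Since the value feeds the submit-ACL decision, log at debug when `remoteAddress` is null and add a comment that authorizers must handle it, e.g. `// may be null for apps not submitted over RPC`. `addApplication` starts before and ends after this hunk.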
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fifo/FifoScheduler.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fifo/FifoScheduler.java @@ -175,7 +175,8 @@ public QueueInfo getQueueInfo( } @Override - public boolean hasAccess(QueueACL acl, UserGroupInformation user) { + public boolean hasAccess(QueueACL acl, UserGroupInformation user, + String remoteAddress, List forwardedAddresses) { return getQueueAcls().get(acl).isUserAllowed(user); } @@ -931,8 +932,10 @@ public QueueMetrics getRootQueueMetrics() { @Override public synchronized boolean checkAccess(UserGroupInformation callerUGI, - QueueACL acl, String queueName) { - return DEFAULT_QUEUE.hasAccess(acl, callerUGI); + QueueACL acl, String queueName, String remoteAddress, + List forwardedAddresses) { + return DEFAULT_QUEUE.hasAccess(acl, callerUGI, remoteAddress, + forwardedAddresses); } @Override diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/QueueACLsManager.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/QueueACLsManager.java index 1caa181..5ffbd32 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/QueueACLsManager.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/QueueACLsManager.java 
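Review bot: The new `remoteAddress` and `forwardedAddresses` parameters of `hasAccess` on the default queue are accepted and then ignored; the decision is still `getQueueAcls().get(acl).isUserAllowed(user)`. That is a reasonable choice for FifoScheduler, but it should be stated so nobody assumes address-based rules apply here: `// FifoScheduler ACLs are user/group only; remoteAddress and forwardedAddresses are intentionally unused`. `checkAccess` in the second hunk forwards both values to this method, so the same comment covers it.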
@@ -82,7 +82,8 @@ public boolean checkAccess(UserGroupInformation callerUGI, QueueACL acl, app.getApplicationId().toString(), app.getName(), remoteAddress, forwardedAddresses)); } else { - return scheduler.checkAccess(callerUGI, acl, app.getQueue()); + return scheduler.checkAccess(callerUGI, acl, app.getQueue(), + remoteAddress, forwardedAddresses); } } @@ -137,10 +138,12 @@ public boolean checkAccess(UserGroupInformation callerUGI, QueueACL acl, + app.getApplicationId()); return false; } - return scheduler.checkAccess(callerUGI, acl, targetQueue); + return scheduler.checkAccess(callerUGI, acl, targetQueue, + remoteAddress, forwardedAddresses); } else { // Any other scheduler just try - return scheduler.checkAccess(callerUGI, acl, targetQueue); + return scheduler.checkAccess(callerUGI, acl, targetQueue, + remoteAddress, forwardedAddresses); } } } diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java index d263830..2acfc5d 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java 
@@ -2736,8 +2736,16 @@ public RMQueueAclInfo checkUserAccessToQueue( // For the user who invokes this REST call, he/she should have admin access // to the queue. Otherwise we will reject the call. UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true); + + List forwardedAddresses = null; + String forwardedFor = hsr.getHeader(RMWSConsts.FORWARDED_FOR); + if (forwardedFor != null) { + forwardedAddresses = Arrays.asList(forwardedFor.split(",")); + } + if (callerUGI != null && !this.rm.getResourceScheduler().checkAccess( - callerUGI, QueueACL.ADMINISTER_QUEUE, queue)) { + callerUGI, QueueACL.ADMINISTER_QUEUE, queue, hsr.getRemoteAddr(), + forwardedAddresses)) { throw new ForbiddenException( "User=" + callerUGI.getUserName() + " doesn't haven access to queue=" + queue + " so it cannot check ACLs for other users."); @@ -2760,7 +2768,8 @@ public RMQueueAclInfo checkUserAccessToQueue( + "SUBMIT_APPLICATIONS/ADMINISTER_QUEUE}"); } - if (!this.rm.getResourceScheduler().checkAccess(user, queueACL, queue)) { + if (!this.rm.getResourceScheduler().checkAccess(user, queueACL, queue, + hsr.getRemoteAddr(), forwardedAddresses)) { return new RMQueueAclInfo(false, user.getUserName(), "User=" + username + " doesn't have access to queue=" + queue + " with acl-type=" + queueAclType); diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestMoveApplication.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestMoveApplication.java index 05b25df..79813ae 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestMoveApplication.java 
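Review bot: `forwardedFor.split(",")` in checkUserAccessToQueue keeps the space that usually follows each comma, so every address after the first reaches `checkAccess` with leading whitespace and may not match what an address-aware ACL expects. `forwardedAddresses = Arrays.asList(forwardedFor.trim().split("\\s*,\\s*"));` avoids that. The `RMWSConsts.FORWARDED_FOR` value is also set by the client, so it is only meaningful when the request came through a proxy the ResourceManager trusts. A comment such as `// Client-supplied header: treat as a hint unless hsr.getRemoteAddr() is a trusted proxy` would make that explicit. The method starts and continues outside this hunk.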
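Review bot: The second `checkAccess` call evaluates `user`, the account being queried, but passes `hsr.getRemoteAddr()` and `forwardedAddresses`, which describe the REST caller. If the scheduler's decision takes the address into account, the returned RMQueueAclInfo reflects the caller's network location rather than anything about the queried user. If that is intended, say so next to the call, e.g. `// Addresses are those of the REST caller; the queried user has no address of its own here`. The enclosing method extends beyond the hunk.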
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestMoveApplication.java @@ -23,6 +23,7 @@ import java.security.AccessControlException; import java.security.PrivilegedExceptionAction; +import java.util.List; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.security.UserGroupInformation; @@ -175,7 +176,8 @@ public String moveApplication(ApplicationId appId, String newQueue) @Override public synchronized boolean checkAccess(UserGroupInformation callerUGI, - QueueACL acl, String queueName) { + QueueACL acl, String queueName, String remoteAddress, + List forwardedAddresses) { return acl != QueueACL.ADMINISTER_QUEUE; } diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/applicationsmanager/MockAsm.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/applicationsmanager/MockAsm.java index 5194674..4ee2cf1 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/applicationsmanager/MockAsm.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/applicationsmanager/MockAsm.java @@ -275,6 +275,11 @@ public CollectorInfo getCollectorInfo() { public Map getApplicationSchedulingEnvs() { throw new UnsupportedOperationException("Not supported yet."); } + + @Override + public String getRemoteAddress() { + throw new UnsupportedOperationException("Not supported yet."); + } } public static RMApp newApplication(int i) { 
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/MockRMApp.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/MockRMApp.java index 32ece34..3e5fa29 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/MockRMApp.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/MockRMApp.java @@ -25,6 +25,7 @@ import java.util.Set; import org.apache.hadoop.ipc.CallerContext; +import org.apache.hadoop.ipc.Server; import org.apache.hadoop.yarn.MockApps; import org.apache.hadoop.yarn.api.records.ApplicationAttemptId; import org.apache.hadoop.yarn.api.records.ApplicationId; @@ -376,4 +377,9 @@ public CollectorInfo getCollectorInfo() { public Map getApplicationSchedulingEnvs() { return null; } + + @Override + public String getRemoteAddress() { + return Server.getRemoteAddress(); + } } diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/TestConfigurationMutationACLPolicies.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/TestConfigurationMutationACLPolicies.java index 8741432..b34128b 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/TestConfigurationMutationACLPolicies.java 
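Review bot: `getRemoteAddress()` in MockRMApp reads `Server.getRemoteAddress()` at call time, which as far as I know is null whenever the calling thread is not serving an RPC. Tests built on this mock would then only exercise the null-address path that the commit title says it fixes. The same applies to `String remoteAddess = Server.getRemoteAddress();` in TestLeafQueue and `String remoteAddress = Server.getRemoteAddress();` in TestParentQueue. Returning a fixed value from the mock, e.g. `return "127.0.0.1";` (a constructed sample), and using a literal in the two tests would put a non-null address through the ACL path.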
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/TestConfigurationMutationACLPolicies.java @@ -36,6 +36,7 @@ import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertTrue; +import static org.mockito.ArgumentMatchers.any; import static org.mockito.ArgumentMatchers.anyBoolean; import static org.mockito.ArgumentMatchers.eq; import static org.mockito.Mockito.mock; @@ -71,10 +72,10 @@ private void mockQueue(String queueName, MutableConfScheduler scheduler) when(scheduler.getQueueInfo(eq(queueName), anyBoolean(), anyBoolean())) .thenReturn(queueInfo); Queue queue = mock(Queue.class); - when(queue.hasAccess(eq(QueueACL.ADMINISTER_QUEUE), eq(GOOD_USER))) - .thenReturn(true); - when(queue.hasAccess(eq(QueueACL.ADMINISTER_QUEUE), eq(BAD_USER))) - .thenReturn(false); + when(queue.hasAccess(eq(QueueACL.ADMINISTER_QUEUE), eq(GOOD_USER), + any(), any())).thenReturn(true); + when(queue.hasAccess(eq(QueueACL.ADMINISTER_QUEUE), eq(BAD_USER), + any(), any())).thenReturn(false); when(scheduler.getQueue(eq(queueName))).thenReturn(queue); } diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestApplicationLimits.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestApplicationLimits.java index 172db0a..ade5d3f 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestApplicationLimits.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestApplicationLimits.java 
@@ -142,7 +142,7 @@ public void setUp() throws IOException { // Stub out ACL checks doReturn(true). when(queue).hasAccess(any(QueueACL.class), - any(UserGroupInformation.class)); + any(UserGroupInformation.class), any(), any()); // Some default values doReturn(100).when(queue).getMaxApplications(); diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestLeafQueue.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestLeafQueue.java index 1c8d84c..5d6d519 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestLeafQueue.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestLeafQueue.java @@ -53,6 +53,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.ipc.Server; import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.yarn.api.records.ApplicationAttemptId; import org.apache.hadoop.yarn.api.records.ApplicationId; 
@@ -2851,12 +2852,18 @@ public void testInheritedQueueAcls() throws IOException { LeafQueue b = stubLeafQueue((LeafQueue)queues.get(B)); ParentQueue c = (ParentQueue)queues.get(C); LeafQueue c1 = stubLeafQueue((LeafQueue)queues.get(C1)); - - assertFalse(root.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user)); - assertTrue(a.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user)); - assertTrue(b.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user)); - assertFalse(c.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user)); - assertFalse(c1.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user)); + String remoteAddess = Server.getRemoteAddress(); + + assertFalse(root.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user, + remoteAddess, null)); + assertTrue(a.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user, + remoteAddess, null)); + assertTrue(b.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user, + remoteAddess, null)); + assertFalse(c.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user, + remoteAddess, null)); + assertFalse(c1.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user, + remoteAddess, null)); assertTrue(hasQueueACL( a.getQueueUserAclInfo(user), QueueACL.SUBMIT_APPLICATIONS)); diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestParentQueue.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestParentQueue.java index 4ef9f7a..3082080 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestParentQueue.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestParentQueue.java 
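Review bot: The local `remoteAddess` in testInheritedQueueAcls is misspelled; TestParentQueue names the same value `remoteAddress`. Rename it to `String remoteAddress = Server.getRemoteAddress();` and update the five `hasAccess` calls below it. The test method starts outside the hunk.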
@@ -37,6 +37,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import org.apache.hadoop.ipc.Server; import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.yarn.api.records.QueueACL; import org.apache.hadoop.yarn.api.records.QueueUserACLInfo; 
@@ -920,35 +921,47 @@ public void testQueueAcl() throws Exception { ParentQueue c11 = (ParentQueue)queues.get(C11); ParentQueue c111 = (ParentQueue)queues.get(C111); - assertFalse(root.hasAccess(QueueACL.ADMINISTER_QUEUE, user)); + String remoteAddress = Server.getRemoteAddress(); + + assertFalse(root.hasAccess(QueueACL.ADMINISTER_QUEUE, user, + remoteAddress, null)); List aclInfos = root.getQueueUserAclInfo(user); assertFalse(hasQueueACL(aclInfos, QueueACL.ADMINISTER_QUEUE, "root")); - assertFalse(root.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user)); + assertFalse(root.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user, + remoteAddress, null)); assertFalse(hasQueueACL(aclInfos, QueueACL.SUBMIT_APPLICATIONS, "root")); // c has no SA, but QA - assertTrue(c.hasAccess(QueueACL.ADMINISTER_QUEUE, user)); + assertTrue(c.hasAccess(QueueACL.ADMINISTER_QUEUE, user, + remoteAddress, null)); assertTrue(hasQueueACL(aclInfos, QueueACL.ADMINISTER_QUEUE, "c")); - assertFalse(c.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user)); + assertFalse(c.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user, + remoteAddress, null)); assertFalse(hasQueueACL(aclInfos, QueueACL.SUBMIT_APPLICATIONS, "c")); //Queue c1 has QA, no SA (gotten perm from parent) - assertTrue(c1.hasAccess(QueueACL.ADMINISTER_QUEUE, user)); + assertTrue(c1.hasAccess(QueueACL.ADMINISTER_QUEUE, user, + remoteAddress, null)); assertTrue(hasQueueACL(aclInfos, QueueACL.ADMINISTER_QUEUE, "c1")); - assertFalse(c1.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user)); + assertFalse(c1.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user, + remoteAddress, null)); assertFalse(hasQueueACL(aclInfos, QueueACL.SUBMIT_APPLICATIONS, "c1")); //Queue c11 has permissions from parent queue and SA - assertTrue(c11.hasAccess(QueueACL.ADMINISTER_QUEUE, user)); + assertTrue(c11.hasAccess(QueueACL.ADMINISTER_QUEUE, user, + remoteAddress, null)); assertTrue(hasQueueACL(aclInfos, QueueACL.ADMINISTER_QUEUE, "c11")); - assertTrue(c11.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user)); 
+ assertTrue(c11.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user, + remoteAddress, null)); assertTrue(hasQueueACL(aclInfos, QueueACL.SUBMIT_APPLICATIONS, "c11")); //Queue c111 has SA and AQ, both from parent - assertTrue(c111.hasAccess(QueueACL.ADMINISTER_QUEUE, user)); + assertTrue(c111.hasAccess(QueueACL.ADMINISTER_QUEUE, user, + remoteAddress, null)); assertTrue(hasQueueACL(aclInfos, QueueACL.ADMINISTER_QUEUE, "c111")); - assertTrue(c111.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user)); + assertTrue(c111.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user, + remoteAddress, null)); assertTrue(hasQueueACL(aclInfos, QueueACL.SUBMIT_APPLICATIONS, "c111")); reset(c); diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServices.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServices.java index d9d1d9b..05717f8 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServices.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServices.java @@ -811,7 +811,8 @@ public void testCheckUserAccessToQueue() throws Exception { ResourceScheduler mockScheduler = new FifoScheduler() { @Override public synchronized boolean checkAccess(UserGroupInformation callerUGI, - QueueACL acl, String queueName) { + QueueACL acl, String queueName, String remoteAddress, + List forwardedAddresses) { if (acl == QueueACL.ADMINISTER_QUEUE) { if (callerUGI.getUserName().equals("admin")) { return true; -- 2.7.4 (Apple Git-66)
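Review bot: The overridden `checkAccess` in testCheckUserAccessToQueue accepts `remoteAddress` and `forwardedAddresses` but, in the lines visible here, decides only on `acl` and `callerUGI.getUserName()`. The header parsing added in RMWebServices is therefore not covered by this test. Consider recording the two arguments in the mock and asserting on them for a request that carries the forwarded-for header, for example that a value with two comma-separated entries arrives as a two-element list. The override's body continues past the end of the hunk.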