From 56abe32b7ef471f5f0060a7c52e1dd6963886fc2 Mon Sep 17 00:00:00 2001 From: prabhujoseph Date: Tue, 19 Nov 2019 13:50:12 +0530 Subject: [PATCH] YARN-9920. Fix Client Remote Address while checking queue access. --- .../server/resourcemanager/ClientRMService.java | 18 +++++++++--- .../yarn/server/resourcemanager/RMAppManager.java | 22 ++++++++------ .../resourcemanager/recovery/RMStateStore.java | 1 + .../recovery/records/ApplicationStateData.java | 29 ++++++++++++++++-- .../impl/pb/ApplicationStateDataPBImpl.java | 15 ++++++++++ .../yarn/server/resourcemanager/rmapp/RMApp.java | 8 ++++- .../server/resourcemanager/rmapp/RMAppImpl.java | 34 ++++++++++++++++++---- .../server/resourcemanager/scheduler/Queue.java | 3 +- .../resourcemanager/scheduler/YarnScheduler.java | 3 +- .../scheduler/capacity/AbstractCSQueue.java | 6 ++-- .../scheduler/capacity/CSQueue.java | 4 ++- .../scheduler/capacity/CapacityScheduler.java | 5 ++-- .../scheduler/capacity/LeafQueue.java | 3 +- .../scheduler/capacity/ParentQueue.java | 3 +- .../QueueAdminConfigurationMutationACLPolicy.java | 4 ++- .../scheduler/fair/FSLeafQueue.java | 3 +- .../scheduler/fair/FSParentQueue.java | 3 +- .../resourcemanager/scheduler/fair/FSQueue.java | 6 ++-- .../scheduler/fair/FairScheduler.java | 15 ++++++---- .../scheduler/fifo/FifoScheduler.java | 7 +++-- .../resourcemanager/security/QueueACLsManager.java | 9 ++++-- .../resourcemanager/webapp/RMWebAppFilter.java | 10 +++++++ .../resourcemanager/webapp/RMWebServices.java | 7 +++-- .../yarn_server_resourcemanager_recovery.proto | 1 + .../server/resourcemanager/AppManagerTestBase.java | 2 +- .../yarn/server/resourcemanager/RMHATestBase.java | 2 +- .../resourcemanager/TestMoveApplication.java | 2 +- .../applicationsmanager/MockAsm.java | 5 ++++ .../server/resourcemanager/rmapp/MockRMApp.java | 6 ++++ .../TestConfigurationMutationACLPolicies.java | 9 +++--- .../scheduler/capacity/TestApplicationLimits.java | 2 +- .../scheduler/capacity/TestLeafQueue.java | 19 ++++++++---- .../scheduler/capacity/TestParentQueue.java | 33 ++++++++++++++------- .../resourcemanager/webapp/TestRMWebServices.java | 2 +- 34 files changed, 224 insertions(+), 77 deletions(-) diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ClientRMService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ClientRMService.java index f9681e0..8199646 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ClientRMService.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ClientRMService.java @@ -192,6 +192,7 @@ import org.apache.hadoop.yarn.server.resourcemanager.security.RMDelegationTokenSecretManager; import org.apache.hadoop.yarn.server.resourcemanager.security.ReservationsACLsManager; import org.apache.hadoop.yarn.server.resourcemanager.security.authorize.RMPolicyProvider; +import org.apache.hadoop.yarn.server.resourcemanager.webapp.RMWebAppFilter; import org.apache.hadoop.yarn.server.security.ApplicationACLsManager; import org.apache.hadoop.yarn.server.utils.BuilderUtils; import org.apache.hadoop.yarn.util.Clock; @@ -370,7 +371,7 @@ private boolean checkAccess(UserGroupInformation callerUGI, String owner, .checkAccess(callerUGI, operationPerformed, owner, application.getApplicationId()) || queueACLsManager .checkAccess(callerUGI, QueueACL.ADMINISTER_QUEUE, application, - Server.getRemoteAddress(), null); + getRemoteAddress(), null); } ApplicationId getNewApplicationId() { @@ -689,7 +690,7 @@ public SubmitApplicationResponse submitApplication( try { // call RMAppManager to submit application directly rmAppManager.submitApplication(submissionContext, - System.currentTimeMillis(), user); + System.currentTimeMillis(), user, getRemoteAddress()); LOG.info("Application with id " + applicationId.getId() + " submitted by user " + user); @@ -1225,13 +1226,14 @@ public MoveApplicationAcrossQueuesResponse moveApplicationAcrossQueues( */ private boolean accessToTargetQueueAllowed(UserGroupInformation callerUGI, RMApp application, String targetQueue) { + String remoteAddress = getRemoteAddress(); return queueACLsManager.checkAccess(callerUGI, QueueACL.SUBMIT_APPLICATIONS, application, - Server.getRemoteAddress(), null, targetQueue) || + remoteAddress, null, targetQueue) || queueACLsManager.checkAccess(callerUGI, QueueACL.ADMINISTER_QUEUE, application, - Server.getRemoteAddress(), null, targetQueue); + remoteAddress, null, targetQueue); } private String getRenewerForToken(Token token) @@ -1910,4 +1912,12 @@ public GetNodesToAttributesResponse getNodesToAttributes( public void setDisplayPerUserApps(boolean displayPerUserApps) { this.filterAppsByUser = displayPerUserApps; } + + // Returns Client Address (Http or IPC) + public static String getRemoteAddress() { + String remoteAddress = RMWebAppFilter.getRemoteAddress(); + remoteAddress = (remoteAddress != null) ? remoteAddress : + Server.getRemoteAddress(); + return remoteAddress; + } } diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/RMAppManager.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/RMAppManager.java index f4f9793..6ca8e19 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/RMAppManager.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/RMAppManager.java @@ -381,13 +381,13 @@ private boolean shouldDeleteApp(RMApp app) { @SuppressWarnings("unchecked") protected void submitApplication( ApplicationSubmissionContext submissionContext, long submitTime, - String user) throws YarnException { + String user, String remoteAddress) throws YarnException { ApplicationId applicationId = submissionContext.getApplicationId(); // Passing start time as -1. It will be eventually set in RMAppImpl // constructor. RMAppImpl application = createAndPopulateNewRMApp( - submissionContext, submitTime, user, false, -1, null); + submissionContext, submitTime, user, false, -1, null, remoteAddress); try { if (UserGroupInformation.isSecurityEnabled()) { this.rmContext.getDelegationTokenRenewer() @@ -425,7 +425,7 @@ protected void recoverApplication(ApplicationStateData appState, RMAppImpl application = createAndPopulateNewRMApp(appContext, appState.getSubmitTime(), appState.getUser(), true, appState.getStartTime(), - appState.getState()); + appState.getState(), appState.getRemoteAddress()); application.handle(new RMAppRecoverEvent(appId, rmState)); } @@ -433,7 +433,7 @@ protected void recoverApplication(ApplicationStateData appState, private RMAppImpl createAndPopulateNewRMApp( ApplicationSubmissionContext submissionContext, long submitTime, String user, boolean isRecovery, long startTime, - RMAppState recoveredFinalState) throws YarnException { + RMAppState recoveredFinalState, String remoteAddress) throws YarnException { ApplicationPlacementContext placementContext = null; if (recoveredFinalState == null) { @@ -486,12 +486,12 @@ private RMAppImpl createAndPopulateNewRMApp( && !authorizer.checkPermission( new AccessRequest(csqueue.getPrivilegedEntity(), userUgi, SchedulerUtils.toAccessType(QueueACL.SUBMIT_APPLICATIONS), - applicationId.toString(), appName, Server.getRemoteAddress(), + applicationId.toString(), appName, remoteAddress, null)) && !authorizer.checkPermission( new AccessRequest(csqueue.getPrivilegedEntity(), userUgi, SchedulerUtils.toAccessType(QueueACL.ADMINISTER_QUEUE), - applicationId.toString(), appName, Server.getRemoteAddress(), + applicationId.toString(), appName, remoteAddress, null))) { throw RPCUtil.getRemoteException(new AccessControlException( "User " + user + " does not have permission to submit " @@ -514,8 +514,10 @@ private RMAppImpl createAndPopulateNewRMApp( queue = ((FairScheduler) scheduler).getQueueManager(). getQueue(queueName); } - if (!queue.hasAccess(QueueACL.SUBMIT_APPLICATIONS, userUgi) && - !queue.hasAccess(QueueACL.ADMINISTER_QUEUE, userUgi)) { + if (!queue.hasAccess(QueueACL.SUBMIT_APPLICATIONS, userUgi, + remoteAddress) && + !queue.hasAccess(QueueACL.ADMINISTER_QUEUE, userUgi, + remoteAddress)) { throw RPCUtil.getRemoteException(new AccessControlException( "User " + user + " does not have permission to submit " + applicationId + " to queue " + @@ -534,7 +536,7 @@ private RMAppImpl createAndPopulateNewRMApp( submissionContext, this.scheduler, this.masterService, submitTime, submissionContext.getApplicationType(), submissionContext.getApplicationTags(), amReqs, placementContext, - startTime); + startTime, remoteAddress); // Concurrent app submissions with same applicationId will fail here // Concurrent app submissions with different applicationIds will not // influence each other @@ -741,6 +743,7 @@ public void handle(RMAppManagerEvent event) { app.getUser(), app.getCallerContext()); appState.setApplicationTimeouts(currentExpireTimeouts); appState.setLaunchTime(app.getLaunchTime()); + appState.setRemoteAddress(app.getRemoteAddress()); // update to state store. Though it synchronous call, update via future to // know any exception has been set. It is required because in non-HA mode, @@ -867,6 +870,7 @@ private void updateAppDataToStateStore(String queue, RMApp app, app.getCallerContext()); appState.setApplicationTimeouts(app.getApplicationTimeouts()); appState.setLaunchTime(app.getLaunchTime()); + appState.setRemoteAddress(app.getRemoteAddress()); rmContext.getStateStore().updateApplicationStateSynchronously(appState, false, future); diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/RMStateStore.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/RMStateStore.java index e88d2b4..4bbfd27 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/RMStateStore.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/RMStateStore.java @@ -939,6 +939,7 @@ public void storeNewApplication(RMApp app) { ApplicationStateData.newInstance(app.getSubmitTime(), app.getStartTime(), context, app.getUser(), app.getCallerContext()); appState.setApplicationTimeouts(app.getApplicationTimeouts()); + appState.setRemoteAddress(app.getRemoteAddress()); getRMStateStoreEventHandler().handle(new RMStateStoreAppEvent(appState)); } diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/ApplicationStateData.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/ApplicationStateData.java index 2b0bd2b..bfb3194 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/ApplicationStateData.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/ApplicationStateData.java @@ -67,7 +67,8 @@ public static ApplicationStateData newInstance(long submitTime, ApplicationSubmissionContext submissionContext, RMAppState state, String diagnostics, long launchTime, long finishTime, CallerContext callerContext, - Map applicationTimeouts) { + Map applicationTimeouts, + String remoteAddress) { ApplicationStateData appState = Records.newRecord(ApplicationStateData.class); appState.setSubmitTime(submitTime); @@ -80,10 +81,23 @@ public static ApplicationStateData newInstance(long submitTime, appState.setFinishTime(finishTime); appState.setCallerContext(callerContext); appState.setApplicationTimeouts(applicationTimeouts); + appState.setRemoteAddress(remoteAddress); return appState; } public static ApplicationStateData newInstance(long submitTime, + long startTime, String user, + ApplicationSubmissionContext submissionContext, RMAppState state, + String diagnostics, long launchTime, long finishTime, + CallerContext callerContext, + Map applicationTimeouts) { + return newInstance(submitTime, startTime, user, submissionContext, state, + diagnostics, launchTime, finishTime, callerContext, applicationTimeouts, + null); + } + + + public static ApplicationStateData newInstance(long submitTime, long startTime, ApplicationSubmissionContext context, String user, CallerContext callerContext) { return newInstance(submitTime, startTime, user, context, null, "", 0, 0, @@ -164,7 +178,18 @@ public int getFirstAttemptId() { @Public @Unstable public abstract String getUser(); - + + /** + * The application submitter address + */ + @Public + @Unstable + public abstract void setRemoteAddress(String remoteAddress); + + @Public + @Unstable + public abstract String getRemoteAddress(); + /** * The {@link ApplicationSubmissionContext} for the application * {@link ApplicationId} can be obtained from the this diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/impl/pb/ApplicationStateDataPBImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/impl/pb/ApplicationStateDataPBImpl.java index f5cd107..b760e7e 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/impl/pb/ApplicationStateDataPBImpl.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/recovery/records/impl/pb/ApplicationStateDataPBImpl.java @@ -148,6 +148,21 @@ public void setUser(String user) { maybeInitBuilder(); builder.setUser(user); } + + @Override + public String getRemoteAddress() { + ApplicationStateDataProtoOrBuilder p = viaProto ? proto : builder; + if (!p.hasRemoteAddress()) { + return null; + } + return p.getRemoteAddress(); + } + + @Override + public void setRemoteAddress(String remoteAddress) { + maybeInitBuilder(); + builder.setRemoteAddress(remoteAddress); + } @Override public ApplicationSubmissionContext getApplicationSubmissionContext() { diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/RMApp.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/RMApp.java index 535888c..d557168 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/RMApp.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/RMApp.java @@ -60,7 +60,13 @@ * @return the {@link ApplicationId} for this {@link RMApp}. */ ApplicationId getApplicationId(); - + + /** + * The caller's remote ip address. + * @return the caller's remote ip address. + */ + String getRemoteAddress(); + /** * The application submission context for this {@link RMApp} * @return the {@link ApplicationSubmissionContext} for this {@link RMApp} diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/RMAppImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/RMAppImpl.java index c21d8d4..75b65f2 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/RMAppImpl.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/RMAppImpl.java @@ -70,6 +70,7 @@ import org.apache.hadoop.yarn.server.api.protocolrecords.LogAggregationReport; import org.apache.hadoop.yarn.server.api.records.AppCollectorData; import org.apache.hadoop.yarn.server.resourcemanager.ApplicationMasterService; +import org.apache.hadoop.yarn.server.resourcemanager.ClientRMService; import org.apache.hadoop.yarn.server.resourcemanager.RMAppManagerEvent; import org.apache.hadoop.yarn.server.resourcemanager.RMAppManagerEventType; import org.apache.hadoop.yarn.server.resourcemanager.RMAuditLogger; @@ -157,8 +158,7 @@ private Clock systemClock; private boolean isNumAttemptsBeyondThreshold = false; - - + private String remoteAddress; // Mutable fields private long startTime; @@ -407,10 +407,23 @@ public RMAppImpl(ApplicationId applicationId, RMContext rmContext, ApplicationSubmissionContext submissionContext, YarnScheduler scheduler, ApplicationMasterService masterService, long submitTime, String applicationType, Set applicationTags, + List amReqs, ApplicationPlacementContext + placementContext, long startTime) { + this(applicationId, rmContext, config, name, user, queue, + submissionContext, scheduler, masterService, submitTime, + applicationType, applicationTags, amReqs, placementContext, + startTime, ClientRMService.getRemoteAddress()); + } + + public RMAppImpl(ApplicationId applicationId, RMContext rmContext, + Configuration config, String name, String user, String queue, + ApplicationSubmissionContext submissionContext, YarnScheduler scheduler, + ApplicationMasterService masterService, long submitTime, + String applicationType, Set applicationTags, List amReqs) { this(applicationId, rmContext, config, name, user, queue, submissionContext, - scheduler, masterService, submitTime, applicationType, applicationTags, - amReqs, null, -1); + scheduler, masterService, submitTime, applicationType, applicationTags, + amReqs, null, -1, ClientRMService.getRemoteAddress()); } public RMAppImpl(ApplicationId applicationId, RMContext rmContext, @@ -419,7 +432,7 @@ public RMAppImpl(ApplicationId applicationId, RMContext rmContext, ApplicationMasterService masterService, long submitTime, String applicationType, Set applicationTags, List amReqs, ApplicationPlacementContext - placementContext, long startTime) { + placementContext, long startTime, String remoteAddress) { this.systemClock = SystemClock.getInstance(); @@ -516,6 +529,7 @@ public RMAppImpl(ApplicationId applicationId, RMContext rmContext, DEFAULT_AM_SCHEDULING_NODE_BLACKLISTING_DISABLE_THRESHOLD; } } + this.remoteAddress = remoteAddress; } /** @@ -541,7 +555,12 @@ public void stopTimelineCollector() { public ApplicationId getApplicationId() { return this.applicationId; } - + + @Override + public String getRemoteAddress() { + return this.remoteAddress; + } + @Override public ApplicationSubmissionContext getApplicationSubmissionContext() { return this.submissionContext; @@ -922,6 +941,7 @@ public void recover(RMState state) { this.launchTime = appState.getLaunchTime(); this.callerContext = appState.getCallerContext(); this.applicationTimeouts = appState.getApplicationTimeouts(); + this.remoteAddress = appState.getRemoteAddress(); // If interval > 0, some attempts might have been deleted. if (this.attemptFailuresValidityInterval > 0) { this.firstAttemptIdInStateStore = appState.getFirstAttemptId(); @@ -1037,6 +1057,7 @@ public void transition(RMAppImpl app, RMAppEvent event) { app.callerContext); appState.setApplicationTimeouts(app.getApplicationTimeouts()); appState.setLaunchTime(event.getTimestamp()); + appState.setRemoteAddress(app.getRemoteAddress()); app.rmContext.getStateStore().updateApplicationState(appState, false); app.launchTime = event.getTimestamp(); app.rmContext.getSystemMetricsPublisher().appLaunched( @@ -1303,6 +1324,7 @@ private void rememberTargetTransitionsAndStoreState(RMAppEvent event, stateToBeStored, diags, this.launchTime, this.storedFinishTime, this.callerContext); appState.setApplicationTimeouts(this.applicationTimeouts); + appState.setRemoteAddress(this.remoteAddress); this.rmContext.getStateStore().updateApplicationState(appState); } diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/Queue.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/Queue.java index d166e5f..b581760 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/Queue.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/Queue.java @@ -61,7 +61,8 @@ */ List getQueueUserAclInfo(UserGroupInformation user); - boolean hasAccess(QueueACL acl, UserGroupInformation user); + boolean hasAccess(QueueACL acl, UserGroupInformation user, + String remoteAddress); public AbstractUsersManager getAbstractUsersManager(); diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/YarnScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/YarnScheduler.java index d95fe7d..886a858 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/YarnScheduler.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/YarnScheduler.java @@ -190,11 +190,12 @@ ApplicationResourceUsageReport getAppResourceUsageReport( * @param callerUGI * @param acl * @param queueName + * @param remoteAddress * @return true if the user has the permission, * false otherwise */ boolean checkAccess(UserGroupInformation callerUGI, - QueueACL acl, String queueName); + QueueACL acl, String queueName, String remoteAddress); /** * Gets the apps under a given queue diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/AbstractCSQueue.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/AbstractCSQueue.java index 3ae22ad..6dc705e 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/AbstractCSQueue.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/AbstractCSQueue.java @@ -32,7 +32,6 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.apache.hadoop.classification.InterfaceAudience.Private; -import org.apache.hadoop.ipc.Server; import org.apache.hadoop.security.AccessControlException; import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.authorize.AccessControlList; @@ -268,10 +267,11 @@ public void setParent(CSQueue newParentQueue) { } @Override - public boolean hasAccess(QueueACL acl, UserGroupInformation user) { + public boolean hasAccess(QueueACL acl, UserGroupInformation user, + String remoteAddress) { return authorizer.checkPermission( new AccessRequest(queueEntity, user, SchedulerUtils.toAccessType(acl), - null, null, Server.getRemoteAddress(), null)); + null, null, remoteAddress, null)); } /** diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CSQueue.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CSQueue.java index d507e53..82ddcae 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CSQueue.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CSQueue.java @@ -156,10 +156,12 @@ * Check if the user has permission to perform the operation * @param acl ACL * @param user user + * @param remoteAddress caller's remote ip address. * @return true if the user has the permission, * false otherwise */ - public boolean hasAccess(QueueACL acl, UserGroupInformation user); + public boolean hasAccess(QueueACL acl, UserGroupInformation user, + String remoteAddress); /** * Submit a new application to the queue. diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java index 2121a1f..c297784 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacityScheduler.java @@ -2247,14 +2247,14 @@ private void markContainerForNonKillable( @Override public boolean checkAccess(UserGroupInformation callerUGI, - QueueACL acl, String queueName) { + QueueACL acl, String queueName, String remoteAddress) { CSQueue queue = getQueue(queueName); if (queue == null) { LOG.debug("ACL not found for queue access-type {} for queue {}", acl, queueName); return false; } - return queue.hasAccess(acl, callerUGI); + return queue.hasAccess(acl, callerUGI, remoteAddress); } @Override @@ -2705,6 +2705,7 @@ public Priority updateApplicationPriority(Priority newPriority, rmApp.getCallerContext()); appState.setApplicationTimeouts(rmApp.getApplicationTimeouts()); appState.setLaunchTime(rmApp.getLaunchTime()); + appState.setRemoteAddress(rmApp.getRemoteAddress()); rmContext.getStateStore().updateApplicationStateSynchronously(appState, false, future); diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/LeafQueue.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/LeafQueue.java index b883a9a..1a91065 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/LeafQueue.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/LeafQueue.java @@ -50,6 +50,7 @@ import org.apache.hadoop.yarn.factory.providers.RecordFactoryProvider; import org.apache.hadoop.yarn.nodelabels.CommonNodeLabelsManager; import org.apache.hadoop.yarn.security.AccessType; +import org.apache.hadoop.yarn.server.resourcemanager.ClientRMService; import org.apache.hadoop.yarn.server.resourcemanager.nodelabels.RMNodeLabelsManager; import org.apache.hadoop.yarn.server.resourcemanager.rmcontainer.RMContainer; import org.apache.hadoop.yarn.server.resourcemanager.rmcontainer.RMContainerEventType; @@ -481,7 +482,7 @@ public QueueInfo getQueueInfo( QueueUserACLInfo.class); List operations = new ArrayList<>(); for (QueueACL operation : QueueACL.values()) { - if (hasAccess(operation, user)) { + if (hasAccess(operation, user, ClientRMService.getRemoteAddress())) { operations.add(operation); } } diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/ParentQueue.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/ParentQueue.java index 8d32447..cb433e6 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/ParentQueue.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/ParentQueue.java @@ -48,6 +48,7 @@ import org.apache.hadoop.yarn.factories.RecordFactory; import org.apache.hadoop.yarn.factory.providers.RecordFactoryProvider; import org.apache.hadoop.yarn.security.AccessType; +import org.apache.hadoop.yarn.server.resourcemanager.ClientRMService; import org.apache.hadoop.yarn.server.resourcemanager.nodelabels.RMNodeLabelsManager; import org.apache.hadoop.yarn.server.resourcemanager.rmcontainer.RMContainer; import org.apache.hadoop.yarn.server.resourcemanager.rmcontainer.RMContainerEventType; @@ -285,7 +286,7 @@ private QueueUserACLInfo getUserAclInfo( QueueUserACLInfo.class); List operations = new ArrayList(); for (QueueACL operation : QueueACL.values()) { - if (hasAccess(operation, user)) { + if (hasAccess(operation, user, ClientRMService.getRemoteAddress())) { operations.add(operation); } } diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/conf/QueueAdminConfigurationMutationACLPolicy.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/conf/QueueAdminConfigurationMutationACLPolicy.java index ee53fd1..335fa31 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/conf/QueueAdminConfigurationMutationACLPolicy.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/conf/QueueAdminConfigurationMutationACLPolicy.java @@ -23,6 +23,7 @@ import org.apache.hadoop.yarn.api.records.QueueACL; import org.apache.hadoop.yarn.api.records.QueueInfo; import org.apache.hadoop.yarn.security.YarnAuthorizationProvider; +import org.apache.hadoop.yarn.server.resourcemanager.ClientRMService; import org.apache.hadoop.yarn.server.resourcemanager.RMContext; import org.apache.hadoop.yarn.server.resourcemanager.scheduler.ConfigurationMutationACLPolicy; import org.apache.hadoop.yarn.server.resourcemanager.scheduler.MutableConfScheduler; @@ -101,7 +102,8 @@ public boolean isMutationAllowed(UserGroupInformation user, } Queue queue = ((MutableConfScheduler) rmContext.getScheduler()) .getQueue(queueInfo.getQueueName()); - if (queue != null && !queue.hasAccess(QueueACL.ADMINISTER_QUEUE, user)) { + if (queue != null && !queue.hasAccess(QueueACL.ADMINISTER_QUEUE, user, + ClientRMService.getRemoteAddress())) { return false; } } diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSLeafQueue.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSLeafQueue.java index afea3d5..5f81153 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSLeafQueue.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSLeafQueue.java @@ -40,6 +40,7 @@ import org.apache.hadoop.yarn.api.records.QueueACL; import org.apache.hadoop.yarn.api.records.QueueUserACLInfo; import org.apache.hadoop.yarn.api.records.Resource; +import org.apache.hadoop.yarn.server.resourcemanager.ClientRMService; import org.apache.hadoop.yarn.server.resourcemanager.rmcontainer.RMContainer; import org.apache.hadoop.yarn.server.resourcemanager.scheduler.ActiveUsersManager; import org.apache.hadoop.yarn.server.resourcemanager.scheduler.SchedulerAppUtils; @@ -398,7 +399,7 @@ public Resource assignContainer(FSSchedulerNode node) { recordFactory.newRecordInstance(QueueUserACLInfo.class); List operations = new ArrayList<>(); for (QueueACL operation : QueueACL.values()) { - if (hasAccess(operation, user)) { + if (hasAccess(operation, user, ClientRMService.getRemoteAddress())) { operations.add(operation); } } diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSParentQueue.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSParentQueue.java index bb3dffc..c525d46 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSParentQueue.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSParentQueue.java @@ -36,6 +36,7 @@ import org.apache.hadoop.yarn.api.records.QueueACL; import org.apache.hadoop.yarn.api.records.QueueUserACLInfo; import org.apache.hadoop.yarn.api.records.Resource; +import org.apache.hadoop.yarn.server.resourcemanager.ClientRMService; import org.apache.hadoop.yarn.server.resourcemanager.rmcontainer.RMContainer; import org.apache.hadoop.yarn.util.resource.Resources; import org.apache.hadoop.yarn.server.resourcemanager.scheduler.ActiveUsersManager; @@ -162,7 +163,7 @@ public void updateDemand() { private QueueUserACLInfo getUserAclInfo(UserGroupInformation user) { List operations = new ArrayList<>(); for (QueueACL operation : QueueACL.values()) { - if (hasAccess(operation, user)) { + if (hasAccess(operation, user, ClientRMService.getRemoteAddress())) { operations.add(operation); } } diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSQueue.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSQueue.java index cca0875..0e38eac 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSQueue.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FSQueue.java @@ -27,7 +27,6 @@ import org.slf4j.LoggerFactory; import org.apache.hadoop.classification.InterfaceAudience.Private; import org.apache.hadoop.classification.InterfaceStability.Unstable; -import org.apache.hadoop.ipc.Server; import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.yarn.api.records.ApplicationAttemptId; import org.apache.hadoop.yarn.api.records.Priority; @@ -314,11 +313,12 @@ void setSteadyFairShare(Resource steadyFairShare) { metrics.setSteadyFairShare(steadyFairShare); } - public boolean hasAccess(QueueACL acl, UserGroupInformation user) { + public boolean hasAccess(QueueACL acl, UserGroupInformation user, + String remoteAddress) { return authorizer.checkPermission( new AccessRequest(queueEntity, user, SchedulerUtils.toAccessType(acl), null, null, - Server.getRemoteAddress(), null)); + remoteAddress, null)); } long getFairSharePreemptionTimeout() { diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FairScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FairScheduler.java index 04bbe0f..ea57620 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FairScheduler.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/FairScheduler.java @@ -57,6 +57,7 @@ import org.apache.hadoop.yarn.security.PrivilegedEntity.EntityType; import org.apache.hadoop.yarn.security.YarnAuthorizationProvider; import org.apache.hadoop.yarn.server.api.protocolrecords.NMContainerStatus; +import org.apache.hadoop.yarn.server.resourcemanager.ClientRMService; import org.apache.hadoop.yarn.server.resourcemanager.RMContext; import org.apache.hadoop.yarn.server.resourcemanager.RMCriticalThreadUncaughtExceptionHandler; import org.apache.hadoop.yarn.server.resourcemanager.placement.ApplicationPlacementContext; @@ -492,8 +493,13 @@ protected void addApplication(ApplicationId applicationId, UserGroupInformation userUgi = UserGroupInformation.createRemoteUser( user); - if (!queue.hasAccess(QueueACL.SUBMIT_APPLICATIONS, userUgi) && - !queue.hasAccess(QueueACL.ADMINISTER_QUEUE, userUgi)) { + RMApp rmApp = rmContext.getRMApps().get(applicationId); + String remoteAddress = (rmApp != null) ? + rmApp.getRemoteAddress() : ClientRMService.getRemoteAddress(); + + if (!queue.hasAccess(QueueACL.SUBMIT_APPLICATIONS, userUgi, + remoteAddress) && + !queue.hasAccess(QueueACL.ADMINISTER_QUEUE, userUgi, remoteAddress)) { String msg = "User " + user + " does not have permission to submit " + applicationId + " to queue " + queueName; rejectApplicationWithMessage(applicationId, msg); @@ -501,7 +507,6 @@ protected void addApplication(ApplicationId applicationId, return; } - RMApp rmApp = rmContext.getRMApps().get(applicationId); if (rmApp != null) { rmApp.setQueue(queueName); } else { @@ -1585,7 +1590,7 @@ public int getNumClusterNodes() { @Override public boolean checkAccess(UserGroupInformation callerUGI, - QueueACL acl, String queueName) { + QueueACL acl, String queueName, String remoteAddress) { readLock.lock(); try { FSQueue queue = getQueueManager().getQueue(queueName); @@ -1594,7 +1599,7 @@ public boolean checkAccess(UserGroupInformation callerUGI, acl, queueName); return false; } - return queue.hasAccess(acl, callerUGI); + return queue.hasAccess(acl, callerUGI, remoteAddress); } finally { readLock.unlock(); } diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fifo/FifoScheduler.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fifo/FifoScheduler.java index 9bd2a11..fe046e1 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fifo/FifoScheduler.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fifo/FifoScheduler.java @@ -175,7 +175,8 @@ public QueueInfo getQueueInfo( } @Override - public boolean hasAccess(QueueACL acl, UserGroupInformation user) { + public boolean hasAccess(QueueACL acl, UserGroupInformation user, + String remoteAddress) { return getQueueAcls().get(acl).isUserAllowed(user); } @@ -931,8 +932,8 @@ public QueueMetrics getRootQueueMetrics() { @Override public synchronized boolean checkAccess(UserGroupInformation callerUGI, - QueueACL acl, String queueName) { - return DEFAULT_QUEUE.hasAccess(acl, callerUGI); + QueueACL acl, String queueName, String remoteAddress) { + return DEFAULT_QUEUE.hasAccess(acl, callerUGI, remoteAddress); } @Override diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/QueueACLsManager.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/QueueACLsManager.java index 1caa181..5a92b3e 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/QueueACLsManager.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/security/QueueACLsManager.java @@ -82,7 +82,8 @@ public boolean checkAccess(UserGroupInformation callerUGI, QueueACL acl, app.getApplicationId().toString(), app.getName(), remoteAddress, forwardedAddresses)); } else { - return scheduler.checkAccess(callerUGI, acl, app.getQueue()); + return scheduler.checkAccess(callerUGI, acl, app.getQueue(), + remoteAddress); } } @@ -137,10 +138,12 @@ public boolean checkAccess(UserGroupInformation callerUGI, QueueACL acl, + app.getApplicationId()); return false; } - return scheduler.checkAccess(callerUGI, acl, targetQueue); + return scheduler.checkAccess(callerUGI, acl, targetQueue, + remoteAddress); } else { // Any other scheduler just try - return scheduler.checkAccess(callerUGI, acl, targetQueue); + return scheduler.checkAccess(callerUGI, acl, targetQueue, + remoteAddress); } } } diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebAppFilter.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebAppFilter.java index d197be4..3e9b236 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebAppFilter.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebAppFilter.java @@ -78,6 +78,9 @@ private static final int MAX_SLEEP_TIME = 5 * 60; private static final Random randnum = new Random(); + private static final ThreadLocal clientAddress = + new ThreadLocal(); + @Inject public RMWebAppFilter(Injector injector, Configuration conf) { super(injector); @@ -119,6 +122,8 @@ public void doFilter(HttpServletRequest request, String htmlEscapedUriWithQueryString = WebAppUtils.getHtmlEscapedURIWithQueryString(request); + clientAddress.set(request.getRemoteAddr()); + RMWebApp rmWebApp = injector.getInstance(RMWebApp.class); rmWebApp.checkIfStandbyRM(); if (rmWebApp.isStandby() @@ -275,4 +280,9 @@ private static int calculateExponentialTime(int retries) { long baseTime = BASIC_SLEEP_TIME * (1L << retries); return (int) (baseTime * (randnum.nextDouble() + 0.5)); } + + // Returns remote address as a string. + public static String getRemoteAddress() { + return clientAddress.get(); + } } diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java index d263830..becd05a5 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java @@ -2736,8 +2736,9 @@ public RMQueueAclInfo checkUserAccessToQueue( // For the user who invokes this REST call, he/she should have admin access // to the queue. Otherwise we will reject the call. UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true); + if (callerUGI != null && !this.rm.getResourceScheduler().checkAccess( - callerUGI, QueueACL.ADMINISTER_QUEUE, queue)) { + callerUGI, QueueACL.ADMINISTER_QUEUE, queue, hsr.getRemoteAddr())) { throw new ForbiddenException( "User=" + callerUGI.getUserName() + " doesn't haven access to queue=" + queue + " so it cannot check ACLs for other users."); @@ -2759,8 +2760,8 @@ public RMQueueAclInfo checkUserAccessToQueue( + " is not a valid type, valid queue acl types={" + "SUBMIT_APPLICATIONS/ADMINISTER_QUEUE}"); } - - if (!this.rm.getResourceScheduler().checkAccess(user, queueACL, queue)) { + if (!this.rm.getResourceScheduler().checkAccess(user, queueACL, queue, + hsr.getRemoteAddr())) { return new RMQueueAclInfo(false, user.getUserName(), "User=" + username + " doesn't have access to queue=" + queue + " with acl-type=" + queueAclType); diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/proto/yarn_server_resourcemanager_recovery.proto b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/proto/yarn_server_resourcemanager_recovery.proto index 8ac6615..0b34a3e 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/proto/yarn_server_resourcemanager_recovery.proto +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/proto/yarn_server_resourcemanager_recovery.proto @@ -72,6 +72,7 @@ message ApplicationStateDataProto { optional hadoop.common.RPCCallerContextProto caller_context = 8; repeated ApplicationTimeoutMapProto application_timeouts = 9; optional int64 launch_time = 10; + optional string remote_address = 11; } message ApplicationAttemptStateDataProto { diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/AppManagerTestBase.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/AppManagerTestBase.java index 36258b4..19af44d 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/AppManagerTestBase.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/AppManagerTestBase.java @@ -101,7 +101,7 @@ public void submitApplication( ApplicationSubmissionContext submissionContext, String user) throws YarnException { super.submitApplication(submissionContext, System.currentTimeMillis(), - user); + user, null); } } } diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/RMHATestBase.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/RMHATestBase.java index 439a449..af74d29 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/RMHATestBase.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/RMHATestBase.java @@ -169,7 +169,7 @@ public MyRMAppManager(RMContext context, YarnScheduler scheduler, @Override protected void submitApplication( ApplicationSubmissionContext submissionContext, long submitTime, - String user) throws YarnException { + String user, String remoteAddress) throws YarnException { //Do nothing, just add the application to RMContext RMAppImpl application = new RMAppImpl(submissionContext.getApplicationId(), this.rmContext, diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestMoveApplication.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestMoveApplication.java index 05b25df..932aed4 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestMoveApplication.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestMoveApplication.java @@ -175,7 +175,7 @@ public String moveApplication(ApplicationId appId, String newQueue) @Override public synchronized boolean checkAccess(UserGroupInformation callerUGI, - QueueACL acl, String queueName) { + QueueACL acl, String queueName, String remoteAddress) { return acl != QueueACL.ADMINISTER_QUEUE; } diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/applicationsmanager/MockAsm.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/applicationsmanager/MockAsm.java index 5194674..4ee2cf1 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/applicationsmanager/MockAsm.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/applicationsmanager/MockAsm.java @@ -275,6 +275,11 @@ public CollectorInfo getCollectorInfo() { public Map getApplicationSchedulingEnvs() { throw new UnsupportedOperationException("Not supported yet."); } + + @Override + public String getRemoteAddress() { + throw new UnsupportedOperationException("Not supported yet."); + } } public static RMApp newApplication(int i) { diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/MockRMApp.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/MockRMApp.java index 32ece34..5484b0b 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/MockRMApp.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/MockRMApp.java @@ -45,6 +45,7 @@ import org.apache.hadoop.yarn.conf.YarnConfiguration; import org.apache.hadoop.yarn.server.api.protocolrecords.LogAggregationReport; import org.apache.hadoop.yarn.server.api.records.AppCollectorData; +import org.apache.hadoop.yarn.server.resourcemanager.ClientRMService; import org.apache.hadoop.yarn.server.resourcemanager.placement .ApplicationPlacementContext; import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttempt; @@ -376,4 +377,9 @@ public CollectorInfo getCollectorInfo() { public Map getApplicationSchedulingEnvs() { return null; } + + @Override + public String getRemoteAddress() { + return ClientRMService.getRemoteAddress(); + } } diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/TestConfigurationMutationACLPolicies.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/TestConfigurationMutationACLPolicies.java index 8741432..081400d 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/TestConfigurationMutationACLPolicies.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/TestConfigurationMutationACLPolicies.java @@ -36,6 +36,7 @@ import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertTrue; +import static org.mockito.ArgumentMatchers.any; import static org.mockito.ArgumentMatchers.anyBoolean; import static org.mockito.ArgumentMatchers.eq; import static org.mockito.Mockito.mock; @@ -71,10 +72,10 @@ private void mockQueue(String queueName, MutableConfScheduler scheduler) when(scheduler.getQueueInfo(eq(queueName), anyBoolean(), anyBoolean())) .thenReturn(queueInfo); Queue queue = mock(Queue.class); - when(queue.hasAccess(eq(QueueACL.ADMINISTER_QUEUE), eq(GOOD_USER))) - .thenReturn(true); - when(queue.hasAccess(eq(QueueACL.ADMINISTER_QUEUE), eq(BAD_USER))) - .thenReturn(false); + when(queue.hasAccess(eq(QueueACL.ADMINISTER_QUEUE), eq(GOOD_USER), + any())).thenReturn(true); + when(queue.hasAccess(eq(QueueACL.ADMINISTER_QUEUE), eq(BAD_USER), + any())).thenReturn(false); when(scheduler.getQueue(eq(queueName))).thenReturn(queue); } diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestApplicationLimits.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestApplicationLimits.java index 172db0a..148eea3 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestApplicationLimits.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestApplicationLimits.java @@ -142,7 +142,7 @@ public void setUp() throws IOException { // Stub out ACL checks doReturn(true). when(queue).hasAccess(any(QueueACL.class), - any(UserGroupInformation.class)); + any(UserGroupInformation.class), any()); // Some default values doReturn(100).when(queue).getMaxApplications(); diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestLeafQueue.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestLeafQueue.java index 1c8d84c..4fb6414 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestLeafQueue.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestLeafQueue.java @@ -70,6 +70,7 @@ import org.apache.hadoop.yarn.conf.YarnConfiguration; import org.apache.hadoop.yarn.factories.RecordFactory; import org.apache.hadoop.yarn.factory.providers.RecordFactoryProvider; +import org.apache.hadoop.yarn.server.resourcemanager.ClientRMService; import org.apache.hadoop.yarn.server.resourcemanager.MockRM; import org.apache.hadoop.yarn.server.resourcemanager.RMContext; import org.apache.hadoop.yarn.server.resourcemanager.nodelabels.RMNodeLabelsManager; @@ -2851,12 +2852,18 @@ public void testInheritedQueueAcls() throws IOException { LeafQueue b = stubLeafQueue((LeafQueue)queues.get(B)); ParentQueue c = (ParentQueue)queues.get(C); LeafQueue c1 = stubLeafQueue((LeafQueue)queues.get(C1)); - - assertFalse(root.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user)); - assertTrue(a.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user)); - assertTrue(b.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user)); - assertFalse(c.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user)); - assertFalse(c1.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user)); + String remoteAddess = ClientRMService.getRemoteAddress(); + + assertFalse(root.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user, + remoteAddess)); + assertTrue(a.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user, + remoteAddess)); + assertTrue(b.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user, + remoteAddess)); + assertFalse(c.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user, + remoteAddess)); + assertFalse(c1.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user, + remoteAddess)); assertTrue(hasQueueACL( a.getQueueUserAclInfo(user), QueueACL.SUBMIT_APPLICATIONS)); diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestParentQueue.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestParentQueue.java index 4ef9f7a..a39951f 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestParentQueue.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestParentQueue.java @@ -43,6 +43,7 @@ import org.apache.hadoop.yarn.api.records.Resource; import org.apache.hadoop.yarn.conf.YarnConfiguration; import org.apache.hadoop.yarn.security.YarnAuthorizationProvider; +import org.apache.hadoop.yarn.server.resourcemanager.ClientRMService; import org.apache.hadoop.yarn.server.resourcemanager.RMContext; import org.apache.hadoop.yarn.server.resourcemanager.nodelabels.RMNodeLabelsManager; import org.apache.hadoop.yarn.server.resourcemanager.scheduler.NodeType; @@ -920,35 +921,47 @@ public void testQueueAcl() throws Exception { ParentQueue c11 = (ParentQueue)queues.get(C11); ParentQueue c111 = (ParentQueue)queues.get(C111); - assertFalse(root.hasAccess(QueueACL.ADMINISTER_QUEUE, user)); + String remoteAddress = ClientRMService.getRemoteAddress(); + + assertFalse(root.hasAccess(QueueACL.ADMINISTER_QUEUE, user, + remoteAddress)); List aclInfos = root.getQueueUserAclInfo(user); assertFalse(hasQueueACL(aclInfos, QueueACL.ADMINISTER_QUEUE, "root")); - assertFalse(root.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user)); + assertFalse(root.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user, + remoteAddress)); assertFalse(hasQueueACL(aclInfos, QueueACL.SUBMIT_APPLICATIONS, "root")); // c has no SA, but QA - assertTrue(c.hasAccess(QueueACL.ADMINISTER_QUEUE, user)); + assertTrue(c.hasAccess(QueueACL.ADMINISTER_QUEUE, user, + remoteAddress)); assertTrue(hasQueueACL(aclInfos, QueueACL.ADMINISTER_QUEUE, "c")); - assertFalse(c.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user)); + assertFalse(c.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user, + remoteAddress)); assertFalse(hasQueueACL(aclInfos, QueueACL.SUBMIT_APPLICATIONS, "c")); //Queue c1 has QA, no SA (gotten perm from parent) - assertTrue(c1.hasAccess(QueueACL.ADMINISTER_QUEUE, user)); + assertTrue(c1.hasAccess(QueueACL.ADMINISTER_QUEUE, user, + remoteAddress)); assertTrue(hasQueueACL(aclInfos, QueueACL.ADMINISTER_QUEUE, "c1")); - assertFalse(c1.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user)); + assertFalse(c1.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user, + remoteAddress)); assertFalse(hasQueueACL(aclInfos, QueueACL.SUBMIT_APPLICATIONS, "c1")); //Queue c11 has permissions from parent queue and SA - assertTrue(c11.hasAccess(QueueACL.ADMINISTER_QUEUE, user)); + assertTrue(c11.hasAccess(QueueACL.ADMINISTER_QUEUE, user, + remoteAddress)); assertTrue(hasQueueACL(aclInfos, QueueACL.ADMINISTER_QUEUE, "c11")); - assertTrue(c11.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user)); + assertTrue(c11.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user, + remoteAddress)); assertTrue(hasQueueACL(aclInfos, QueueACL.SUBMIT_APPLICATIONS, "c11")); //Queue c111 has SA and AQ, both from parent - assertTrue(c111.hasAccess(QueueACL.ADMINISTER_QUEUE, user)); + assertTrue(c111.hasAccess(QueueACL.ADMINISTER_QUEUE, user, + remoteAddress)); assertTrue(hasQueueACL(aclInfos, QueueACL.ADMINISTER_QUEUE, "c111")); - assertTrue(c111.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user)); + assertTrue(c111.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user, + remoteAddress)); assertTrue(hasQueueACL(aclInfos, QueueACL.SUBMIT_APPLICATIONS, "c111")); reset(c); diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServices.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServices.java index d9d1d9b..6ec54e9 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServices.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServices.java @@ -811,7 +811,7 @@ public void testCheckUserAccessToQueue() throws Exception { ResourceScheduler mockScheduler = new FifoScheduler() { @Override public synchronized boolean checkAccess(UserGroupInformation callerUGI, - QueueACL acl, String queueName) { + QueueACL acl, String queueName, String remoteAddress) { if (acl == QueueACL.ADMINISTER_QUEUE) { if (callerUGI.getUserName().equals("admin")) { return true; -- 2.7.4 (Apple Git-66)