Posted to common-commits@hadoop.apache.org by om...@apache.org on 2011/03/04 05:11:45 UTC
svn commit: r1077406 - in
/hadoop/common/branches/branch-0.20-security-patches/src:
mapred/org/apache/hadoop/mapred/TaskLogServlet.java
test/org/apache/hadoop/mapred/TestWebUIAuthorization.java
Author: omalley
Date: Fri Mar 4 04:11:45 2011
New Revision: 1077406
URL: http://svn.apache.org/viewvc?rev=1077406&view=rev
Log:
commit 1f252b9b45c42c7381b9c3dceea947f3672662bc
Author: Vinod Kumar <vi...@yahoo-inc.com>
Date: Mon Apr 19 13:15:50 2010 +0530
MAPREDUCE-1657. From https://issues.apache.org/jira/secure/attachment/12442135/MR1657.20S.1.patch
+++ b/YAHOO-CHANGES.txt
+ MAPREDUCE-1657. After task logs directory is deleted, tasklog servlet
+ displays wrong error message about job ACLs. (Ravi Gummadi via vinodkv)
+
Modified:
hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/TaskLogServlet.java
hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/mapred/TestWebUIAuthorization.java
Modified: hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/TaskLogServlet.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/TaskLogServlet.java?rev=1077406&r1=1077405&r2=1077406&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/TaskLogServlet.java (original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/TaskLogServlet.java Fri Mar 4 04:11:45 2011
@@ -31,7 +31,6 @@ import javax.servlet.http.HttpServletRes
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.mapreduce.JobACL;
-import org.apache.hadoop.mapreduce.JobContext;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AccessControlList;
@@ -129,7 +128,8 @@ public class TaskLogServlet extends Http
constructJobACLs(conf).get(JobACL.VIEW_JOB);
String jobOwner = conf.get("user.name");
- UserGroupInformation callerUGI = UserGroupInformation.createRemoteUser(user);
+ UserGroupInformation callerUGI =
+ UserGroupInformation.createRemoteUser(user);
tracker.getJobACLsManager().checkAccess(jobId, callerUGI, JobACL.VIEW_JOB,
jobOwner, jobViewACL);
@@ -138,11 +138,21 @@ public class TaskLogServlet extends Http
/**
* Builds a Configuration object by reading the xml file.
* This doesn't load the default resources.
+ *
+ * Returns null if job-acls.xml is not there in userlogs/$jobid/attempt-dir on
+ * local file system. This can happen when we restart the cluster with job
+ * level authorization enabled(but was disabled on earlier cluster) and
+ * viewing task logs of old jobs(i.e. jobs finished on earlier unsecure
+ * cluster).
*/
static Configuration getConfFromJobACLsFile(String attemptIdStr) {
- Configuration conf = new Configuration(false);
- conf.addResource(new Path(TaskLog.getAttemptDir(attemptIdStr).toString(),
- TaskRunner.jobACLsFile));
+ Path jobAclsFilePath = new Path(
+ TaskLog.getAttemptDir(attemptIdStr).toString(), TaskRunner.jobACLsFile);
+ Configuration conf = null;
+ if (new File(jobAclsFilePath.toUri().getPath()).exists()) {
+ conf = new Configuration(false);
+ conf.addResource(jobAclsFilePath);
+ }
return conf;
}
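Review bot: In `getConfFromJobACLsFile`, the `null` return now means "this job has no ACLs to enforce", but `new File(...).exists()` is also false when the path cannot be examined, for instance on a permission problem or when cleanup removes the directory between the caller's check and this one. An access failure is therefore indistinguishable from a job that ran before authorization was enabled, and the visible caller skips the access check in both cases. The Javadoc should state that contract explicitly, for example `Returns null when job-acls.xml cannot be found; callers treat null as "no ACLs recorded" and skip the VIEW_JOB check.` It would be safer still to return `null` only when the file is genuinely absent and to surface any other failure as an error.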
@@ -167,24 +177,34 @@ public class TaskLogServlet extends Http
}
TaskAttemptID attemptId = TaskAttemptID.forName(attemptIdStr);
+ if (!TaskLog.getAttemptDir(attemptIdStr).exists()) {
+ response.sendError(HttpServletResponse.SC_GONE,
+ "Task log directory for task " + attemptId +
+ " does not exist. May be cleaned up by Task Tracker, if older logs.");
+ return;
+ }
// get user name who is accessing
String user = request.getRemoteUser();
if (user != null) {
- // get jobACLConf from ACLs file
- JobConf jobACLConf = new JobConf(getConfFromJobACLsFile(attemptIdStr));
ServletContext context = getServletContext();
TaskTracker taskTracker = (TaskTracker) context.getAttribute(
"task.tracker");
- JobID jobId = attemptId.getJobID();
-
- try {
- checkAccessForTaskLogs(jobACLConf, user, jobId, taskTracker);
- } catch (AccessControlException e) {
- String errMsg = "User " + user + " failed to view tasklogs of job " +
- jobId + "!\n\n" + e.getMessage();
- response.sendError(HttpServletResponse.SC_UNAUTHORIZED, errMsg);
- return;
+ // get jobACLConf from ACLs file
+ Configuration jobACLConf = getConfFromJobACLsFile(attemptIdStr);
+ // Ignore authorization if job-acls.xml is not found
+ if (jobACLConf != null) {
+ JobID jobId = attemptId.getJobID();
+
+ try {
+ checkAccessForTaskLogs(new JobConf(jobACLConf), user, jobId,
+ taskTracker);
+ } catch (AccessControlException e) {
+ String errMsg = "User " + user + " failed to view tasklogs of job " +
+ jobId + "!\n\n" + e.getMessage();
+ response.sendError(HttpServletResponse.SC_UNAUTHORIZED, errMsg);
+ return;
+ }
}
}
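Review bot: The `if (jobACLConf != null)` guard makes authorization fail open: when `job-acls.xml` is missing from the attempt directory, any authenticated user is served the task logs with no `VIEW_JOB` check. That is the intended behaviour for jobs that ran before ACLs were enabled, but the same path is taken if the file is lost or removed for any other reason, and nothing is recorded when it happens. I would at least add an `else` branch that logs the user and attempt id at warning level, and mark the branch with a comment such as `// SECURITY: fails open - missing job-acls.xml means no VIEW_JOB check; intended only for jobs run before ACLs were enabled`. If the TaskTracker can tell whether job ACLs are currently enabled, denying the request when the file is missing for a job started under ACLs would close the gap. The method body starts and continues outside this hunk.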
Modified: hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/mapred/TestWebUIAuthorization.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/mapred/TestWebUIAuthorization.java?rev=1077406&r1=1077405&r2=1077406&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/mapred/TestWebUIAuthorization.java (original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/mapred/TestWebUIAuthorization.java Fri Mar 4 04:11:45 2011
@@ -28,13 +28,12 @@ import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.fs.CommonConfigurationKeys;
-import org.apache.hadoop.fs.FileSystem;
+import org.apache.hadoop.fs.FileUtil;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.http.TestHttpServer.DummyFilterInitializer;
import org.apache.hadoop.mapred.JobHistory.Keys;
import org.apache.hadoop.mapred.JobHistory.TaskAttempt;
import org.apache.hadoop.mapreduce.JobContext;
-import org.apache.hadoop.mapreduce.Job;
import org.apache.hadoop.examples.SleepJob;
import org.apache.hadoop.security.Groups;
import org.apache.hadoop.security.ShellBasedUnixGroupsMapping;
@@ -47,7 +46,6 @@ import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Properties;
-import java.util.Map.Entry;
public class TestWebUIAuthorization extends ClusterMapReduceTestCase {
@@ -366,9 +364,25 @@ public class TestWebUIAuthorization exte
+ attempt.toString() + "&logFile=" + urlEncodedHistoryFileName, "GET");
// validate access to tasklogs
- validateViewJob(TaskLogServlet.getTaskLogUrl("localhost",
- attemptsMap.get(attempt).get(Keys.HTTP_PORT),
- attempt.toString()), "GET");
+ String taskLogURL = TaskLogServlet.getTaskLogUrl("localhost",
+ attemptsMap.get(attempt).get(Keys.HTTP_PORT), attempt.toString());
+ validateViewJob(taskLogURL, "GET");
+
+ // delete job-acls.xml file from the task log dir of attempt and verify
+ // if unauthorized users can view task logs of attempt.
+ Path jobACLsFilePath = new Path(TaskLog.getAttemptDir(attempt).
+ toString(), TaskRunner.jobACLsFile);
+ new File(jobACLsFilePath.toUri().getPath()).delete();
+ assertEquals("Incorrect return code for " + unauthorizedUser,
+ HttpURLConnection.HTTP_OK, getHttpStatusCode(taskLogURL,
+ unauthorizedUser, "GET"));
+
+ // delete the whole task log dir of attempt and verify that we get
+ // correct response code (i.e. HTTP_GONE) when task logs are accessed.
+ FileUtil.fullyDelete(TaskLog.getAttemptDir(attempt));
+ assertEquals("Incorrect return code for " + jobSubmitter,
+ HttpURLConnection.HTTP_GONE, getHttpStatusCode(taskLogURL,
+ jobSubmitter, "GET"));
}
}
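Review bot: The results of `new File(jobACLsFilePath.toUri().getPath()).delete()` and `FileUtil.fullyDelete(...)` are discarded, so a failed deletion only shows up later as a confusing "Incorrect return code" failure. Asserting the precondition keeps the failure at its cause, e.g. `assertTrue("could not delete " + jobACLsFilePath, new File(jobACLsFilePath.toUri().getPath()).delete());`, and likewise for the directory delete. The `HTTP_OK` assertion for `unauthorizedUser` also pins the skip-authorization behaviour as the expected contract. A short comment saying this is deliberate for jobs run before ACLs were enabled would stop a later reader from taking it for a mistake. The enclosing test method begins outside this hunk.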