Posted to commits@tez.apache.org by hi...@apache.org on 2015/02/24 06:45:18 UTC
tez git commit: TEZ-2135. ACL checks handled incorrectly in
AMWebController. (hitesh)
Repository: tez
Updated Branches:
refs/heads/master c9a74d77b -> c78feed0d
TEZ-2135. ACL checks handled incorrectly in AMWebController. (hitesh)
Project: http://git-wip-us.apache.org/repos/asf/tez/repo
Commit: http://git-wip-us.apache.org/repos/asf/tez/commit/c78feed0
Tree: http://git-wip-us.apache.org/repos/asf/tez/tree/c78feed0
Diff: http://git-wip-us.apache.org/repos/asf/tez/diff/c78feed0
Branch: refs/heads/master
Commit: c78feed0d0954650de64b4a514a5218062cdcb6a
Parents: c9a74d7
Author: Hitesh Shah <hi...@apache.org>
Authored: Mon Feb 23 21:45:05 2015 -0800
Committer: Hitesh Shah <hi...@apache.org>
Committed: Mon Feb 23 21:45:05 2015 -0800
----------------------------------------------------------------------
CHANGES.txt | 1 +
.../apache/tez/common/security/ACLManager.java | 4 ++
.../apache/tez/dag/app/web/AMWebController.java | 14 +++---
.../tez/dag/app/web/TestAMWebController.java | 47 ++++++++++++++++++--
4 files changed, 57 insertions(+), 9 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/tez/blob/c78feed0/CHANGES.txt
----------------------------------------------------------------------
diff --git a/CHANGES.txt b/CHANGES.txt
index c2d5e75..bf39b98 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -71,6 +71,7 @@ Release 0.6.1: Unreleased
INCOMPATIBLE CHANGES
ALL CHANGES:
+ TEZ-2135. ACL checks handled incorrectly in AMWebController.
TEZ-1990. Tez UI: DAG details page shows Nan for end time when a DAG is running.
TEZ-2116. Tez UI: dags page filter does not work if more than one filter is specified.
TEZ-2106. TEZ UI: Display data load time, and add a refresh button for items that can be refreshed.
http://git-wip-us.apache.org/repos/asf/tez/blob/c78feed0/tez-api/src/main/java/org/apache/tez/common/security/ACLManager.java
----------------------------------------------------------------------
diff --git a/tez-api/src/main/java/org/apache/tez/common/security/ACLManager.java b/tez-api/src/main/java/org/apache/tez/common/security/ACLManager.java
index c6a8f26..f91812e 100644
--- a/tez-api/src/main/java/org/apache/tez/common/security/ACLManager.java
+++ b/tez-api/src/main/java/org/apache/tez/common/security/ACLManager.java
@@ -93,6 +93,10 @@ public class ACLManager {
}
}
+ public boolean isAclsEnabled() {
+ return aclsEnabled;
+ }
+
@VisibleForTesting
boolean checkAccess(UserGroupInformation ugi, ACLType aclType) {
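Review bot: The new public `isAclsEnabled()` has no Javadoc, although `AMWebController._hasAccess` in this commit uses it to decide whether a request without a remote user is served. A one-line comment such as `/** Returns true when ACL enforcement is enabled; when false, callers may serve requests that carry no authenticated user. */` would make that contract explicit for other callers. Where `aclsEnabled` is assigned is outside this hunk, so the wording should be checked against the constructor.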
http://git-wip-us.apache.org/repos/asf/tez/blob/c78feed0/tez-dag/src/main/java/org/apache/tez/dag/app/web/AMWebController.java
----------------------------------------------------------------------
diff --git a/tez-dag/src/main/java/org/apache/tez/dag/app/web/AMWebController.java b/tez-dag/src/main/java/org/apache/tez/dag/app/web/AMWebController.java
index b3e404a..334df0b 100644
--- a/tez-dag/src/main/java/org/apache/tez/dag/app/web/AMWebController.java
+++ b/tez-dag/src/main/java/org/apache/tez/dag/app/web/AMWebController.java
@@ -139,6 +139,14 @@ public class AMWebController extends Controller {
}
@VisibleForTesting
+ static boolean _hasAccess(UserGroupInformation callerUGI, AppContext appContext) {
+ if (callerUGI == null) {
+ // Allow anonymous access iff acls disabled
+ return !appContext.getAMACLManager().isAclsEnabled();
+ }
+ return appContext.getAMACLManager().checkDAGViewAccess(callerUGI);
+ }
+
public boolean hasAccess() {
String remoteUser = request().getRemoteUser();
UserGroupInformation callerUGI = null;
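Review bot: `_hasAccess` is now the single place that decides whether a web request is served, yet it has no Javadoc stating which return value means allow, and the bug this commit fixes was an inverted return. I would add a short Javadoc above the `@VisibleForTesting` line saying that `true` grants access, that a null `callerUGI` (no remote user on the request) is allowed only when ACLs are disabled, and that every other caller is decided by `checkDAGViewAccess`. The leading underscore also departs from Java method naming; a package-private overload such as `static boolean hasAccess(UserGroupInformation callerUGI, AppContext appContext)` reads better and keeps the test hook. The body of `hasAccess()` continues past the end of this hunk.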
@@ -146,11 +154,7 @@ public class AMWebController extends Controller {
callerUGI = UserGroupInformation.createRemoteUser(remoteUser);
}
- if (callerUGI != null && appContext.getAMACLManager().checkDAGViewAccess(callerUGI)) {
- return false;
- }
-
- return true;
+ return _hasAccess(callerUGI, appContext);
}
public void getDagProgress() {
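Review bot: `hasAccess()` takes the caller's identity only from `request().getRemoteUser()`, so the ACL check is no stronger than whatever servlet filter fills in that value, and nothing in the visible lines shows which filter that is. If the AM web app can run behind a filter that does not authenticate, the name is caller-supplied and `checkDAGViewAccess` would compare an unverified string against the ACL. A comment above `return _hasAccess(callerUGI, appContext);`, for example `// remoteUser is trusted as set by the web auth filter; ACLs are only meaningful when that filter authenticates`, would record the assumption. The method starts in the previous hunk and the guard around `createRemoteUser` lies between the two hunks, so it is not visible here.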
http://git-wip-us.apache.org/repos/asf/tez/blob/c78feed0/tez-dag/src/test/java/org/apache/tez/dag/app/web/TestAMWebController.java
----------------------------------------------------------------------
diff --git a/tez-dag/src/test/java/org/apache/tez/dag/app/web/TestAMWebController.java b/tez-dag/src/test/java/org/apache/tez/dag/app/web/TestAMWebController.java
index 588eb21..fc17d3e 100644
--- a/tez-dag/src/test/java/org/apache/tez/dag/app/web/TestAMWebController.java
+++ b/tez-dag/src/test/java/org/apache/tez/dag/app/web/TestAMWebController.java
@@ -35,7 +35,9 @@ import javax.servlet.http.HttpServletResponse;
import java.util.Map;
import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.yarn.webapp.Controller;
+import org.apache.tez.common.security.ACLManager;
import org.apache.tez.dag.api.TezConfiguration;
import org.apache.tez.dag.app.AppContext;
import org.apache.tez.dag.app.dag.DAG;
@@ -53,7 +55,8 @@ public class TestAMWebController {
AppContext mockAppContext;
Controller.RequestContext mockRequestContext;
HttpServletResponse mockResponse;
- HttpServletRequest mockRequst;
+ HttpServletRequest mockRequest;
+ String[] userGroups = {};
@Before
public void setup() {
@@ -65,7 +68,7 @@ public class TestAMWebController {
when(mockAppContext.getAMConf()).thenReturn(conf);
mockRequestContext = mock(Controller.RequestContext.class);
mockResponse = mock(HttpServletResponse.class);
- mockRequst = mock(HttpServletRequest.class);
+ mockRequest = mock(HttpServletRequest.class);
}
@Test(timeout = 5000)
@@ -92,8 +95,8 @@ public class TestAMWebController {
doReturn(false).when(spy).hasAccess();
doNothing().when(spy).setCorsHeaders();
doReturn(mockResponse).when(spy).response();
- doReturn(mockRequst).when(spy).request();
- doReturn("dummyuser").when(mockRequst).getRemoteUser();
+ doReturn(mockRequest).when(spy).request();
+ doReturn("dummyuser").when(mockRequest).getRemoteUser();
spy.getDagProgress();
verify(mockResponse).sendError(eq(HttpServletResponse.SC_UNAUTHORIZED), anyString());
@@ -166,4 +169,40 @@ public class TestAMWebController {
Assert.assertTrue("vertex_1422960590892_0007_42_43".equals(progressInfo.getId()));
Assert.assertEquals(66.0f, progressInfo.getProgress(), 0.1);
}
+
+ @Test (timeout = 5000)
+ public void testHasAccessWithAclsDisabled() {
+ Configuration conf = new Configuration(false);
+ conf.setBoolean(TezConfiguration.TEZ_AM_ACLS_ENABLED, false);
+ ACLManager aclManager = new ACLManager("amUser", conf);
+
+ when(mockAppContext.getAMACLManager()).thenReturn(aclManager);
+
+ Assert.assertEquals(true, AMWebController._hasAccess(null, mockAppContext));
+
+ UserGroupInformation mockUser = UserGroupInformation.createUserForTesting(
+ "mockUser", userGroups);
+ Assert.assertEquals(true, AMWebController._hasAccess(mockUser, mockAppContext));
+ }
+
+ @Test (timeout = 5000)
+ public void testHasAccess() {
+ Configuration conf = new Configuration(false);
+ conf.setBoolean(TezConfiguration.TEZ_AM_ACLS_ENABLED, true);
+ ACLManager aclManager = new ACLManager("amUser", conf);
+
+ when(mockAppContext.getAMACLManager()).thenReturn(aclManager);
+
+ Assert.assertEquals(false, AMWebController._hasAccess(null, mockAppContext));
+
+ UserGroupInformation mockUser = UserGroupInformation.createUserForTesting(
+ "mockUser", userGroups);
+ Assert.assertEquals(false, AMWebController._hasAccess(mockUser, mockAppContext));
+
+ UserGroupInformation testUser = UserGroupInformation.createUserForTesting(
+ "amUser", userGroups);
+ Assert.assertEquals(true, AMWebController._hasAccess(testUser, mockAppContext));
+ }
+
+
}
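Review bot: With ACLs enabled, `testHasAccess` covers only the anonymous caller, an unlisted user and the AM user, so the path where a user or group is admitted through a configured view ACL is never exercised; `userGroups` is empty in every case. Both new tests also call the static `_hasAccess` directly, which leaves the translation in `hasAccess()` from `getRemoteUser()` to a `UserGroupInformation` (including the null remote user) untested. I would add one case that configures a view ACL and asserts both an allowed and a denied user, and one that drives `hasAccess()` through the mocked request. As a style point, `Assert.assertEquals(false, …)` reads better as `Assert.assertFalse(AMWebController._hasAccess(null, mockAppContext));`.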