You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@tez.apache.org by je...@apache.org on 2015/11/05 00:21:19 UTC
tez git commit: TEZ-2922. Tez Live UI gives access denied for admins
Repository: tez
Updated Branches:
refs/heads/master 34f9bdaa3 -> b120e8e84
TEZ-2922. Tez Live UI gives access denied for admins
Project: http://git-wip-us.apache.org/repos/asf/tez/repo
Commit: http://git-wip-us.apache.org/repos/asf/tez/commit/b120e8e8
Tree: http://git-wip-us.apache.org/repos/asf/tez/tree/b120e8e8
Diff: http://git-wip-us.apache.org/repos/asf/tez/diff/b120e8e8
Branch: refs/heads/master
Commit: b120e8e840489baa5b3316bbcd6e34262e579024
Parents: 34f9bda
Author: Jonathan Eagles <je...@yahoo-inc.com>
Authored: Wed Nov 4 17:20:52 2015 -0600
Committer: Jonathan Eagles <je...@yahoo-inc.com>
Committed: Wed Nov 4 17:20:52 2015 -0600
----------------------------------------------------------------------
CHANGES.txt | 2 +
docs/src/site/markdown/tez_acls.md | 11 +++++
.../common/security/ACLConfigurationParser.java | 10 ++--
.../apache/tez/common/security/ACLManager.java | 12 +++--
.../org/apache/tez/common/security/ACLType.java | 2 +
.../security/TestACLConfigurationParser.java | 37 +++++++++++++--
.../tez/common/security/TestACLManager.java | 50 +++++++++++++++++++-
7 files changed, 110 insertions(+), 14 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/tez/blob/b120e8e8/CHANGES.txt
----------------------------------------------------------------------
diff --git a/CHANGES.txt b/CHANGES.txt
index d96fcae..35528c2 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -7,6 +7,7 @@ INCOMPATIBLE CHANGES
TEZ-2679. Admin forms of launch env settings
ALL CHANGES:
+ TEZ-2922. Tez Live UI gives access denied for admins
TEZ-2849. Implement Specific Workaround for JDK-8026049 & JDK-8073093.
TEZ-2828. Fix typo in "Shuffle assigned " log statement in shuffle.orderedgrouped.Shuffle.
TEZ-2909. Tez UI: Application link in All DAGs table is disable when applicationhistory is unavailable
@@ -235,6 +236,7 @@ INCOMPATIBLE CHANGES
TEZ-2679. Admin forms of launch env settings
ALL CHANGES
+ TEZ-2922. Tez Live UI gives access denied for admins
TEZ-2828. Fix typo in "Shuffle assigned " log statement in shuffle.orderedgrouped.Shuffle.
TEZ-2900. Ignore V_INPUT_DATA_INFORMATION when vertex is in Failed/Killed/Error
TEZ-2904. Pig can't specify task specific command opts
http://git-wip-us.apache.org/repos/asf/tez/blob/b120e8e8/docs/src/site/markdown/tez_acls.md
----------------------------------------------------------------------
diff --git a/docs/src/site/markdown/tez_acls.md b/docs/src/site/markdown/tez_acls.md
index 7264c58..52d9661 100644
--- a/docs/src/site/markdown/tez_acls.md
+++ b/docs/src/site/markdown/tez_acls.md
@@ -51,6 +51,17 @@ By default, ACLs are always enabled in Tez. To disable ACLs, set the following c
> <value>false</value><br/>
> </property><br/>
+### YARN Administration ACLs
+
+YARN Administration ACLs are driven by configuration at the cluster level. YARN administrators are granted AM level view and modify permissions. One current limitation is that a modification to the cluster wide yarn.admin.acl configuration while an AM is running is not reflected in the AM view and modify ACLs. To setup the ACLs, the following properties need to be defined:
+
+> <property><br/>
+> <name>yarn.admin.acl</name><br/>
+> <value></value><br/>
+> </property><br/>
+
+The format of the value is a comma-separated list of users and groups with the users and groups separated by a single whitespace. e.g. "user1,user2 group1,group2". To allow all users to do a given operation, the value "*" can be specified.
+
### AM/Session Level ACLs
AM/Session level ACLs are driven by configuration. To setup the ACLs, the following properties need to be defined:
http://git-wip-us.apache.org/repos/asf/tez/blob/b120e8e8/tez-api/src/main/java/org/apache/tez/common/security/ACLConfigurationParser.java
----------------------------------------------------------------------
diff --git a/tez-api/src/main/java/org/apache/tez/common/security/ACLConfigurationParser.java b/tez-api/src/main/java/org/apache/tez/common/security/ACLConfigurationParser.java
index 1c1d7f6..d788a46 100644
--- a/tez-api/src/main/java/org/apache/tez/common/security/ACLConfigurationParser.java
+++ b/tez-api/src/main/java/org/apache/tez/common/security/ACLConfigurationParser.java
@@ -30,6 +30,7 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.apache.hadoop.classification.InterfaceAudience.Private;
import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.yarn.conf.YarnConfiguration;
import org.apache.tez.common.TezCommonUtils;
import org.apache.tez.dag.api.TezConfiguration;
import org.apache.tez.dag.api.TezConstants;
@@ -63,9 +64,11 @@ public class ACLConfigurationParser {
private void parse(boolean dagACLs) {
if (!dagACLs) {
+ parseACLType(YarnConfiguration.YARN_ADMIN_ACL, ACLType.YARN_ADMIN_ACL);
parseACLType(TezConfiguration.TEZ_AM_VIEW_ACLS, ACLType.AM_VIEW_ACL);
parseACLType(TezConfiguration.TEZ_AM_MODIFY_ACLS, ACLType.AM_MODIFY_ACL);
} else {
+ parseACLType(YarnConfiguration.YARN_ADMIN_ACL, ACLType.YARN_ADMIN_ACL);
parseACLType(TezConstants.TEZ_DAG_VIEW_ACLS, ACLType.DAG_VIEW_ACL);
parseACLType(TezConstants.TEZ_DAG_MODIFY_ACLS, ACLType.DAG_MODIFY_ACL);
}
@@ -111,14 +114,11 @@ public class ACLConfigurationParser {
return;
}
if (userListStr.length() >= 1) {
- allowedUsers.put(aclType,
- Sets.newLinkedHashSet(Arrays.asList(TezCommonUtils.getTrimmedStrings(userListStr))));
+ allowedUsers.put(aclType, Sets.newLinkedHashSet(Arrays.asList(TezCommonUtils.getTrimmedStrings(userListStr))));
}
if (groupListStr != null && groupListStr.length() >= 1) {
- allowedGroups.put(aclType,
- Sets.newLinkedHashSet(Arrays.asList(TezCommonUtils.getTrimmedStrings(groupListStr))));
+ allowedGroups.put(aclType, Sets.newLinkedHashSet(Arrays.asList(TezCommonUtils.getTrimmedStrings(groupListStr))));
}
-
}
public Map<ACLType, Set<String>> getAllowedUsers() {
http://git-wip-us.apache.org/repos/asf/tez/blob/b120e8e8/tez-api/src/main/java/org/apache/tez/common/security/ACLManager.java
----------------------------------------------------------------------
diff --git a/tez-api/src/main/java/org/apache/tez/common/security/ACLManager.java b/tez-api/src/main/java/org/apache/tez/common/security/ACLManager.java
index cebb17a..e1c7314 100644
--- a/tez-api/src/main/java/org/apache/tez/common/security/ACLManager.java
+++ b/tez-api/src/main/java/org/apache/tez/common/security/ACLManager.java
@@ -141,21 +141,25 @@ public class ACLManager {
}
public boolean checkAMViewAccess(UserGroupInformation ugi) {
- return checkAccess(ugi, ACLType.AM_VIEW_ACL);
+ return checkAccess(ugi, ACLType.AM_VIEW_ACL)
+ || checkAccess(ugi, ACLType.YARN_ADMIN_ACL);
}
public boolean checkAMModifyAccess(UserGroupInformation ugi) {
- return checkAccess(ugi, ACLType.AM_MODIFY_ACL);
+ return checkAccess(ugi, ACLType.AM_MODIFY_ACL)
+ || checkAccess(ugi, ACLType.YARN_ADMIN_ACL);
}
public boolean checkDAGViewAccess(UserGroupInformation ugi) {
return checkAccess(ugi, ACLType.AM_VIEW_ACL)
- || checkAccess(ugi, ACLType.DAG_VIEW_ACL);
+ || checkAccess(ugi, ACLType.DAG_VIEW_ACL)
+ || checkAccess(ugi, ACLType.YARN_ADMIN_ACL);
}
public boolean checkDAGModifyAccess(UserGroupInformation ugi) {
return checkAccess(ugi, ACLType.AM_MODIFY_ACL)
- || checkAccess(ugi, ACLType.DAG_MODIFY_ACL);
+ || checkAccess(ugi, ACLType.DAG_MODIFY_ACL)
+ || checkAccess(ugi, ACLType.YARN_ADMIN_ACL);
}
public Map<ApplicationAccessType, String> toYARNACls() {
http://git-wip-us.apache.org/repos/asf/tez/blob/b120e8e8/tez-api/src/main/java/org/apache/tez/common/security/ACLType.java
----------------------------------------------------------------------
diff --git a/tez-api/src/main/java/org/apache/tez/common/security/ACLType.java b/tez-api/src/main/java/org/apache/tez/common/security/ACLType.java
index fd00f22..0202e1b 100644
--- a/tez-api/src/main/java/org/apache/tez/common/security/ACLType.java
+++ b/tez-api/src/main/java/org/apache/tez/common/security/ACLType.java
@@ -25,6 +25,8 @@ import org.apache.hadoop.classification.InterfaceAudience.Private;
*/
@Private
public enum ACLType {
+ /** YARN admin (view/modify) permissions on the Application Master */
+ YARN_ADMIN_ACL,
/** View permissions on the Application Master */
AM_VIEW_ACL,
/** Modify permissions on the Application Master */
http://git-wip-us.apache.org/repos/asf/tez/blob/b120e8e8/tez-api/src/test/java/org/apache/tez/common/security/TestACLConfigurationParser.java
----------------------------------------------------------------------
diff --git a/tez-api/src/test/java/org/apache/tez/common/security/TestACLConfigurationParser.java b/tez-api/src/test/java/org/apache/tez/common/security/TestACLConfigurationParser.java
index a535d18..f1a2c49 100644
--- a/tez-api/src/test/java/org/apache/tez/common/security/TestACLConfigurationParser.java
+++ b/tez-api/src/test/java/org/apache/tez/common/security/TestACLConfigurationParser.java
@@ -19,6 +19,7 @@
package org.apache.tez.common.security;
import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.yarn.conf.YarnConfiguration;
import org.apache.tez.dag.api.TezConfiguration;
import org.apache.tez.dag.api.TezConstants;
import org.junit.Assert;
@@ -30,8 +31,10 @@ public class TestACLConfigurationParser {
public void testACLConfigParser() {
Configuration conf = new Configuration(false);
+ String adminACLs = "admin1,admin4, admgrp3,admgrp4,admgrp5 ";
String viewACLs = "user1,user4, grp3,grp4,grp5 ";
String modifyACLs = "user3 ";
+ conf.set(YarnConfiguration.YARN_ADMIN_ACL, adminACLs);
conf.set(TezConfiguration.TEZ_AM_VIEW_ACLS, viewACLs);
ACLConfigurationParser parser = new ACLConfigurationParser(conf);
@@ -40,11 +43,16 @@ public class TestACLConfigurationParser {
Assert.assertTrue(parser.getAllowedUsers().get(ACLType.AM_VIEW_ACL).contains("user1"));
Assert.assertFalse(parser.getAllowedUsers().get(ACLType.AM_VIEW_ACL).contains("user3"));
Assert.assertTrue(parser.getAllowedUsers().get(ACLType.AM_VIEW_ACL).contains("user4"));
+ Assert.assertTrue(parser.getAllowedUsers().get(ACLType.YARN_ADMIN_ACL).contains("admin1"));
+ Assert.assertTrue(parser.getAllowedUsers().get(ACLType.YARN_ADMIN_ACL).contains("admin4"));
Assert.assertFalse(parser.getAllowedGroups().isEmpty());
Assert.assertTrue(parser.getAllowedGroups().get(ACLType.AM_VIEW_ACL).contains("grp3"));
Assert.assertFalse(parser.getAllowedGroups().get(ACLType.AM_VIEW_ACL).contains("grp6"));
Assert.assertTrue(parser.getAllowedGroups().get(ACLType.AM_VIEW_ACL).contains("grp4"));
Assert.assertTrue(parser.getAllowedGroups().get(ACLType.AM_VIEW_ACL).contains("grp5"));
+ Assert.assertTrue(parser.getAllowedGroups().get(ACLType.YARN_ADMIN_ACL).contains("admgrp3"));
+ Assert.assertTrue(parser.getAllowedGroups().get(ACLType.YARN_ADMIN_ACL).contains("admgrp4"));
+ Assert.assertTrue(parser.getAllowedGroups().get(ACLType.YARN_ADMIN_ACL).contains("admgrp5"));
conf.set(TezConfiguration.TEZ_AM_MODIFY_ACLS, modifyACLs);
parser = new ACLConfigurationParser(conf);
@@ -60,31 +68,43 @@ public class TestACLConfigurationParser {
Assert.assertFalse(parser.getAllowedGroups().get(ACLType.AM_VIEW_ACL).contains("grp6"));
Assert.assertTrue(parser.getAllowedGroups().get(ACLType.AM_VIEW_ACL).contains("grp4"));
Assert.assertTrue(parser.getAllowedGroups().get(ACLType.AM_VIEW_ACL).contains("grp5"));
- Assert.assertNull(parser.getAllowedGroups().get(ACLType.AM_MODIFY_ACL));
-
+ Assert.assertFalse(parser.getAllowedGroups().isEmpty());
+ Assert.assertTrue(parser.getAllowedGroups().get(ACLType.YARN_ADMIN_ACL).contains("admgrp3"));
+ Assert.assertTrue(parser.getAllowedGroups().get(ACLType.YARN_ADMIN_ACL).contains("admgrp4"));
+ Assert.assertTrue(parser.getAllowedGroups().get(ACLType.YARN_ADMIN_ACL).contains("admgrp5"));
}
@Test(timeout = 5000)
public void testGroupsOnly() {
Configuration conf = new Configuration(false);
+ String adminACLs = "admin1,admin4, admgrp3,admgrp4,admgrp5 ";
String viewACLs = " grp3,grp4,grp5";
conf.set(TezConfiguration.TEZ_AM_VIEW_ACLS, viewACLs);
+ conf.set(YarnConfiguration.YARN_ADMIN_ACL, adminACLs);
+
ACLConfigurationParser parser = new ACLConfigurationParser(conf);
- Assert.assertTrue(parser.getAllowedUsers().isEmpty());
+ Assert.assertFalse(parser.getAllowedUsers().isEmpty());
+ Assert.assertTrue(parser.getAllowedUsers().get(ACLType.YARN_ADMIN_ACL).contains("admin1"));
+ Assert.assertTrue(parser.getAllowedUsers().get(ACLType.YARN_ADMIN_ACL).contains("admin4"));
Assert.assertFalse(parser.getAllowedGroups().isEmpty());
Assert.assertTrue(parser.getAllowedGroups().get(ACLType.AM_VIEW_ACL).contains("grp3"));
Assert.assertFalse(parser.getAllowedGroups().get(ACLType.AM_VIEW_ACL).contains("grp6"));
Assert.assertTrue(parser.getAllowedGroups().get(ACLType.AM_VIEW_ACL).contains("grp4"));
Assert.assertTrue(parser.getAllowedGroups().get(ACLType.AM_VIEW_ACL).contains("grp5"));
+ Assert.assertTrue(parser.getAllowedGroups().get(ACLType.YARN_ADMIN_ACL).contains("admgrp3"));
+ Assert.assertTrue(parser.getAllowedGroups().get(ACLType.YARN_ADMIN_ACL).contains("admgrp4"));
+ Assert.assertTrue(parser.getAllowedGroups().get(ACLType.YARN_ADMIN_ACL).contains("admgrp5"));
}
@Test(timeout = 5000)
public void testDAGACLConfigParser() {
Configuration conf = new Configuration(false);
+ String adminACLs = "admin1,admin4, admgrp3,admgrp4,admgrp5 ";
String viewACLs = "user1,user4 grp3,grp4,grp5";
String modifyACLs = "user3 grp4";
conf.set(TezConstants.TEZ_DAG_VIEW_ACLS, viewACLs);
+ conf.set(YarnConfiguration.YARN_ADMIN_ACL, adminACLs);
ACLConfigurationParser parser = new ACLConfigurationParser(conf, true);
Assert.assertTrue(parser.getAllowedUsers().containsKey(ACLType.DAG_VIEW_ACL));
@@ -92,11 +112,16 @@ public class TestACLConfigurationParser {
Assert.assertTrue(parser.getAllowedUsers().get(ACLType.DAG_VIEW_ACL).contains("user1"));
Assert.assertFalse(parser.getAllowedUsers().get(ACLType.DAG_VIEW_ACL).contains("user3"));
Assert.assertTrue(parser.getAllowedUsers().get(ACLType.DAG_VIEW_ACL).contains("user4"));
+ Assert.assertTrue(parser.getAllowedUsers().get(ACLType.YARN_ADMIN_ACL).contains("admin1"));
+ Assert.assertTrue(parser.getAllowedUsers().get(ACLType.YARN_ADMIN_ACL).contains("admin4"));
Assert.assertFalse(parser.getAllowedGroups().isEmpty());
Assert.assertTrue(parser.getAllowedGroups().get(ACLType.DAG_VIEW_ACL).contains("grp3"));
Assert.assertFalse(parser.getAllowedGroups().get(ACLType.DAG_VIEW_ACL).contains("grp6"));
Assert.assertTrue(parser.getAllowedGroups().get(ACLType.DAG_VIEW_ACL).contains("grp4"));
Assert.assertTrue(parser.getAllowedGroups().get(ACLType.DAG_VIEW_ACL).contains("grp5"));
+ Assert.assertTrue(parser.getAllowedGroups().get(ACLType.YARN_ADMIN_ACL).contains("admgrp3"));
+ Assert.assertTrue(parser.getAllowedGroups().get(ACLType.YARN_ADMIN_ACL).contains("admgrp4"));
+ Assert.assertTrue(parser.getAllowedGroups().get(ACLType.YARN_ADMIN_ACL).contains("admgrp5"));
conf.set(TezConstants.TEZ_DAG_MODIFY_ACLS, modifyACLs);
parser = new ACLConfigurationParser(conf, true);
@@ -107,6 +132,8 @@ public class TestACLConfigurationParser {
Assert.assertTrue(parser.getAllowedUsers().get(ACLType.DAG_VIEW_ACL).contains("user4"));
Assert.assertFalse(parser.getAllowedUsers().get(ACLType.DAG_MODIFY_ACL).contains("user1"));
Assert.assertTrue(parser.getAllowedUsers().get(ACLType.DAG_MODIFY_ACL).contains("user3"));
+ Assert.assertTrue(parser.getAllowedUsers().get(ACLType.YARN_ADMIN_ACL).contains("admin1"));
+ Assert.assertTrue(parser.getAllowedUsers().get(ACLType.YARN_ADMIN_ACL).contains("admin4"));
Assert.assertFalse(parser.getAllowedGroups().isEmpty());
Assert.assertTrue(parser.getAllowedGroups().get(ACLType.DAG_VIEW_ACL).contains("grp3"));
Assert.assertFalse(parser.getAllowedGroups().get(ACLType.DAG_VIEW_ACL).contains("grp6"));
@@ -115,7 +142,9 @@ public class TestACLConfigurationParser {
Assert.assertNotNull(parser.getAllowedGroups().get(ACLType.DAG_MODIFY_ACL));
Assert.assertFalse(parser.getAllowedGroups().get(ACLType.DAG_MODIFY_ACL).contains("grp6"));
Assert.assertTrue(parser.getAllowedGroups().get(ACLType.DAG_MODIFY_ACL).contains("grp4"));
-
+ Assert.assertTrue(parser.getAllowedGroups().get(ACLType.YARN_ADMIN_ACL).contains("admgrp3"));
+ Assert.assertTrue(parser.getAllowedGroups().get(ACLType.YARN_ADMIN_ACL).contains("admgrp4"));
+ Assert.assertTrue(parser.getAllowedGroups().get(ACLType.YARN_ADMIN_ACL).contains("admgrp5"));
}
}
http://git-wip-us.apache.org/repos/asf/tez/blob/b120e8e8/tez-api/src/test/java/org/apache/tez/common/security/TestACLManager.java
----------------------------------------------------------------------
diff --git a/tez-api/src/test/java/org/apache/tez/common/security/TestACLManager.java b/tez-api/src/test/java/org/apache/tez/common/security/TestACLManager.java
index 56cd465..a88e801 100644
--- a/tez-api/src/test/java/org/apache/tez/common/security/TestACLManager.java
+++ b/tez-api/src/test/java/org/apache/tez/common/security/TestACLManager.java
@@ -25,6 +25,7 @@ import java.util.Set;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.yarn.api.records.ApplicationAccessType;
+import org.apache.hadoop.yarn.conf.YarnConfiguration;
import org.apache.tez.dag.api.TezConfiguration;
import org.apache.tez.dag.api.TezConstants;
import org.junit.Assert;
@@ -161,6 +162,7 @@ public class TestACLManager {
String[] groups1 = new String[] {"grp1", "grp2"};
String[] groups2 = new String[] {"grp3", "grp4"};
String[] groups3 = new String[] {"grp5", "grp6"};
+ String[] admingroup1 = new String[] {"admgrp1"};
UserGroupInformation currentUser = UserGroupInformation.createUserForTesting("currentUser", noGroups);
UserGroupInformation user1 = UserGroupInformation.createUserForTesting("user1", groups1); // belongs to grp1 and grp2
@@ -169,14 +171,19 @@ public class TestACLManager {
UserGroupInformation user4 = UserGroupInformation.createUserForTesting("user4", noGroups);
UserGroupInformation user5 = UserGroupInformation.createUserForTesting("user5", groups3); // belongs to grp5 and grp6
UserGroupInformation user6 = UserGroupInformation.createUserForTesting("user6", noGroups);
+ UserGroupInformation admuser1 = UserGroupInformation.createUserForTesting("admuser1", admingroup1);
+ UserGroupInformation admuser2 = UserGroupInformation.createUserForTesting("admuser2", noGroups);
Configuration conf = new Configuration(false);
// View ACLs: user1, user4, grp3, grp4.
String viewACLs = "user1,user4,, grp3,grp4 ";
// Modify ACLs: user3, grp6, grp7
String modifyACLs = "user3 grp6,grp7";
+ // YARN Admin ACLs: admuser1, admgrp1
+ String yarnAdminACLs = "admuser2, admgrp1 ";
conf.set(TezConfiguration.TEZ_AM_VIEW_ACLS, viewACLs);
conf.set(TezConfiguration.TEZ_AM_MODIFY_ACLS, modifyACLs);
+ conf.set(YarnConfiguration.YARN_ADMIN_ACL, yarnAdminACLs);
ACLManager aclManager = new ACLManager(currentUser.getShortUserName(), conf);
@@ -187,6 +194,8 @@ public class TestACLManager {
Assert.assertTrue(aclManager.checkAMViewAccess(user4));
Assert.assertFalse(aclManager.checkAMViewAccess(user5));
Assert.assertFalse(aclManager.checkAMViewAccess(user6));
+ Assert.assertTrue(aclManager.checkAMViewAccess(admuser1));
+ Assert.assertTrue(aclManager.checkAMViewAccess(admuser2));
Assert.assertTrue(aclManager.checkAMModifyAccess(currentUser));
Assert.assertFalse(aclManager.checkAMModifyAccess(user1));
@@ -195,6 +204,8 @@ public class TestACLManager {
Assert.assertFalse(aclManager.checkAMModifyAccess(user4));
Assert.assertTrue(aclManager.checkAMModifyAccess(user5));
Assert.assertFalse(aclManager.checkAMModifyAccess(user6));
+ Assert.assertTrue(aclManager.checkAMModifyAccess(admuser1));
+ Assert.assertTrue(aclManager.checkAMModifyAccess(admuser2));
Assert.assertTrue(aclManager.checkDAGViewAccess(currentUser));
Assert.assertTrue(aclManager.checkDAGViewAccess(user1));
@@ -203,6 +214,8 @@ public class TestACLManager {
Assert.assertTrue(aclManager.checkDAGViewAccess(user4));
Assert.assertFalse(aclManager.checkDAGViewAccess(user5));
Assert.assertFalse(aclManager.checkDAGViewAccess(user6));
+ Assert.assertTrue(aclManager.checkDAGViewAccess(admuser1));
+ Assert.assertTrue(aclManager.checkDAGViewAccess(admuser2));
Assert.assertTrue(aclManager.checkDAGModifyAccess(currentUser));
Assert.assertFalse(aclManager.checkDAGModifyAccess(user1));
@@ -211,7 +224,8 @@ public class TestACLManager {
Assert.assertFalse(aclManager.checkDAGModifyAccess(user4));
Assert.assertTrue(aclManager.checkDAGModifyAccess(user5));
Assert.assertFalse(aclManager.checkDAGModifyAccess(user6));
-
+ Assert.assertTrue(aclManager.checkDAGModifyAccess(admuser1));
+ Assert.assertTrue(aclManager.checkDAGModifyAccess(admuser2));
}
@Test(timeout = 5000)
@@ -219,6 +233,7 @@ public class TestACLManager {
String[] groups1 = new String[] {"grp1", "grp2"};
String[] groups2 = new String[] {"grp3", "grp4"};
String[] groups3 = new String[] {"grp5", "grp6"};
+ String[] admingroup1 = new String[] {"admgrp1"};
UserGroupInformation currentUser = UserGroupInformation.createUserForTesting("currentUser", noGroups);
UserGroupInformation user1 = UserGroupInformation.createUserForTesting("user1", groups1); // belongs to grp1 and grp2
@@ -227,14 +242,19 @@ public class TestACLManager {
UserGroupInformation user4 = UserGroupInformation.createUserForTesting("user4", noGroups);
UserGroupInformation user5 = UserGroupInformation.createUserForTesting("user5", groups3); // belongs to grp5 and grp6
UserGroupInformation user6 = UserGroupInformation.createUserForTesting("user6", noGroups);
+ UserGroupInformation admuser1 = UserGroupInformation.createUserForTesting("admuser1", admingroup1);
+ UserGroupInformation admuser2 = UserGroupInformation.createUserForTesting("admuser2", noGroups);
Configuration conf = new Configuration(false);
// View ACLs: user1, user4, grp3, grp4.
String viewACLs = "user1,user4,, grp3,grp4 ";
// Modify ACLs: user3, grp6, grp7
String modifyACLs = "user3 grp6,grp7";
+ // YARN Admin ACLs: admuser1, admgrp1
+ String yarnAdminACLs = "admuser2, admgrp1 ";
conf.set(TezConfiguration.TEZ_AM_VIEW_ACLS, viewACLs);
conf.set(TezConfiguration.TEZ_AM_MODIFY_ACLS, modifyACLs);
+ conf.set(YarnConfiguration.YARN_ADMIN_ACL, yarnAdminACLs);
// DAG View ACLs: user1, user4, grp3, grp4.
String dagViewACLs = "user6, grp5 ";
@@ -256,6 +276,8 @@ public class TestACLManager {
Assert.assertTrue(aclManager.checkAMViewAccess(user4));
Assert.assertFalse(aclManager.checkAMViewAccess(user5));
Assert.assertFalse(aclManager.checkAMViewAccess(user6));
+ Assert.assertTrue(aclManager.checkAMViewAccess(admuser1));
+ Assert.assertTrue(aclManager.checkAMViewAccess(admuser2));
Assert.assertTrue(aclManager.checkAMModifyAccess(currentUser));
Assert.assertFalse(aclManager.checkAMModifyAccess(dagUser));
@@ -265,6 +287,8 @@ public class TestACLManager {
Assert.assertFalse(aclManager.checkAMModifyAccess(user4));
Assert.assertTrue(aclManager.checkAMModifyAccess(user5));
Assert.assertFalse(aclManager.checkAMModifyAccess(user6));
+ Assert.assertTrue(aclManager.checkAMModifyAccess(admuser1));
+ Assert.assertTrue(aclManager.checkAMModifyAccess(admuser2));
Assert.assertTrue(aclManager.checkDAGViewAccess(currentUser));
Assert.assertTrue(aclManager.checkDAGViewAccess(dagUser));
@@ -274,6 +298,8 @@ public class TestACLManager {
Assert.assertTrue(aclManager.checkDAGViewAccess(user4));
Assert.assertTrue(aclManager.checkDAGViewAccess(user5));
Assert.assertTrue(aclManager.checkDAGViewAccess(user6));
+ Assert.assertTrue(aclManager.checkDAGViewAccess(admuser1));
+ Assert.assertTrue(aclManager.checkDAGViewAccess(admuser2));
Assert.assertTrue(aclManager.checkDAGModifyAccess(currentUser));
Assert.assertTrue(aclManager.checkDAGModifyAccess(dagUser));
@@ -283,6 +309,8 @@ public class TestACLManager {
Assert.assertFalse(aclManager.checkDAGModifyAccess(user4));
Assert.assertTrue(aclManager.checkDAGModifyAccess(user5));
Assert.assertTrue(aclManager.checkDAGModifyAccess(user6));
+ Assert.assertTrue(aclManager.checkDAGModifyAccess(admuser1));
+ Assert.assertTrue(aclManager.checkDAGModifyAccess(admuser2));
}
@@ -309,6 +337,26 @@ public class TestACLManager {
}
@Test(timeout = 5000)
+ public void testAdminWildCardCheck() {
+ Configuration conf = new Configuration(false);
+ String yarnAdminACLs = " * ";
+ conf.set(YarnConfiguration.YARN_ADMIN_ACL, yarnAdminACLs);
+
+ UserGroupInformation a1 = UserGroupInformation.createUserForTesting("a1", noGroups);
+ UserGroupInformation u1 = UserGroupInformation.createUserForTesting("u1", noGroups);
+
+ ACLManager aclManager = new ACLManager(a1.getShortUserName(), conf);
+ Assert.assertTrue(aclManager.checkAMViewAccess(a1));
+ Assert.assertTrue(aclManager.checkAMViewAccess(u1));
+ Assert.assertTrue(aclManager.checkAMModifyAccess(a1));
+ Assert.assertTrue(aclManager.checkAMModifyAccess(u1));
+ Assert.assertTrue(aclManager.checkDAGViewAccess(a1));
+ Assert.assertTrue(aclManager.checkDAGViewAccess(u1));
+ Assert.assertTrue(aclManager.checkDAGModifyAccess(a1));
+ Assert.assertTrue(aclManager.checkDAGModifyAccess(u1));
+ }
+
+ @Test(timeout = 5000)
public void testACLsDisabled() {
Configuration conf = new Configuration(false);
conf.setBoolean(TezConfiguration.TEZ_AM_ACLS_ENABLED, false);