You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-commits@hadoop.apache.org by br...@apache.org on 2021/04/02 16:02:28 UTC
[hadoop] branch branch-3.3 updated: MAPREDUCE-7199. HsJobsBlock
reuse JobACLsManager for checkAccess. Contributed by Bilwa S T
This is an automated email from the ASF dual-hosted git repository.
brahma pushed a commit to branch branch-3.3
in repository https://gitbox.apache.org/repos/asf/hadoop.git
The following commit(s) were added to refs/heads/branch-3.3 by this push:
new e079aaa MAPREDUCE-7199. HsJobsBlock reuse JobACLsManager for checkAccess. Contributed by Bilwa S T
e079aaa is described below
commit e079aaa8200d840c522e391b650d2b8e833ece89
Author: Surendra Singh Lilhore <su...@apache.org>
AuthorDate: Sat Apr 18 19:42:20 2020 +0530
MAPREDUCE-7199. HsJobsBlock reuse JobACLsManager for checkAccess. Contributed by Bilwa S T
(cherry picked from commit a1b0697d379d33223ec1a46dfef31d6d226169bb)
---
.../org/apache/hadoop/mapred/JobACLsManager.java | 2 +-
.../hadoop/mapreduce/v2/hs/webapp/HsJobsBlock.java | 31 +++++-----------------
2 files changed, 7 insertions(+), 26 deletions(-)
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/JobACLsManager.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/JobACLsManager.java
index 7373f7a..1761500 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/JobACLsManager.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/JobACLsManager.java
@@ -117,7 +117,7 @@ public class JobACLsManager {
// Allow Job-owner for any operation on the job
if (isMRAdmin(callerUGI)
|| user.equals(jobOwner)
- || jobACL.isUserAllowed(callerUGI)) {
+ || (null != jobACL && jobACL.isUserAllowed(callerUGI))) {
return true;
}
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/webapp/HsJobsBlock.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/webapp/HsJobsBlock.java
index 3f4daf9..6a83ac2 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/webapp/HsJobsBlock.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/webapp/HsJobsBlock.java
@@ -23,12 +23,12 @@ import java.util.Date;
import org.apache.commons.text.StringEscapeUtils;
import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.mapreduce.MRConfig;
+import org.apache.hadoop.mapred.JobACLsManager;
+import org.apache.hadoop.mapreduce.JobACL;
import org.apache.hadoop.mapreduce.v2.app.AppContext;
import org.apache.hadoop.mapreduce.v2.app.job.Job;
import org.apache.hadoop.mapreduce.v2.hs.webapp.dao.JobInfo;
import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.hadoop.security.authorize.AccessControlList;
import org.apache.hadoop.util.StringUtils;
import org.apache.hadoop.yarn.conf.YarnConfiguration;
import org.apache.hadoop.yarn.util.Times;
@@ -49,8 +49,7 @@ public class HsJobsBlock extends HtmlBlock {
new SimpleDateFormat("yyyy.MM.dd HH:mm:ss z");
private UserGroupInformation ugi;
private boolean isFilterAppListByUserEnabled;
- private boolean areAclsEnabled;
- private AccessControlList adminAclList;
+ private JobACLsManager aclsManager;
@Inject
HsJobsBlock(Configuration conf, AppContext appCtx, ViewContext ctx) {
@@ -58,8 +57,7 @@ public class HsJobsBlock extends HtmlBlock {
appContext = appCtx;
isFilterAppListByUserEnabled = conf
.getBoolean(YarnConfiguration.FILTER_ENTITY_LIST_BY_USER, false);
- areAclsEnabled = conf.getBoolean(MRConfig.MR_ACLS_ENABLED, false);
- adminAclList = new AccessControlList(conf.get(MRConfig.MR_ADMINS, " "));
+ aclsManager = new JobACLsManager(conf);
}
/*
@@ -94,8 +92,8 @@ public class HsJobsBlock extends HtmlBlock {
JobInfo job = new JobInfo(j);
ugi = getCallerUGI();
// Allow to list only per-user apps if incoming ugi has permission.
- if (isFilterAppListByUserEnabled && ugi != null
- && !checkAccess(job.getUserName())) {
+ if (isFilterAppListByUserEnabled && ugi != null && !aclsManager
+ .checkAccess(ugi, JobACL.VIEW_JOB, job.getUserName(), null)) {
continue;
}
jobsTableData.append("[\"")
@@ -160,21 +158,4 @@ public class HsJobsBlock extends HtmlBlock {
__().
__();
}
-
- private boolean checkAccess(String userName) {
- if(!areAclsEnabled) {
- return true;
- }
-
- // User could see its own job.
- if (ugi.getShortUserName().equals(userName)) {
- return true;
- }
-
- // Admin could also see all jobs
- if (adminAclList != null && adminAclList.isUserAllowed(ugi)) {
- return true;
- }
- return false;
- }
}
---------------------------------------------------------------------
To unsubscribe, e-mail: common-commits-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-commits-help@hadoop.apache.org