Posted to common-commits@hadoop.apache.org by ab...@apache.org on 2019/09/02 04:46:21 UTC

[hadoop] branch trunk updated: YARN-7982. Do ACLs check while retrieving entity-types per application. Contribued by Prabhu Joseph.

This is an automated email from the ASF dual-hosted git repository.

abmodi pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/hadoop.git


The following commit(s) were added to refs/heads/trunk by this push:
     new bc27f7f  YARN-7982. Do ACLs check while retrieving entity-types per application. Contribued by Prabhu Joseph.
bc27f7f is described below

commit bc27f7fb6da76b1b83e410de2bb8c1ecbd11b7f9
Author: Abhishek Modi <ab...@apache.org>
AuthorDate: Mon Sep 2 10:15:59 2019 +0530

    YARN-7982. Do ACLs check while retrieving entity-types per application. Contribued by Prabhu Joseph.
---
 .../reader/TimelineReaderManager.java              |   2 +-
 .../reader/TimelineReaderWebServices.java          |   9 +-
 .../storage/FileSystemTimelineReaderImpl.java      |   4 +
 .../reader/TestTimelineReaderWebServicesACL.java   | 179 +++++++++++++++++++++
 4 files changed, 189 insertions(+), 5 deletions(-)

diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/main/java/org/apache/hadoop/yarn/server/timelineservice/reader/TimelineReaderManager.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/main/java/org/apache/hadoop/yarn/server/timelineservice/reader/TimelineReaderManager.java
index 06da543..f0a01f2 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/main/java/org/apache/hadoop/yarn/server/timelineservice/reader/TimelineReaderManager.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/main/java/org/apache/hadoop/yarn/server/timelineservice/reader/TimelineReaderManager.java
@@ -206,7 +206,7 @@ public class TimelineReaderManager extends AbstractService {
   public Set<String> getEntityTypes(TimelineReaderContext context)
       throws IOException{
     context.setClusterId(getClusterID(context.getClusterId(), getConfig()));
-    return reader.getEntityTypes(new TimelineReaderContext(context));
+    return reader.getEntityTypes(context);
   }
 
   /**
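Review bot: `getEntityTypes` now hands the caller's own `TimelineReaderContext` to the reader instead of a copy, which turns the context into an in/out parameter, and nothing on the method says so. The web-service hunk in this commit reads `context.getUserId()` after this call, so its ACL check silently depends on this line never being changed back to a defensive copy. I would add a comment above the return, for example `// Pass the caller's context, not a copy: the reader fills in userId, which the web layer needs for its ACL check.` Whether the other methods of this class still copy the context is not visible in this hunk; if they do, the difference deserves a line in the Javadoc as well.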
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/main/java/org/apache/hadoop/yarn/server/timelineservice/reader/TimelineReaderWebServices.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/main/java/org/apache/hadoop/yarn/server/timelineservice/reader/TimelineReaderWebServices.java
index 7433692..5f8f33a 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/main/java/org/apache/hadoop/yarn/server/timelineservice/reader/TimelineReaderWebServices.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/main/java/org/apache/hadoop/yarn/server/timelineservice/reader/TimelineReaderWebServices.java
@@ -3358,10 +3358,11 @@ public class TimelineReaderWebServices {
     TimelineReaderManager timelineReaderManager = getTimelineReaderManager();
     Set<String> results = null;
     try {
-      results = timelineReaderManager.getEntityTypes(
-          TimelineReaderWebServicesUtils.createTimelineReaderContext(
-          clusterId, userId, flowName, flowRunId, appId,
-              null, null, null));
+      TimelineReaderContext context = TimelineReaderWebServicesUtils.
+          createTimelineReaderContext(clusterId, userId, flowName, flowRunId,
+          appId, null, null, null);
+      results = timelineReaderManager.getEntityTypes(context);
+      checkAccess(getTimelineReaderManager(), callerUGI, context.getUserId());
       succeeded = true;
     } catch (Exception e) {
       handleException(e, url, startTime, "flowrunid");
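Review bot: The added `checkAccess` call runs only after `getEntityTypes` has already read from the store and assigned `results`, so a denied caller is stopped only if `checkAccess` throws and the `catch` path never returns `results`; neither body is visible in this hunk. When the request already supplies `userId`, the check can run before the read, e.g. `if (userId != null) { checkAccess(timelineReaderManager, callerUGI, userId); }` ahead of the `getEntityTypes` call, keeping the post-read check for the case where the owner has to be resolved. The post-read check also relies on the configured reader filling in `context.getUserId()`; this commit patches only `FileSystemTimelineReaderImpl`, so it is worth confirming that other reader implementations do the same and that `checkAccess` denies rather than allows when the owner is null. Minor: the call can reuse the local `timelineReaderManager` instead of calling `getTimelineReaderManager()` again. The enclosing method starts and ends outside the hunk.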
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/main/java/org/apache/hadoop/yarn/server/timelineservice/storage/FileSystemTimelineReaderImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/main/java/org/apache/hadoop/yarn/server/timelineservice/storage/FileSystemTimelineReaderImpl.java
index 012c9a1..ea7c32e 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/main/java/org/apache/hadoop/yarn/server/timelineservice/storage/FileSystemTimelineReaderImpl.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/main/java/org/apache/hadoop/yarn/server/timelineservice/storage/FileSystemTimelineReaderImpl.java
@@ -432,6 +432,10 @@ public class FileSystemTimelineReaderImpl extends AbstractService
     String flowRunPathStr = getFlowRunPath(context.getUserId(),
         context.getClusterId(), context.getFlowName(), context.getFlowRunId(),
         context.getAppId());
+    if (context.getUserId() == null) {
+      context.setUserId(new Path(flowRunPathStr).getParent().getParent().
+          getName());
+    }
     Path clusterIdPath = new Path(entitiesPath, context.getClusterId());
     Path flowRunPath = new Path(clusterIdPath, flowRunPathStr);
     Path appIdPath = new Path(flowRunPath, context.getAppId());
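Review bot: The added `if` block recovers the owner by walking two levels up from `flowRunPathStr`, which assumes the string always has the shape `<user>/<flow>/<runid>`; `getFlowRunPath` is not visible here, so that shape is unverified. If the string is shorter, or a flow name can contain a path separator, the chain ends on null or on a component that is not the user, and the web layer's ACL check would then run against the wrong owner. Since this value now decides authorization, I would state the assumption in a comment, `// flowRunPathStr is expected to be <user>/<flow>/<runid>; the resolved user feeds the web layer's ACL check`, and throw an `IOException` when the owner cannot be resolved instead of setting whatever the path yields. Having the app-to-flow lookup return the user directly would remove the path parsing altogether. The method body starts and ends outside the hunk.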
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/test/java/org/apache/hadoop/yarn/server/timelineservice/reader/TestTimelineReaderWebServicesACL.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/test/java/org/apache/hadoop/yarn/server/timelineservice/reader/TestTimelineReaderWebServicesACL.java
new file mode 100644
index 0000000..fbd042b
--- /dev/null
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice/src/test/java/org/apache/hadoop/yarn/server/timelineservice/reader/TestTimelineReaderWebServicesACL.java
@@ -0,0 +1,179 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.yarn.server.timelineservice.reader;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+
+import java.io.File;
+import java.io.IOException;
+import java.lang.reflect.UndeclaredThrowableException;
+import java.net.HttpURLConnection;
+import java.net.URI;
+import java.net.URL;
+
+import javax.ws.rs.core.MediaType;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.yarn.conf.YarnConfiguration;
+import org.apache.hadoop.yarn.server.timelineservice.storage.FileSystemTimelineReaderImpl;
+import org.apache.hadoop.yarn.server.timelineservice.storage.TestFileSystemTimelineReaderImpl;
+import org.apache.hadoop.yarn.server.timelineservice.storage.TimelineReader;
+import org.apache.hadoop.yarn.webapp.YarnJacksonJaxbJsonProvider;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import com.sun.jersey.api.client.Client;
+import com.sun.jersey.api.client.ClientResponse;
+import com.sun.jersey.api.client.ClientResponse.Status;
+import com.sun.jersey.api.client.config.ClientConfig;
+import com.sun.jersey.api.client.config.DefaultClientConfig;
+import com.sun.jersey.client.urlconnection.HttpURLConnectionFactory;
+import com.sun.jersey.client.urlconnection.URLConnectionClientHandler;
+
+/**
+ * Tests ACL check while retrieving entity-types per application.
+ */
+public class TestTimelineReaderWebServicesACL {
+
+  private static final String ROOT_DIR = new File("target",
+      TestTimelineReaderWebServicesACL.class.getSimpleName()).
+      getAbsolutePath();
+
+  private int serverPort;
+  private TimelineReaderServer server;
+  private static final String ADMIN = "yarn";
+
+  @BeforeClass
+  public static void setup() throws Exception {
+    TestFileSystemTimelineReaderImpl.initializeDataDirectory(ROOT_DIR);
+  }
+
+  @AfterClass
+  public static void tearDown() throws Exception {
+    FileUtils.deleteDirectory(new File(ROOT_DIR));
+  }
+
+  @Before
+  public void init() throws Exception {
+    try {
+      Configuration config = new YarnConfiguration();
+      config.setBoolean(YarnConfiguration.TIMELINE_SERVICE_ENABLED, true);
+      config.setFloat(YarnConfiguration.TIMELINE_SERVICE_VERSION, 2.0f);
+      config.set(YarnConfiguration.TIMELINE_SERVICE_READER_WEBAPP_ADDRESS,
+          "localhost:0");
+      config.set(YarnConfiguration.RM_CLUSTER_ID, "cluster1");
+      config.setClass(YarnConfiguration.TIMELINE_SERVICE_READER_CLASS,
+          FileSystemTimelineReaderImpl.class, TimelineReader.class);
+      config.set(FileSystemTimelineReaderImpl.TIMELINE_SERVICE_STORAGE_DIR_ROOT,
+          ROOT_DIR);
+      config.setBoolean(YarnConfiguration.FILTER_ENTITY_LIST_BY_USER, true);
+      config.setBoolean(YarnConfiguration.YARN_ACL_ENABLE, true);
+      config.set(YarnConfiguration.YARN_ADMIN_ACL, ADMIN);
+      server = new TimelineReaderServer();
+      server.init(config);
+      server.start();
+      serverPort = server.getWebServerPort();
+    } catch (Exception e) {
+      Assert.fail("Web server failed to start");
+    }
+  }
+
+  @After
+  public void stop() throws Exception {
+    if (server != null) {
+      server.stop();
+      server = null;
+    }
+  }
+
+  private static ClientResponse verifyHttpResponse(Client client, URI uri,
+      Status expectedStatus) {
+    ClientResponse resp =
+        client.resource(uri).accept(MediaType.APPLICATION_JSON)
+        .type(MediaType.APPLICATION_JSON).get(ClientResponse.class);
+    assertNotNull(resp);
+    assertEquals(resp.getStatusInfo().getStatusCode(),
+        expectedStatus.getStatusCode());
+    return resp;
+  }
+
+  private static Client createClient() {
+    ClientConfig cfg = new DefaultClientConfig();
+    cfg.getClasses().add(YarnJacksonJaxbJsonProvider.class);
+    return new Client(new URLConnectionClientHandler(
+        new DummyURLConnectionFactory()), cfg);
+  }
+
+  private static class DummyURLConnectionFactory
+      implements HttpURLConnectionFactory {
+    @Override
+    public HttpURLConnection getHttpURLConnection(final URL url)
+        throws IOException {
+      try {
+        return (HttpURLConnection)url.openConnection();
+      } catch (UndeclaredThrowableException e) {
+        throw new IOException(e.getCause());
+      }
+    }
+  }
+
+  @Test
+  public void testGetEntityTypes() throws Exception {
+    Client client = createClient();
+    try {
+      String unAuthorizedUser ="user2";
+      URI uri = URI.create("http://localhost:" + serverPort + "/ws/v2/" +
+          "timeline/apps/app1/entity-types?user.name="+unAuthorizedUser);
+      String msg = "User " + unAuthorizedUser
+          + " is not allowed to read TimelineService V2 data.";
+      ClientResponse resp = verifyHttpResponse(client, uri, Status.FORBIDDEN);
+      assertTrue(resp.getEntity(String.class).contains(msg));
+
+      String authorizedUser ="user1";
+      uri = URI.create("http://localhost:" + serverPort + "/ws/v2/" +
+          "timeline/apps/app1/entity-types?user.name="+authorizedUser);
+      verifyHttpResponse(client, uri, Status.OK);
+
+      uri = URI.create("http://localhost:" + serverPort + "/ws/v2/" +
+          "timeline/apps/app1/entity-types?user.name="+ADMIN);
+      verifyHttpResponse(client, uri, Status.OK);
+
+      // Verify with Query Parameter userid
+      uri = URI.create("http://localhost:" + serverPort + "/ws/v2/" +
+          "timeline/apps/app1/entity-types?user.name="+authorizedUser
+          + "&userid="+authorizedUser);
+      verifyHttpResponse(client, uri, Status.OK);
+
+      uri = URI.create("http://localhost:" + serverPort + "/ws/v2/" +
+          "timeline/apps/app1/entity-types?user.name="+authorizedUser
+          + "&userid="+unAuthorizedUser);
+      verifyHttpResponse(client, uri, Status.FORBIDDEN);
+    } finally {
+      client.destroy();
+    }
+  }
+
+}
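Review bot: In `init()` the `catch (Exception e)` replaces the real startup failure with `Assert.fail("Web server failed to start")`, so a broken ACL or reader configuration shows up with no cause; the method already declares `throws Exception`, so the try/catch can simply be dropped. In `verifyHttpResponse` the `assertEquals` arguments are in (actual, expected) order, which makes a failing 403/200 check report the codes the wrong way round; it should read `assertEquals(expectedStatus.getStatusCode(), resp.getStatusInfo().getStatusCode());`. The test covers only `FileSystemTimelineReaderImpl` with ACLs enabled; a case with `YARN_ACL_ENABLE` off and one for an application id that does not exist would pin down the behaviour around the new check.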

