You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-commits@hadoop.apache.org by om...@apache.org on 2011/03/04 05:16:23 UTC
svn commit: r1077451 - in
/hadoop/common/branches/branch-0.20-security-patches/src:
mapred/org/apache/hadoop/mapred/ test/org/apache/hadoop/mapred/
Author: omalley
Date: Fri Mar 4 04:16:22 2011
New Revision: 1077451
URL: http://svn.apache.org/viewvc?rev=1077451&view=rev
Log:
commit 0ca1570d27db1e1f45b25ca284070e8b8aeb213a
Author: Vinod Kumar <vi...@yahoo-inc.com>
Date: Fri May 7 23:50:08 2010 +0530
MAPREDUCE-1759. From https://issues.apache.org/jira/secure/attachment/12443983/1759.20S.1.patch.
+++ b/YAHOO-CHANGES.txt
+ MAPREDUCE-1759. Exception message for unauthorized user doing killJob,
+ killTask, setJobPriority needs to be improved. (gravi via vinodkv)
+
Modified:
hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/ACLsManager.java
hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/CompletedJobStatusStore.java
hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/JSPUtil.java
hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/JobTracker.java
hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/TaskLogServlet.java
hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/mapred/TestQueueManager.java
Modified: hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/ACLsManager.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/ACLsManager.java?rev=1077451&r1=1077450&r2=1077451&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/ACLsManager.java (original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/ACLsManager.java Fri Mar 4 04:16:22 2011
@@ -111,7 +111,7 @@ class ACLsManager {
*/
void checkAccess(JobInProgress job,
UserGroupInformation callerUGI, QueueOperation qOperation,
- JobACL jobOperation) throws AccessControlException {
+ JobACL jobOperation, String operationName) throws AccessControlException {
String queue = job.getProfile().getQueueName();
String jobId = job.getJobID().toString();
@@ -120,7 +120,7 @@ class ACLsManager {
AccessControlList jobAcl = jobStatus.getJobACLs().get(jobOperation);
checkAccess(jobId, callerUGI, queue, qOperation,
- jobOperation, jobOwner, jobAcl);
+ jobOperation, jobOwner, jobAcl, operationName);
}
/**
@@ -133,14 +133,15 @@ class ACLsManager {
* </ul>
*/
void checkAccess(JobStatus jobStatus, UserGroupInformation callerUGI,
- JobACL jobOperation) throws AccessControlException {
+ JobACL jobOperation, String operationName) throws AccessControlException {
String jobId = jobStatus.getJobID().toString();
String jobOwner = jobStatus.getUsername();
AccessControlList jobAcl = jobStatus.getJobACLs().get(jobOperation);
// If acls are enabled, check if jobOwner, cluster admin or part of job ACL
- checkAccess(jobId, callerUGI, jobOperation, jobOwner, jobAcl);
+ checkAccess(jobId, callerUGI, jobOperation, jobOwner, jobAcl,
+ operationName);
}
/**
@@ -153,10 +154,12 @@ class ACLsManager {
* </ul>
*/
void checkAccess(String jobId, UserGroupInformation callerUGI,
- JobACL jobOperation, String jobOwner, AccessControlList jobAcl)
+ JobACL jobOperation, String jobOwner, AccessControlList jobAcl,
+ String operationName)
throws AccessControlException {
// TODO: Queue admins are to be allowed to do the job view operation.
- checkAccess(jobId, callerUGI, null, null, jobOperation, jobOwner, jobAcl);
+ checkAccess(jobId, callerUGI, null, null, jobOperation, jobOwner, jobAcl,
+ operationName);
}
/**
@@ -178,7 +181,8 @@ class ACLsManager {
*/
void checkAccess(String jobId, UserGroupInformation callerUGI,
String queue, QueueOperation qOperation,
- JobACL jobOperation, String jobOwner, AccessControlList jobAcl)
+ JobACL jobOperation, String jobOwner, AccessControlList jobAcl,
+ String operationName)
throws AccessControlException {
if (!aclsEnabled) {
return;
@@ -190,9 +194,9 @@ class ACLsManager {
// any job operation
if (isMRAdmin(callerUGI)) {
if (qOperation == QueueOperation.SUBMIT_JOB) {
- AuditLogger.logSuccess(user, qOperation.name(), queue);
+ AuditLogger.logSuccess(user, operationName, queue);
} else {
- AuditLogger.logSuccess(user, jobOperation.name(), jobId);
+ AuditLogger.logSuccess(user, operationName, jobId);
}
return;
}
@@ -201,16 +205,16 @@ class ACLsManager {
// This is strictly queue operation(not a job operation) like
// submit-job-to-queue.
if (!queueManager.hasAccess(queue, qOperation, callerUGI)) {
- AuditLogger.logFailure(user, qOperation.name(), null, queue,
+ AuditLogger.logFailure(user, operationName, null, queue,
Constants.UNAUTHORIZED_USER + ", job : " + jobId);
throw new AccessControlException("User "
+ callerUGI.getShortUserName() + " cannot perform "
- + "operation " + qOperation + " on queue " + queue
+ + "operation " + operationName + " on queue " + queue
+ ".\n Please run \"hadoop queue -showacls\" "
+ "command to find the queues you have access to .");
} else {
- AuditLogger.logSuccess(user, qOperation.name(), queue);
+ AuditLogger.logSuccess(user, operationName, queue);
return;
}
}
@@ -219,41 +223,42 @@ class ACLsManager {
// check if jobOwner or part of acl-view-job
if (jobACLsManager.checkAccess(callerUGI, jobOperation,
jobOwner, jobAcl)) {
- AuditLogger.logSuccess(user, jobOperation.name(), jobId.toString());
+ AuditLogger.logSuccess(user, operationName, jobId.toString());
return;
}
else {
- AuditLogger.logFailure(user, jobOperation.name(), null,
+ AuditLogger.logFailure(user, operationName, null,
jobId.toString(), Constants.UNAUTHORIZED_USER);
throw new AccessControlException("User "
+ callerUGI.getShortUserName() + " cannot perform operation "
- + jobOperation + " on " + jobId);
+ + operationName + " on " + jobId);
}
}
if (jobOperation == JobACL.MODIFY_JOB) {
// check if queueAdmin, jobOwner or part of acl-modify-job
if (queueManager.hasAccess(queue, qOperation, callerUGI)) {
- AuditLogger.logSuccess(user, qOperation.name(), queue);
+ AuditLogger.logSuccess(user, operationName, queue);
return;
} else if (jobACLsManager.checkAccess(callerUGI, jobOperation,
jobOwner, jobAcl)) {
- AuditLogger.logSuccess(user, jobOperation.name(), jobId);
+ AuditLogger.logSuccess(user, operationName, jobId);
return;
}
- AuditLogger.logFailure(user, jobOperation.name(), null,
+ AuditLogger.logFailure(user, operationName, null,
jobId.toString(), Constants.UNAUTHORIZED_USER + ", queue : "
+ queue);
throw new AccessControlException("User "
+ callerUGI.getShortUserName() + " cannot perform operation "
- + jobOperation + " on " + jobId + " that is in the queue "
+ + operationName + " on " + jobId + " that is in the queue "
+ queue);
}
throw new AccessControlException("Unsupported queue operation "
+ qOperation + " on queue " + queue + ", job operation "
- + jobOperation + " on job " + jobId);
+ + jobOperation + " on job " + jobId + " and the actual-operation "
+ + operationName);
}
}
Modified: hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/CompletedJobStatusStore.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/CompletedJobStatusStore.java?rev=1077451&r1=1077450&r2=1077451&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/CompletedJobStatusStore.java (original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/CompletedJobStatusStore.java Fri Mar 4 04:16:22 2011
@@ -302,7 +302,8 @@ class CompletedJobStatusStore implements
JobStatus jobStatus = readJobStatus(dataIn);
// authorize the user for job view access
aclsManager.checkAccess(jobStatus,
- UserGroupInformation.getCurrentUser(), JobACL.VIEW_JOB);
+ UserGroupInformation.getCurrentUser(), JobACL.VIEW_JOB,
+ JobACL.VIEW_JOB.name());
readJobProfile(dataIn);
counters = readCounters(dataIn);
dataIn.close();
Modified: hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/JSPUtil.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/JSPUtil.java?rev=1077451&r1=1077450&r2=1077451&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/JSPUtil.java (original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/JSPUtil.java Fri Mar 4 04:16:22 2011
@@ -110,7 +110,8 @@ class JSPUtil {
public Void run() throws IOException, ServletException {
// checks job view permission
- jt.getACLsManager().checkAccess(job, ugi, null, JobACL.VIEW_JOB);
+ jt.getACLsManager().checkAccess(job, ugi, null, JobACL.VIEW_JOB,
+ JobACL.VIEW_JOB.name());
return null;
}
});
@@ -489,7 +490,8 @@ class JSPUtil {
// Authorize the user for view access of this job
jobTracker.getACLsManager().checkAccess(jobid, currentUser, JobACL.VIEW_JOB,
- jobInfo.get(Keys.USER), jobInfo.getJobACLs().get(JobACL.VIEW_JOB));
+ jobInfo.get(Keys.USER), jobInfo.getJobACLs().get(JobACL.VIEW_JOB),
+ JobACL.VIEW_JOB.name());
return jobInfo;
}
Modified: hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/JobTracker.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/JobTracker.java?rev=1077451&r1=1077450&r2=1077451&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/JobTracker.java (original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/JobTracker.java Fri Mar 4 04:16:22 2011
@@ -1693,7 +1693,8 @@ public class JobTracker implements MRCon
// check the access
try {
aclsManager.checkAccess(job, ugi,
- QueueManager.QueueOperation.SUBMIT_JOB, null);
+ QueueManager.QueueOperation.SUBMIT_JOB, null,
+ QueueManager.QueueOperation.SUBMIT_JOB.name());
} catch (Throwable t) {
LOG.warn("Access denied for user " + ugi.getShortUserName()
+ " in groups : ["
@@ -3675,7 +3676,8 @@ public class JobTracker implements MRCon
// check for access
try {
aclsManager.checkAccess(job, ugi,
- QueueManager.QueueOperation.SUBMIT_JOB, null);
+ QueueManager.QueueOperation.SUBMIT_JOB, null,
+ QueueManager.QueueOperation.SUBMIT_JOB.name());
} catch (IOException ioe) {
LOG.warn("Access denied for user " + job.getJobConf().getUser()
+ ". Ignoring job " + jobId, ioe);
@@ -3834,7 +3836,8 @@ public class JobTracker implements MRCon
// check both queue-level and job-level access
aclsManager.checkAccess(job, UserGroupInformation.getCurrentUser(),
- QueueManager.QueueOperation.ADMINISTER_JOBS, JobACL.MODIFY_JOB);
+ QueueManager.QueueOperation.ADMINISTER_JOBS, JobACL.MODIFY_JOB,
+ "KILL_JOB");
killJob(job);
}
@@ -4040,7 +4043,8 @@ public class JobTracker implements MRCon
if (job != null) {
// check the job-access
- aclsManager.checkAccess(job, callerUGI, null, JobACL.VIEW_JOB);
+ aclsManager.checkAccess(job, callerUGI, null, JobACL.VIEW_JOB,
+ JobACL.VIEW_JOB.name());
return isJobInited(job) ? job.getCounters() : EMPTY_COUNTERS;
}
@@ -4057,7 +4061,7 @@ public class JobTracker implements MRCon
if (job != null) {
// Check authorization
aclsManager.checkAccess(job, UserGroupInformation.getCurrentUser(), null,
- JobACL.VIEW_JOB);
+ JobACL.VIEW_JOB, JobACL.VIEW_JOB.name());
}
if (job == null || !isJobInited(job)) {
return EMPTY_TASK_REPORTS;
@@ -4085,7 +4089,7 @@ public class JobTracker implements MRCon
if (job != null) {
// Check authorization
aclsManager.checkAccess(job, UserGroupInformation.getCurrentUser(), null,
- JobACL.VIEW_JOB);
+ JobACL.VIEW_JOB, JobACL.VIEW_JOB.name());
}
if (job == null || !isJobInited(job)) {
return EMPTY_TASK_REPORTS;
@@ -4111,7 +4115,7 @@ public class JobTracker implements MRCon
if (job != null) {
// Check authorization
aclsManager.checkAccess(job, UserGroupInformation.getCurrentUser(), null,
- JobACL.VIEW_JOB);
+ JobACL.VIEW_JOB, JobACL.VIEW_JOB.name());
}
if (job == null || !isJobInited(job)) {
return EMPTY_TASK_REPORTS;
@@ -4140,7 +4144,7 @@ public class JobTracker implements MRCon
if (job != null) {
// Check authorization
aclsManager.checkAccess(job, UserGroupInformation.getCurrentUser(), null,
- JobACL.VIEW_JOB);
+ JobACL.VIEW_JOB, JobACL.VIEW_JOB.name());
}
if (job == null || !isJobInited(job)) {
return EMPTY_TASK_REPORTS;
@@ -4207,7 +4211,7 @@ public class JobTracker implements MRCon
if (job != null) {
// Check authorization
aclsManager.checkAccess(job, UserGroupInformation.getCurrentUser(), null,
- JobACL.VIEW_JOB);
+ JobACL.VIEW_JOB, JobACL.VIEW_JOB.name());
}
if (job != null && isJobInited(job)) {
TaskInProgress tip = job.getTaskInProgress(tipId);
@@ -4268,7 +4272,8 @@ public class JobTracker implements MRCon
// check both queue-level and job-level access
aclsManager.checkAccess(tip.getJob(),
UserGroupInformation.getCurrentUser(),
- QueueManager.QueueOperation.ADMINISTER_JOBS, JobACL.MODIFY_JOB);
+ QueueManager.QueueOperation.ADMINISTER_JOBS, JobACL.MODIFY_JOB,
+ shouldFail ? "FAIL_TASK" : "KILL_TASK");
return tip.killTask(taskid, shouldFail);
}
@@ -4340,7 +4345,8 @@ public class JobTracker implements MRCon
// check both queue-level and job-level access
aclsManager.checkAccess(job, UserGroupInformation.getCurrentUser(),
- QueueManager.QueueOperation.ADMINISTER_JOBS, JobACL.MODIFY_JOB);
+ QueueManager.QueueOperation.ADMINISTER_JOBS, JobACL.MODIFY_JOB,
+ "SET_JOB_PRIORITY");
synchronized (taskScheduler) {
JobStatus oldStatus = (JobStatus)job.getStatus().clone();
Modified: hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/TaskLogServlet.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/TaskLogServlet.java?rev=1077451&r1=1077450&r2=1077451&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/TaskLogServlet.java (original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/TaskLogServlet.java Fri Mar 4 04:16:22 2011
@@ -133,7 +133,7 @@ public class TaskLogServlet extends Http
UserGroupInformation.createRemoteUser(user);
tracker.getACLsManager().checkAccess(jobId, callerUGI, JobACL.VIEW_JOB,
- jobOwner, jobViewACL);
+ jobOwner, jobViewACL, JobACL.VIEW_JOB.name());
}
/**
Modified: hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/mapred/TestQueueManager.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/mapred/TestQueueManager.java?rev=1077451&r1=1077450&r2=1077451&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/mapred/TestQueueManager.java (original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/mapred/TestQueueManager.java Fri Mar 4 04:16:22 2011
@@ -655,7 +655,7 @@ public class TestQueueManager extends Te
} else {
LOG.info("exception while submitting/killing job: " + ioe.getMessage());
assertTrue(ioe.getMessage().
- contains(" cannot perform operation MODIFY_JOB on "));
+ contains(" cannot perform operation KILL_JOB on "));
}
} finally {
tearDownCluster();
@@ -690,7 +690,7 @@ public class TestQueueManager extends Te
LOG.info("exception while killing job: " + ioe.getMessage());
assertTrue(ioe.getMessage().
contains("cannot perform operation " +
- "ADMINISTER_JOBS on queue default"));
+ "KILL_JOB on queue default"));
}
//wait for job to complete on its own
while (!rjob.isComplete()) {
@@ -745,7 +745,7 @@ public class TestQueueManager extends Te
LOG.info("exception while changing priority of job: " +
ioe.getMessage());
assertTrue(ioe.getMessage().
- contains(" cannot perform operation MODIFY_JOB on "));
+ contains(" cannot perform operation SET_JOB_PRIORITY on "));
}
return null;
}