You are viewing a plain text version of this content. The canonical link for it is here.
Posted to yarn-issues@hadoop.apache.org by "Shen Yinjie (JIRA)" <ji...@apache.org> on 2018/07/16 04:54:00 UTC
[jira] [Created] (YARN-8539) TimelineWebService#getUser from
HttpServletRequest may be null
Shen Yinjie created YARN-8539:
---------------------------------
Summary: TimelineWebService#getUser from HttpServletRequest may be null
Key: YARN-8539
URL: https://issues.apache.org/jira/browse/YARN-8539
Project: Hadoop YARN
Issue Type: Bug
Components: timelineservice
Reporter: Shen Yinjie
When we integrate tez-ui with timeline server and set yarn.acl.enabled=true. tez-ui will invoke the timeline rest ** interface(ws/v1/timeline/TEZ_DAG_ID) to get all dags . But tez-ui shows "no records available" .
after some digging, I find when tez-ui invoke ".../ws/v1/timeline/TEZ_DAG_ID". TimelineWebService#getUser(HttpServletRequest req) returns callerUgi = null
In TimelineACLsManager#checkAccess()
{code:java}
......
if (callerUGI != null
&& (adminAclsManager.isAdmin(callerUGI) ||
callerUGI.getShortUserName().equals(owner) ||
domainACL.isUserAllowed(callerUGI))) {
return true;
}
return false;
}
{code}
Finally, Tez ui get nothing because of couldn't pass this checkAccess().
I also refer to the similar code in RMWebServices
{code} protected Boolean hasAccess(RMApp app, HttpServletRequest hsr) {
// Check for the authorization.
UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true);
......
if (callerUGI != null
&& !(this.rm.getApplicationACLsManager().checkAccess(callerUGI,
ApplicationAccessType.VIEW_APP, app.getUser(),
app.getApplicationId())
|| this.rm.getQueueACLsManager().checkAccess(callerUGI,
QueueACL.ADMINISTER_QUEUE, app, hsr.getRemoteAddr(),
forwardedAddresses))) {
return false;
}
return true;
}
{code}
when callerUgi= null, hasAcces() returns true.
So , I made a similar fix for TimelineWebServices.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org