You are viewing a plain text version of this content. The canonical link for it is here.

Posted to yarn-issues@hadoop.apache.org by "Shen Yinjie (JIRA)" <ji...@apache.org> on 2018/07/16 04:54:00 UTC

[jira] [Created] (YARN-8539) TimelineWebService#getUser from HttpServletRequest may be null

Shen Yinjie created YARN-8539:
---------------------------------

             Summary: TimelineWebService#getUser from HttpServletRequest may be null
                 Key: YARN-8539
                 URL: https://issues.apache.org/jira/browse/YARN-8539
             Project: Hadoop YARN
          Issue Type: Bug
          Components: timelineservice
            Reporter: Shen Yinjie


When we integrate tez-ui with timeline server and set yarn.acl.enabled=true. tez-ui will invoke the timeline rest ** interface(ws/v1/timeline/TEZ_DAG_ID) to get all dags . But tez-ui shows "no records available" .

after some digging, I find when tez-ui invoke ".../ws/v1/timeline/TEZ_DAG_ID". TimelineWebService#getUser(HttpServletRequest req) returns callerUgi = null

In TimelineACLsManager#checkAccess()
{code:java}
......
if (callerUGI != null
&& (adminAclsManager.isAdmin(callerUGI) ||
callerUGI.getShortUserName().equals(owner) ||
domainACL.isUserAllowed(callerUGI))) {
return true;
}
return false;
}
{code}
Finally, Tez ui get nothing because of couldn't pass this checkAccess().

I also refer to the similar code in RMWebServices

{code} protected Boolean hasAccess(RMApp app, HttpServletRequest hsr) {
 // Check for the authorization.
 UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true);
......
 if (callerUGI != null
 && !(this.rm.getApplicationACLsManager().checkAccess(callerUGI,
 ApplicationAccessType.VIEW_APP, app.getUser(),
 app.getApplicationId())
 || this.rm.getQueueACLsManager().checkAccess(callerUGI,
 QueueACL.ADMINISTER_QUEUE, app, hsr.getRemoteAddr(),
 forwardedAddresses))) {
 return false;
 }
 return true;
 }

{code}

 

when callerUgi= null, hasAcces() returns true.

So , I made a similar fix for TimelineWebServices.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org