hadoop-yarn-issues mailing list archives

From "YunFan Zhou (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (YARN-6937) Admin cannot post entities when domain is not exists
Date Thu, 03 Aug 2017 07:40:00 GMT

     [ https://issues.apache.org/jira/browse/YARN-6937?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

YunFan Zhou updated YARN-6937:
------------------------------
    Description: 
When I posted entities to the timeline server, I found that it throws the following exception:
{code:java}
org.apache.hadoop.yarn.server.timeline.security.TimelineACLsManager.checkAccess(TimelineACLsManager.java:123)
        at org.apache.hadoop.yarn.server.timeline.TimelineDataManager.postEntities(TimelineDataManager.java:273)
        at org.apache.hadoop.yarn.server.timeline.webapp.TimelineWebServices.postEntities(TimelineWebServices.java:260)
        at sun.reflect.GeneratedMethodAccessor31.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
        at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
{code}

In TimelineACLsManager#checkAccess logic:

{code:java}
  public boolean checkAccess(UserGroupInformation callerUGI,
      ApplicationAccessType applicationAccessType,
      TimelineEntity entity) throws YarnException, IOException {
    if (LOG.isDebugEnabled()) {
      LOG.debug("Verifying the access of "
          + (callerUGI == null ? null : callerUGI.getShortUserName())
          + " on the timeline entity "
          + new EntityIdentifier(entity.getEntityId(), entity.getEntityType()));
    }

    if (!adminAclsManager.areACLsEnabled()) {
      return true;
    }

    // find domain owner and acls
    AccessControlListExt aclExt = aclExts.get(entity.getDomainId());
    if (aclExt == null) {
      aclExt = loadDomainFromTimelineStore(entity.getDomainId());
    }
    if (aclExt == null) {
      throw new YarnException("Domain information of the timeline entity "
          + new EntityIdentifier(entity.getEntityId(), entity.getEntityType())
          + " doesn't exist.");
    }

{code}

Even if you're an administrator, you do not have any permission to do this.
I think it's perfect to do the follow-up checks even though the value of *aclExt* is null:

{code:java}
    if (callerUGI != null
        && (adminAclsManager.isAdmin(callerUGI) ||
            callerUGI.getShortUserName().equals(owner) ||
            domainACL.isUserAllowed(callerUGI))) {
      return true;
    }
    return false;
{code}

Any suggestions?


  was:
When I posted entities to the timeline server, I found that it throws the following exception:
{code:java}
org.apache.hadoop.yarn.server.timeline.security.TimelineACLsManager.checkAccess(TimelineACLsManager.java:123)
        at org.apache.hadoop.yarn.server.timeline.TimelineDataManager.postEntities(TimelineDataManager.java:273)
        at org.apache.hadoop.yarn.server.timeline.webapp.TimelineWebServices.postEntities(TimelineWebServices.java:260)
        at sun.reflect.GeneratedMethodAccessor31.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
        at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
{code}

In TimelineACLsManager#checkAccess logic:




> Admin cannot post entities when domain is not exists
> ----------------------------------------------------
>
>                 Key: YARN-6937
>                 URL: https://issues.apache.org/jira/browse/YARN-6937
>             Project: Hadoop YARN
>          Issue Type: Bug
>            Reporter: YunFan Zhou
>



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
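
The check ordering discussed in this report, as an added example that is not part of the original message and is not Hadoop's code: the admin decision is made before the domain lookup, and the owner and ACL comparisons run only when a domain record exists. `DomainAclCheckExample`, `DomainAcl` and the sample users and domain ids are hypothetical stand-ins; returning false for a non-admin on a missing domain is a choice made in this example.

```java
import java.util.Map;
import java.util.Set;

// Added illustration with simplified stand-in types; not Hadoop's TimelineACLsManager.
public class DomainAclCheckExample {

  // Hypothetical stand-in for the owner and ACL stored per timeline domain.
  record DomainAcl(String owner, Set<String> allowedUsers) {}

  private final Set<String> admins;
  private final Map<String, DomainAcl> domains;

  DomainAclCheckExample(Set<String> admins, Map<String, DomainAcl> domains) {
    this.admins = admins;
    this.domains = domains;
  }

  // Admin check first, then the domain lookup; an unknown domain is denied, not thrown.
  boolean checkAccess(String caller, String domainId) {
    if (caller == null) {
      return false; // no caller identity: deny
    }
    if (admins.contains(caller)) {
      return true; // the admin decision does not depend on the domain record
    }
    DomainAcl acl = (domainId == null) ? null : domains.get(domainId);
    if (acl == null) {
      return false; // no owner or ACL to compare against: fail closed
    }
    return caller.equals(acl.owner()) || acl.allowedUsers().contains(caller);
  }

  static void expect(boolean expected, boolean actual, String label) {
    if (expected != actual) {
      throw new AssertionError(label);
    }
    System.out.println(label + " -> " + actual);
  }

  public static void main(String[] args) {
    // Constructed sample data: one admin, one domain owned by alice and shared with bob.
    DomainAclCheckExample acls = new DomainAclCheckExample(
        Set.of("yarn-admin"), Map.of("domain_1", new DomainAcl("alice", Set.of("bob"))));
    expect(true, acls.checkAccess("yarn-admin", "no_such_domain"), "admin, missing domain");
    expect(false, acls.checkAccess("bob", "no_such_domain"), "non-admin, missing domain");
    expect(true, acls.checkAccess("bob", "domain_1"), "ACL member, existing domain");
    expect(false, acls.checkAccess("carol", "domain_1"), "other user, existing domain");
  }
}
```

Whether an entity should be stored under a domain id that does not exist is a separate decision from this authorization check.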
