tez-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From hit...@apache.org
Subject git commit: TEZ-1458. org.apache.tez.common.security.Groups does not compile against hadoop-2.2.0 anymore. (hitesh)
Date Wed, 20 Aug 2014 00:08:30 GMT
Repository: tez
Updated Branches:
  refs/heads/master d1d94c2f4 -> fbca9f4c0


TEZ-1458. org.apache.tez.common.security.Groups does not compile against hadoop-2.2.0 anymore. (hitesh)


Project: http://git-wip-us.apache.org/repos/asf/tez/repo
Commit: http://git-wip-us.apache.org/repos/asf/tez/commit/fbca9f4c
Tree: http://git-wip-us.apache.org/repos/asf/tez/tree/fbca9f4c
Diff: http://git-wip-us.apache.org/repos/asf/tez/diff/fbca9f4c

Branch: refs/heads/master
Commit: fbca9f4c0aaef1c9d7b4ab6942f69057882c4c19
Parents: d1d94c2
Author: Hitesh Shah <hitesh@apache.org>
Authored: Tue Aug 19 17:07:43 2014 -0700
Committer: Hitesh Shah <hitesh@apache.org>
Committed: Tue Aug 19 17:07:43 2014 -0700

----------------------------------------------------------------------
 .../org/apache/tez/client/TezClientUtils.java   |   5 +-
 .../org/apache/tez/common/TezCommonUtils.java   |  14 +
 .../apache/tez/common/security/ACLManager.java  |  51 ++-
 .../org/apache/tez/common/security/Groups.java  | 281 ----------------
 .../apache/tez/common/TestTezCommonUtils.java   |   9 +
 .../tez/common/security/TestACLManager.java     | 334 ++++++++-----------
 ...DAGClientAMProtocolBlockingPBServerImpl.java |  24 +-
 .../org/apache/tez/dag/app/DAGAppMaster.java    |   5 +-
 .../tez/dag/app/dag/impl/TestDAGImpl.java       |   3 +-
 .../org/apache/tez/test/TestSecureShuffle.java  |   4 +-
 10 files changed, 214 insertions(+), 516 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/tez/blob/fbca9f4c/tez-api/src/main/java/org/apache/tez/client/TezClientUtils.java
----------------------------------------------------------------------
diff --git a/tez-api/src/main/java/org/apache/tez/client/TezClientUtils.java b/tez-api/src/main/java/org/apache/tez/client/TezClientUtils.java
index fdff508..566a2d8 100644
--- a/tez-api/src/main/java/org/apache/tez/client/TezClientUtils.java
+++ b/tez-api/src/main/java/org/apache/tez/client/TezClientUtils.java
@@ -78,7 +78,6 @@ import org.apache.log4j.Level;
 import org.apache.tez.common.TezCommonUtils;
 import org.apache.tez.common.TezYARNUtils;
 import org.apache.tez.common.security.ACLManager;
-import org.apache.tez.common.security.Groups;
 import org.apache.tez.common.security.JobTokenIdentifier;
 import org.apache.tez.common.security.JobTokenSecretManager;
 import org.apache.tez.common.security.TokenCache;
@@ -576,9 +575,7 @@ public class TezClientUtils {
       sessionJarsPBLRsrc);
 
     String user = UserGroupInformation.getCurrentUser().getShortUserName();
-
-    Groups groups = null;
-    ACLManager aclManager = new ACLManager(groups, user, finalTezConf);
+    ACLManager aclManager = new ACLManager(user, finalTezConf);
     Map<ApplicationAccessType, String> acls = aclManager.toYARNACls();
 
     if(dag != null) {

http://git-wip-us.apache.org/repos/asf/tez/blob/fbca9f4c/tez-api/src/main/java/org/apache/tez/common/TezCommonUtils.java
----------------------------------------------------------------------
diff --git a/tez-api/src/main/java/org/apache/tez/common/TezCommonUtils.java b/tez-api/src/main/java/org/apache/tez/common/TezCommonUtils.java
index d11baf2..15878c3 100644
--- a/tez-api/src/main/java/org/apache/tez/common/TezCommonUtils.java
+++ b/tez-api/src/main/java/org/apache/tez/common/TezCommonUtils.java
@@ -19,6 +19,10 @@
 package org.apache.tez.common;
 
 import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+import java.util.StringTokenizer;
 import java.util.zip.Deflater;
 import java.util.zip.DeflaterOutputStream;
 import java.util.zip.InflaterInputStream;
@@ -324,4 +328,14 @@ public class TezCommonUtils {
     }
   }
 
+  public static Collection<String> tokenizeString(String str, String delim) {
+    List<String> values = new ArrayList<String>();
+    if (str == null || str.isEmpty())
+      return values;
+    StringTokenizer tokenizer = new StringTokenizer(str, delim);
+    while (tokenizer.hasMoreTokens()) {
+      values.add(tokenizer.nextToken());
+    }
+    return values;
+  }
 }

http://git-wip-us.apache.org/repos/asf/tez/blob/fbca9f4c/tez-api/src/main/java/org/apache/tez/common/security/ACLManager.java
----------------------------------------------------------------------
diff --git a/tez-api/src/main/java/org/apache/tez/common/security/ACLManager.java b/tez-api/src/main/java/org/apache/tez/common/security/ACLManager.java
index 3146687..d8be327 100644
--- a/tez-api/src/main/java/org/apache/tez/common/security/ACLManager.java
+++ b/tez-api/src/main/java/org/apache/tez/common/security/ACLManager.java
@@ -18,7 +18,6 @@
 
 package org.apache.tez.common.security;
 
-import java.io.IOException;
 import java.util.Collection;
 import java.util.EnumSet;
 import java.util.HashMap;
@@ -49,15 +48,13 @@ public class ACLManager {
   private final String amUser;
   private final Map<ACLType, Set<String>> users;
   private final Map<ACLType, Set<String>> groups;
-  private final Groups userGroupMapping;
   private final boolean aclsEnabled;
 
-  public ACLManager(Groups userGroupMapping, String amUser) {
-    this(userGroupMapping, amUser, new Configuration(false));
+  public ACLManager(String amUser) {
+    this(amUser, new Configuration(false));
   }
 
-  public ACLManager(Groups userGroupMapping, String amUser, Configuration conf) {
-    this.userGroupMapping = userGroupMapping;
+  public ACLManager(String amUser, Configuration conf) {
     this.amUser = amUser;
     this.dagUser = null;
     this.users = new HashMap<ACLType, Set<String>>();
@@ -77,7 +74,6 @@ public class ACLManager {
   }
 
   public ACLManager(ACLManager amACLManager, String dagUser, Configuration dagConf) {
-    this.userGroupMapping = amACLManager.userGroupMapping;
     this.amUser = amACLManager.amUser;
     this.dagUser = dagUser;
     this.users = amACLManager.users;
@@ -96,7 +92,7 @@ public class ACLManager {
   }
 
   @VisibleForTesting
-  boolean checkAccess(String user, ACLType aclType) {
+  boolean checkAccess(String user, Collection<String> userGroups, ACLType aclType) {
     if (!aclsEnabled) {
       return true;
     }
@@ -119,41 +115,36 @@ public class ACLManager {
         }
       }
     }
-    if (groups != null && !groups.isEmpty()) {
-      try {
-        Set<String> set = groups.get(aclType);
-        if (set != null) {
-          Set<String> userGrps = userGroupMapping.getGroups(user);
-          for (String userGrp : userGrps) {
-            if (set.contains(userGrp)) {
-              return true;
-            }
+    if (userGroups != null && !userGroups.isEmpty()
+        && groups != null && !groups.isEmpty()) {
+      Set<String> set = groups.get(aclType);
+      if (set != null) {
+        for (String userGrp : userGroups) {
+          if (set.contains(userGrp)) {
+            return true;
           }
         }
-      } catch (IOException e) {
-        LOG.warn("Failed to retrieve groups for user"
-            + ", user=" + user, e);
       }
     }
     return false;
   }
 
-  public boolean checkAMViewAccess(String user) {
-    return checkAccess(user, ACLType.AM_VIEW_ACL);
+  public boolean checkAMViewAccess(String user, Collection<String> userGroups) {
+    return checkAccess(user, userGroups, ACLType.AM_VIEW_ACL);
   }
 
-  public boolean checkAMModifyAccess(String user) {
-    return checkAccess(user, ACLType.AM_MODIFY_ACL);
+  public boolean checkAMModifyAccess(String user, Collection<String> userGroups) {
+    return checkAccess(user, userGroups, ACLType.AM_MODIFY_ACL);
   }
 
-  public boolean checkDAGViewAccess(String user) {
-    return checkAccess(user, ACLType.AM_VIEW_ACL)
-        || checkAccess(user, ACLType.DAG_VIEW_ACL);
+  public boolean checkDAGViewAccess(String user, Collection<String> userGroups) {
+    return checkAccess(user, userGroups, ACLType.AM_VIEW_ACL)
+        || checkAccess(user, userGroups, ACLType.DAG_VIEW_ACL);
   }
 
-  public boolean checkDAGModifyAccess(String user) {
-    return checkAccess(user, ACLType.AM_MODIFY_ACL)
-        || checkAccess(user, ACLType.DAG_MODIFY_ACL);
+  public boolean checkDAGModifyAccess(String user, Collection<String> userGroups) {
+    return checkAccess(user, userGroups, ACLType.AM_MODIFY_ACL)
+        || checkAccess(user, userGroups, ACLType.DAG_MODIFY_ACL);
   }
 
   public Map<ApplicationAccessType, String> toYARNACls() {

http://git-wip-us.apache.org/repos/asf/tez/blob/fbca9f4c/tez-api/src/main/java/org/apache/tez/common/security/Groups.java
----------------------------------------------------------------------
diff --git a/tez-api/src/main/java/org/apache/tez/common/security/Groups.java b/tez-api/src/main/java/org/apache/tez/common/security/Groups.java
deleted file mode 100644
index ce6f1dd..0000000
--- a/tez-api/src/main/java/org/apache/tez/common/security/Groups.java
+++ /dev/null
@@ -1,281 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.tez.common.security;
-
-import java.io.IOException;
-import java.util.Collection;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-import java.util.concurrent.ConcurrentHashMap;
-
-import org.apache.hadoop.HadoopIllegalArgumentException;
-import org.apache.hadoop.classification.InterfaceAudience.Private;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.fs.CommonConfigurationKeys;
-import org.apache.hadoop.security.GroupMappingServiceProvider;
-import org.apache.hadoop.security.ShellBasedUnixGroupsMapping;
-import org.apache.hadoop.util.ReflectionUtils;
-import org.apache.hadoop.util.StringUtils;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.apache.tez.dag.api.TezUncheckedException;
-
-import com.google.common.collect.Sets;
-
-/**
- * A user-to-groups mapping service.
- *
- * {@link Groups} allows for server to get the various group memberships
- * of a given user via the {@link #getGroups(String)} call, thus ensuring
- * a consistent user-to-groups mapping and protects against vagaries of
- * different mappings on servers and clients in a Hadoop cluster.
- */
-@Private
-public class Groups {
-  private static final Log LOG = LogFactory.getLog(Groups.class);
-
-  private final GroupMappingServiceProvider impl;
-
-  private final Map<String, CachedGroups> userToGroupsMap =
-      new ConcurrentHashMap<String, CachedGroups>();
-  private final Map<String, Set<String>> staticUserToGroupsMap =
-      new HashMap<String, Set<String>>();
-  private final long cacheTimeout;
-  private final long warningDeltaMs;
-
-  public Groups(Configuration conf) {
-    impl =
-        ReflectionUtils.newInstance(
-            conf.getClass(CommonConfigurationKeys.HADOOP_SECURITY_GROUP_MAPPING,
-                ShellBasedUnixGroupsMapping.class,
-                GroupMappingServiceProvider.class),
-            conf);
-
-    cacheTimeout =
-        conf.getLong(CommonConfigurationKeys.HADOOP_SECURITY_GROUPS_CACHE_SECS,
-            CommonConfigurationKeys.HADOOP_SECURITY_GROUPS_CACHE_SECS_DEFAULT) * 1000;
-    warningDeltaMs =
-        conf.getLong(CommonConfigurationKeys.HADOOP_SECURITY_GROUPS_CACHE_WARN_AFTER_MS,
-            CommonConfigurationKeys.HADOOP_SECURITY_GROUPS_CACHE_WARN_AFTER_MS_DEFAULT);
-    parseStaticMapping(conf);
-
-    if (cacheTimeout < 0 || warningDeltaMs <= 0) {
-      String message = "Invalid values for configuring Groups cache"
-          + ", cacheTimeout=" + cacheTimeout
-          + ", warningDeltaTimeMs=" + warningDeltaMs;
-      LOG.warn(message);
-      throw new TezUncheckedException(message);
-    }
-
-    if(LOG.isDebugEnabled())
-      LOG.debug("Group mapping impl=" + impl.getClass().getName() +
-          "; cacheTimeout=" + cacheTimeout + "; warningDeltaMs=" +
-          warningDeltaMs);
-  }
-
-  /*
-   * Parse the hadoop.user.group.static.mapping.overrides configuration to
-   * staticUserToGroupsMap
-   */
-  private void parseStaticMapping(Configuration conf) {
-    String staticMapping = conf.get(
-        CommonConfigurationKeys.HADOOP_USER_GROUP_STATIC_OVERRIDES,
-        CommonConfigurationKeys.HADOOP_USER_GROUP_STATIC_OVERRIDES_DEFAULT);
-    Collection<String> mappings = StringUtils.getStringCollection(
-        staticMapping, ";");
-    for (String users : mappings) {
-      Collection<String> userToGroups = StringUtils.getStringCollection(users,
-          "=");
-      if (userToGroups.size() < 1 || userToGroups.size() > 2) {
-        throw new HadoopIllegalArgumentException("Configuration "
-            + CommonConfigurationKeys.HADOOP_USER_GROUP_STATIC_OVERRIDES
-            + " is invalid");
-      }
-      String[] userToGroupsArray = userToGroups.toArray(new String[userToGroups
-          .size()]);
-      String user = userToGroupsArray[0];
-      Set<String> groups = Sets.newHashSet();
-      if (userToGroupsArray.length == 2) {
-        groups.addAll(StringUtils.getStringCollection(userToGroupsArray[1]));
-      }
-      staticUserToGroupsMap.put(user, groups);
-    }
-  }
-
-  /**
-   * Determine whether the CachedGroups is expired.
-   * @param groups cached groups for one user.
-   * @return true if groups is expired from useToGroupsMap.
-   */
-  private boolean hasExpired(CachedGroups groups, long startMs) {
-    if (groups == null) {
-      return true;
-    }
-    long timeout = cacheTimeout;
-    return groups.getTimestamp() + timeout <= startMs;
-  }
-
-  /**
-   * Get the group memberships of a given user.
-   * @param user User's name
-   * @return the group memberships of the user
-   * @throws IOException
-   */
-  public Set<String> getGroups(String user) throws IOException {
-    // No need to lookup for groups of static users
-    Set<String> staticMapping = staticUserToGroupsMap.get(user);
-    if (staticMapping != null) {
-      return staticMapping;
-    }
-    // Return cached value if available
-    CachedGroups groups = userToGroupsMap.get(user);
-    long startMs = System.currentTimeMillis();
-    if (!hasExpired(groups, startMs)) {
-      if(LOG.isDebugEnabled()) {
-        LOG.debug("Returning cached groups for '" + user + "'");
-      }
-      if (groups.getGroups().isEmpty()) {
-        // Even with enabling negative cache, getGroups() has the same behavior
-        // that throws IOException if the groups for the user is empty.
-        throw new IOException("No groups found for user " + user);
-      }
-      return groups.getGroups();
-    }
-
-    // Create and cache user's groups
-    Set<String> groupList = Sets.newHashSet();
-    groupList.addAll(impl.getGroups(user));
-    long endMs = System.currentTimeMillis();
-    long deltaMs = endMs - startMs;
-    if (deltaMs > warningDeltaMs) {
-      LOG.warn("Potential performance problem: getGroups(user=" + user +") " +
-          "took " + deltaMs + " milliseconds.");
-    }
-    groups = new CachedGroups(groupList, endMs);
-    if (groups.getGroups().isEmpty()) {
-      throw new IOException("No groups found for user " + user);
-    }
-    userToGroupsMap.put(user, groups);
-    if(LOG.isDebugEnabled()) {
-      LOG.debug("Returning fetched groups for '" + user + "'");
-    }
-    return groups.getGroups();
-  }
-
-  /**
-   * Refresh all user-to-groups mappings.
-   */
-  public void refresh() {
-    LOG.info("clearing userToGroupsMap cache");
-    try {
-      impl.cacheGroupsRefresh();
-    } catch (IOException e) {
-      LOG.warn("Error refreshing groups cache", e);
-    }
-    userToGroupsMap.clear();
-  }
-
-  /**
-   * Add groups to cache
-   *
-   * @param groups list of groups to add to cache
-   */
-  public void cacheGroupsAdd(List<String> groups) {
-    try {
-      impl.cacheGroupsAdd(groups);
-    } catch (IOException e) {
-      LOG.warn("Error caching groups", e);
-    }
-  }
-
-  /**
-   * Class to hold the cached groups
-   */
-  private static class CachedGroups {
-    final long timestamp;
-    final Set<String> groups;
-
-    /**
-     * Create and initialize group cache
-     */
-    CachedGroups(Set<String> groups, long timestamp) {
-      this.groups = groups;
-      this.timestamp = timestamp;
-    }
-
-    /**
-     * Returns time of last cache update
-     *
-     * @return time of last cache update
-     */
-    public long getTimestamp() {
-      return timestamp;
-    }
-
-    /**
-     * Get set of cached groups
-     *
-     * @return cached groups
-     */
-    public Set<String> getGroups() {
-      return groups;
-    }
-  }
-
-  private static Groups GROUPS = null;
-
-  /**
-   * Get the groups being used to map user-to-groups.
-   * @return the groups being used to map user-to-groups.
-   */
-  public static Groups getUserToGroupsMappingService() {
-    return getUserToGroupsMappingService(new Configuration());
-  }
-
-  /**
-   * Get the groups being used to map user-to-groups.
-   * @param conf
-   * @return the groups being used to map user-to-groups.
-   */
-  public static synchronized Groups getUserToGroupsMappingService(
-      Configuration conf) {
-
-    if(GROUPS == null) {
-      if(LOG.isDebugEnabled()) {
-        LOG.debug(" Creating new Groups object");
-      }
-      GROUPS = new Groups(conf);
-    }
-    return GROUPS;
-  }
-
-  /**
-   * Create new groups used to map user-to-groups with loaded configuration.
-   * @param conf
-   * @return the groups being used to map user-to-groups.
-   */
-  public static synchronized Groups getUserToGroupsMappingServiceWithLoadedConfiguration(
-      Configuration conf) {
-
-    GROUPS = new Groups(conf);
-    return GROUPS;
-  }
-}

http://git-wip-us.apache.org/repos/asf/tez/blob/fbca9f4c/tez-api/src/test/java/org/apache/tez/common/TestTezCommonUtils.java
----------------------------------------------------------------------
diff --git a/tez-api/src/test/java/org/apache/tez/common/TestTezCommonUtils.java b/tez-api/src/test/java/org/apache/tez/common/TestTezCommonUtils.java
index d078e8f..27f798d 100644
--- a/tez-api/src/test/java/org/apache/tez/common/TestTezCommonUtils.java
+++ b/tez-api/src/test/java/org/apache/tez/common/TestTezCommonUtils.java
@@ -232,4 +232,13 @@ public class TestTezCommonUtils {
     TestTezClientUtils.testLocalResourceVisibility(dfsCluster.getFileSystem(), conf);
   }
 
+  @Test
+  public void testStringTokenize() {
+    String s = "foo:bar:xyz::too";
+    String[] expectedTokens = { "foo", "bar" , "xyz" , "too"};
+    String[] tokens = new String[4];
+    TezCommonUtils.tokenizeString(s, ":").toArray(tokens);
+    Assert.assertArrayEquals(expectedTokens, tokens);
+  }
+
 }

http://git-wip-us.apache.org/repos/asf/tez/blob/fbca9f4c/tez-api/src/test/java/org/apache/tez/common/security/TestACLManager.java
----------------------------------------------------------------------
diff --git a/tez-api/src/test/java/org/apache/tez/common/security/TestACLManager.java b/tez-api/src/test/java/org/apache/tez/common/security/TestACLManager.java
index cc7260c..7ad4ede 100644
--- a/tez-api/src/test/java/org/apache/tez/common/security/TestACLManager.java
+++ b/tez-api/src/test/java/org/apache/tez/common/security/TestACLManager.java
@@ -18,10 +18,6 @@
 
 package org.apache.tez.common.security;
 
-import static org.mockito.Matchers.eq;
-import static org.mockito.Mockito.doReturn;
-import static org.mockito.Mockito.mock;
-
 import java.io.IOException;
 import java.util.Map;
 import java.util.Set;
@@ -37,45 +33,45 @@ import com.google.common.collect.Sets;
 
 public class TestACLManager {
 
+  private static final Set<String> noGroups = Sets.newHashSet();
+
   @Test
   public void testCurrentUserACLChecks() {
-    Groups groups = null;
     String currentUser = "currentUser";
-    ACLManager aclManager = new ACLManager(groups, currentUser);
+    ACLManager aclManager = new ACLManager(currentUser);
 
     String user = "user1";
-    Assert.assertFalse(aclManager.checkAccess(user, ACLType.AM_VIEW_ACL));
-    Assert.assertFalse(aclManager.checkAccess(user, ACLType.AM_MODIFY_ACL));
+    Assert.assertFalse(aclManager.checkAccess(user, null, ACLType.AM_VIEW_ACL));
+    Assert.assertFalse(aclManager.checkAccess(user, null, ACLType.AM_MODIFY_ACL));
 
     user = currentUser;
-    Assert.assertTrue(aclManager.checkAccess(user, ACLType.AM_VIEW_ACL));
-    Assert.assertTrue(aclManager.checkAccess(user, ACLType.AM_MODIFY_ACL));
+    Assert.assertTrue(aclManager.checkAccess(user, null, ACLType.AM_VIEW_ACL));
+    Assert.assertTrue(aclManager.checkAccess(user, null, ACLType.AM_MODIFY_ACL));
 
-    aclManager = new ACLManager(groups, currentUser, new Configuration(false));
+    aclManager = new ACLManager(currentUser, new Configuration(false));
 
     user = "user1";
-    Assert.assertFalse(aclManager.checkAccess(user, ACLType.AM_VIEW_ACL));
-    Assert.assertFalse(aclManager.checkAccess(user, ACLType.AM_MODIFY_ACL));
+    Assert.assertFalse(aclManager.checkAccess(user, null, ACLType.AM_VIEW_ACL));
+    Assert.assertFalse(aclManager.checkAccess(user, null, ACLType.AM_MODIFY_ACL));
 
     user = currentUser;
-    Assert.assertTrue(aclManager.checkAccess(user, ACLType.AM_VIEW_ACL));
-    Assert.assertTrue(aclManager.checkAccess(user, ACLType.AM_MODIFY_ACL));
+    Assert.assertTrue(aclManager.checkAccess(user, null, ACLType.AM_VIEW_ACL));
+    Assert.assertTrue(aclManager.checkAccess(user, null, ACLType.AM_MODIFY_ACL));
 
     String dagUser = "dagUser";
     ACLManager dagAclManager = new ACLManager(aclManager, dagUser, new Configuration(false));
     user = dagUser;
-    Assert.assertFalse(dagAclManager.checkAccess(user, ACLType.AM_VIEW_ACL));
-    Assert.assertFalse(dagAclManager.checkAccess(user, ACLType.AM_MODIFY_ACL));
-    Assert.assertTrue(dagAclManager.checkAccess(user, ACLType.DAG_VIEW_ACL));
-    Assert.assertTrue(dagAclManager.checkAccess(user, ACLType.DAG_MODIFY_ACL));
+    Assert.assertFalse(dagAclManager.checkAccess(user, null, ACLType.AM_VIEW_ACL));
+    Assert.assertFalse(dagAclManager.checkAccess(user, null, ACLType.AM_MODIFY_ACL));
+    Assert.assertTrue(dagAclManager.checkAccess(user, null, ACLType.DAG_VIEW_ACL));
+    Assert.assertTrue(dagAclManager.checkAccess(user, null, ACLType.DAG_MODIFY_ACL));
     user = "user1";
-    Assert.assertFalse(dagAclManager.checkAccess(user, ACLType.DAG_VIEW_ACL));
-    Assert.assertFalse(dagAclManager.checkAccess(user, ACLType.DAG_MODIFY_ACL));
+    Assert.assertFalse(dagAclManager.checkAccess(user, null, ACLType.DAG_VIEW_ACL));
+    Assert.assertFalse(dagAclManager.checkAccess(user, null, ACLType.DAG_MODIFY_ACL));
   }
 
   @Test
   public void testOtherUserACLChecks() throws IOException {
-    Groups groups = mock(Groups.class);
     Set<String> groups1 = Sets.newHashSet("grp1", "grp2");
     Set<String> groups2 = Sets.newHashSet("grp3", "grp4");
     Set<String> groups3 = Sets.newHashSet("grp5", "grp6");
@@ -88,13 +84,6 @@ public class TestACLManager {
     String user5 = "user5"; // belongs to grp5 and grp6
     String user6 = "user6";
 
-    doReturn(groups1).when(groups).getGroups(eq(user1));
-    doReturn(groups2).when(groups).getGroups(eq(user2));
-    doReturn(Sets.newHashSet()).when(groups).getGroups(user3);
-    doReturn(Sets.newHashSet()).when(groups).getGroups(user4);
-    doReturn(groups3).when(groups).getGroups(eq(user5));
-    doReturn(Sets.newHashSet()).when(groups).getGroups(user6);
-
     Configuration conf = new Configuration(false);
     // View ACLs: user1, user4, grp3, grp4.
     String viewACLs = user1 + "," + user4
@@ -104,28 +93,27 @@ public class TestACLManager {
     conf.set(TezConfiguration.TEZ_AM_VIEW_ACLS, viewACLs);
     conf.set(TezConfiguration.TEZ_AM_MODIFY_ACLS, modifyACLs);
 
-    ACLManager aclManager = new ACLManager(groups, currentUser, conf);
-
-    Assert.assertTrue(aclManager.checkAccess(currentUser, ACLType.AM_VIEW_ACL));
-    Assert.assertTrue(aclManager.checkAccess(user1, ACLType.AM_VIEW_ACL));
-    Assert.assertTrue(aclManager.checkAccess(user2, ACLType.AM_VIEW_ACL));
-    Assert.assertFalse(aclManager.checkAccess(user3, ACLType.AM_VIEW_ACL));
-    Assert.assertTrue(aclManager.checkAccess(user4, ACLType.AM_VIEW_ACL));
-    Assert.assertFalse(aclManager.checkAccess(user5, ACLType.AM_VIEW_ACL));
-    Assert.assertFalse(aclManager.checkAccess(user6, ACLType.AM_VIEW_ACL));
-
-    Assert.assertTrue(aclManager.checkAccess(currentUser, ACLType.AM_MODIFY_ACL));
-    Assert.assertFalse(aclManager.checkAccess(user1, ACLType.AM_MODIFY_ACL));
-    Assert.assertFalse(aclManager.checkAccess(user2, ACLType.AM_MODIFY_ACL));
-    Assert.assertTrue(aclManager.checkAccess(user3, ACLType.AM_MODIFY_ACL));
-    Assert.assertFalse(aclManager.checkAccess(user4, ACLType.AM_MODIFY_ACL));
-    Assert.assertTrue(aclManager.checkAccess(user5, ACLType.AM_MODIFY_ACL));
-    Assert.assertFalse(aclManager.checkAccess(user6, ACLType.AM_MODIFY_ACL));
+    ACLManager aclManager = new ACLManager(currentUser, conf);
+
+    Assert.assertTrue(aclManager.checkAccess(currentUser, null, ACLType.AM_VIEW_ACL));
+    Assert.assertTrue(aclManager.checkAccess(user1, groups1, ACLType.AM_VIEW_ACL));
+    Assert.assertTrue(aclManager.checkAccess(user2, groups2, ACLType.AM_VIEW_ACL));
+    Assert.assertFalse(aclManager.checkAccess(user3, noGroups, ACLType.AM_VIEW_ACL));
+    Assert.assertTrue(aclManager.checkAccess(user4, noGroups, ACLType.AM_VIEW_ACL));
+    Assert.assertFalse(aclManager.checkAccess(user5, groups3, ACLType.AM_VIEW_ACL));
+    Assert.assertFalse(aclManager.checkAccess(user6, noGroups, ACLType.AM_VIEW_ACL));
+
+    Assert.assertTrue(aclManager.checkAccess(currentUser, null, ACLType.AM_MODIFY_ACL));
+    Assert.assertFalse(aclManager.checkAccess(user1, groups1, ACLType.AM_MODIFY_ACL));
+    Assert.assertFalse(aclManager.checkAccess(user2, groups2, ACLType.AM_MODIFY_ACL));
+    Assert.assertTrue(aclManager.checkAccess(user3, noGroups, ACLType.AM_MODIFY_ACL));
+    Assert.assertFalse(aclManager.checkAccess(user4, noGroups, ACLType.AM_MODIFY_ACL));
+    Assert.assertTrue(aclManager.checkAccess(user5, groups3, ACLType.AM_MODIFY_ACL));
+    Assert.assertFalse(aclManager.checkAccess(user6, noGroups, ACLType.AM_MODIFY_ACL));
   }
 
   @Test
   public void testNoGroupsACLChecks() throws IOException {
-    Groups groups = mock(Groups.class);
     Set<String> groups1 = Sets.newHashSet("grp1", "grp2");
     Set<String> groups2 = Sets.newHashSet("grp3", "grp4");
     Set<String> groups3 = Sets.newHashSet("grp5", "grp6");
@@ -138,13 +126,6 @@ public class TestACLManager {
     String user5 = "user5"; // belongs to grp5 and grp6
     String user6 = "user6";
 
-    doReturn(groups1).when(groups).getGroups(eq(user1));
-    doReturn(groups2).when(groups).getGroups(eq(user2));
-    doReturn(Sets.newHashSet()).when(groups).getGroups(user3);
-    doReturn(Sets.newHashSet()).when(groups).getGroups(user4);
-    doReturn(groups3).when(groups).getGroups(eq(user5));
-    doReturn(Sets.newHashSet()).when(groups).getGroups(user6);
-
     Configuration conf = new Configuration(false);
     // View ACLs: user1, user4
     String viewACLs = user1 + "," + user4 + " ";
@@ -153,27 +134,26 @@ public class TestACLManager {
     conf.set(TezConfiguration.TEZ_AM_VIEW_ACLS, viewACLs);
     conf.set(TezConfiguration.TEZ_AM_MODIFY_ACLS, modifyACLs);
 
-    ACLManager aclManager = new ACLManager(groups, currentUser, conf);
-    Assert.assertTrue(aclManager.checkAccess(currentUser, ACLType.AM_VIEW_ACL));
-    Assert.assertTrue(aclManager.checkAccess(user1, ACLType.AM_VIEW_ACL));
-    Assert.assertFalse(aclManager.checkAccess(user2, ACLType.AM_VIEW_ACL));
-    Assert.assertFalse(aclManager.checkAccess(user3, ACLType.AM_VIEW_ACL));
-    Assert.assertTrue(aclManager.checkAccess(user4, ACLType.AM_VIEW_ACL));
-    Assert.assertFalse(aclManager.checkAccess(user5, ACLType.AM_VIEW_ACL));
-    Assert.assertFalse(aclManager.checkAccess(user6, ACLType.AM_VIEW_ACL));
-
-    Assert.assertTrue(aclManager.checkAccess(currentUser, ACLType.AM_MODIFY_ACL));
-    Assert.assertFalse(aclManager.checkAccess(user1, ACLType.AM_MODIFY_ACL));
-    Assert.assertFalse(aclManager.checkAccess(user2, ACLType.AM_MODIFY_ACL));
-    Assert.assertTrue(aclManager.checkAccess(user3, ACLType.AM_MODIFY_ACL));
-    Assert.assertFalse(aclManager.checkAccess(user4, ACLType.AM_MODIFY_ACL));
-    Assert.assertFalse(aclManager.checkAccess(user5, ACLType.AM_MODIFY_ACL));
-    Assert.assertFalse(aclManager.checkAccess(user6, ACLType.AM_MODIFY_ACL));
+    ACLManager aclManager = new ACLManager(currentUser, conf);
+    Assert.assertTrue(aclManager.checkAccess(currentUser, null, ACLType.AM_VIEW_ACL));
+    Assert.assertTrue(aclManager.checkAccess(user1, groups1, ACLType.AM_VIEW_ACL));
+    Assert.assertFalse(aclManager.checkAccess(user2, groups2, ACLType.AM_VIEW_ACL));
+    Assert.assertFalse(aclManager.checkAccess(user3, noGroups, ACLType.AM_VIEW_ACL));
+    Assert.assertTrue(aclManager.checkAccess(user4, noGroups, ACLType.AM_VIEW_ACL));
+    Assert.assertFalse(aclManager.checkAccess(user5, groups3, ACLType.AM_VIEW_ACL));
+    Assert.assertFalse(aclManager.checkAccess(user6, noGroups, ACLType.AM_VIEW_ACL));
+
+    Assert.assertTrue(aclManager.checkAccess(currentUser, null, ACLType.AM_MODIFY_ACL));
+    Assert.assertFalse(aclManager.checkAccess(user1, groups1, ACLType.AM_MODIFY_ACL));
+    Assert.assertFalse(aclManager.checkAccess(user2, groups2, ACLType.AM_MODIFY_ACL));
+    Assert.assertTrue(aclManager.checkAccess(user3, noGroups, ACLType.AM_MODIFY_ACL));
+    Assert.assertFalse(aclManager.checkAccess(user4, noGroups, ACLType.AM_MODIFY_ACL));
+    Assert.assertFalse(aclManager.checkAccess(user5, groups3, ACLType.AM_MODIFY_ACL));
+    Assert.assertFalse(aclManager.checkAccess(user6, noGroups, ACLType.AM_MODIFY_ACL));
   }
 
   @Test
   public void checkAMACLs() throws IOException {
-    Groups groups = mock(Groups.class);
     Set<String> groups1 = Sets.newHashSet("grp1", "grp2");
     Set<String> groups2 = Sets.newHashSet("grp3", "grp4");
     Set<String> groups3 = Sets.newHashSet("grp5", "grp6");
@@ -186,13 +166,6 @@ public class TestACLManager {
     String user5 = "user5"; // belongs to grp5 and grp6
     String user6 = "user6";
 
-    doReturn(groups1).when(groups).getGroups(eq(user1));
-    doReturn(groups2).when(groups).getGroups(eq(user2));
-    doReturn(Sets.newHashSet()).when(groups).getGroups(user3);
-    doReturn(Sets.newHashSet()).when(groups).getGroups(user4);
-    doReturn(groups3).when(groups).getGroups(eq(user5));
-    doReturn(Sets.newHashSet()).when(groups).getGroups(user6);
-
     Configuration conf = new Configuration(false);
     // View ACLs: user1, user4, grp3, grp4.
     String viewACLs = "user1,user4,,   grp3,grp4  ";
@@ -201,45 +174,44 @@ public class TestACLManager {
     conf.set(TezConfiguration.TEZ_AM_VIEW_ACLS, viewACLs);
     conf.set(TezConfiguration.TEZ_AM_MODIFY_ACLS, modifyACLs);
 
-    ACLManager aclManager = new ACLManager(groups, currentUser, conf);
-
-    Assert.assertTrue(aclManager.checkAMViewAccess(currentUser));
-    Assert.assertTrue(aclManager.checkAMViewAccess(user1));
-    Assert.assertTrue(aclManager.checkAMViewAccess(user2));
-    Assert.assertFalse(aclManager.checkAMViewAccess(user3));
-    Assert.assertTrue(aclManager.checkAMViewAccess(user4));
-    Assert.assertFalse(aclManager.checkAMViewAccess(user5));
-    Assert.assertFalse(aclManager.checkAMViewAccess(user6));
-
-    Assert.assertTrue(aclManager.checkAMModifyAccess(currentUser));
-    Assert.assertFalse(aclManager.checkAMModifyAccess(user1));
-    Assert.assertFalse(aclManager.checkAMModifyAccess(user2));
-    Assert.assertTrue(aclManager.checkAMModifyAccess(user3));
-    Assert.assertFalse(aclManager.checkAMModifyAccess(user4));
-    Assert.assertTrue(aclManager.checkAMModifyAccess(user5));
-    Assert.assertFalse(aclManager.checkAMModifyAccess(user6));
-
-    Assert.assertTrue(aclManager.checkDAGViewAccess(currentUser));
-    Assert.assertTrue(aclManager.checkDAGViewAccess(user1));
-    Assert.assertTrue(aclManager.checkDAGViewAccess(user2));
-    Assert.assertFalse(aclManager.checkDAGViewAccess(user3));
-    Assert.assertTrue(aclManager.checkDAGViewAccess(user4));
-    Assert.assertFalse(aclManager.checkDAGViewAccess(user5));
-    Assert.assertFalse(aclManager.checkDAGViewAccess(user6));
-
-    Assert.assertTrue(aclManager.checkDAGModifyAccess(currentUser));
-    Assert.assertFalse(aclManager.checkDAGModifyAccess(user1));
-    Assert.assertFalse(aclManager.checkDAGModifyAccess(user2));
-    Assert.assertTrue(aclManager.checkDAGModifyAccess(user3));
-    Assert.assertFalse(aclManager.checkDAGModifyAccess(user4));
-    Assert.assertTrue(aclManager.checkDAGModifyAccess(user5));
-    Assert.assertFalse(aclManager.checkDAGModifyAccess(user6));
+    ACLManager aclManager = new ACLManager(currentUser, conf);
+
+    Assert.assertTrue(aclManager.checkAMViewAccess(currentUser, null));
+    Assert.assertTrue(aclManager.checkAMViewAccess(user1, groups1));
+    Assert.assertTrue(aclManager.checkAMViewAccess(user2, groups2));
+    Assert.assertFalse(aclManager.checkAMViewAccess(user3, noGroups));
+    Assert.assertTrue(aclManager.checkAMViewAccess(user4, noGroups));
+    Assert.assertFalse(aclManager.checkAMViewAccess(user5, groups3));
+    Assert.assertFalse(aclManager.checkAMViewAccess(user6, noGroups));
+
+    Assert.assertTrue(aclManager.checkAMModifyAccess(currentUser, null));
+    Assert.assertFalse(aclManager.checkAMModifyAccess(user1, groups1));
+    Assert.assertFalse(aclManager.checkAMModifyAccess(user2, groups2));
+    Assert.assertTrue(aclManager.checkAMModifyAccess(user3, noGroups));
+    Assert.assertFalse(aclManager.checkAMModifyAccess(user4, noGroups));
+    Assert.assertTrue(aclManager.checkAMModifyAccess(user5, groups3));
+    Assert.assertFalse(aclManager.checkAMModifyAccess(user6, noGroups));
+
+    Assert.assertTrue(aclManager.checkDAGViewAccess(currentUser, null));
+    Assert.assertTrue(aclManager.checkDAGViewAccess(user1, groups1));
+    Assert.assertTrue(aclManager.checkDAGViewAccess(user2, groups2));
+    Assert.assertFalse(aclManager.checkDAGViewAccess(user3, noGroups));
+    Assert.assertTrue(aclManager.checkDAGViewAccess(user4, noGroups));
+    Assert.assertFalse(aclManager.checkDAGViewAccess(user5, groups3));
+    Assert.assertFalse(aclManager.checkDAGViewAccess(user6, noGroups));
+
+    Assert.assertTrue(aclManager.checkDAGModifyAccess(currentUser, null));
+    Assert.assertFalse(aclManager.checkDAGModifyAccess(user1, groups1));
+    Assert.assertFalse(aclManager.checkDAGModifyAccess(user2, groups2));
+    Assert.assertTrue(aclManager.checkDAGModifyAccess(user3, noGroups));
+    Assert.assertFalse(aclManager.checkDAGModifyAccess(user4, noGroups));
+    Assert.assertTrue(aclManager.checkDAGModifyAccess(user5, groups3));
+    Assert.assertFalse(aclManager.checkDAGModifyAccess(user6, noGroups));
 
   }
 
   @Test
   public void checkDAGACLs() throws IOException {
-    Groups groups = mock(Groups.class);
     Set<String> groups1 = Sets.newHashSet("grp1", "grp2");
     Set<String> groups2 = Sets.newHashSet("grp3", "grp4");
     Set<String> groups3 = Sets.newHashSet("grp5", "grp6");
@@ -252,13 +224,6 @@ public class TestACLManager {
     String user5 = "user5"; // belongs to grp5 and grp6
     String user6 = "user6";
 
-    doReturn(groups1).when(groups).getGroups(eq(user1));
-    doReturn(groups2).when(groups).getGroups(eq(user2));
-    doReturn(Sets.newHashSet()).when(groups).getGroups(user3);
-    doReturn(Sets.newHashSet()).when(groups).getGroups(user4);
-    doReturn(groups3).when(groups).getGroups(eq(user5));
-    doReturn(Sets.newHashSet()).when(groups).getGroups(user6);
-
     Configuration conf = new Configuration(false);
     // View ACLs: user1, user4, grp3, grp4.
     String viewACLs = "user1,user4,,   grp3,grp4  ";
@@ -276,106 +241,103 @@ public class TestACLManager {
 
     String dagUser = "dagUser";
 
-    ACLManager amAclManager = new ACLManager(groups, currentUser, conf);
+    ACLManager amAclManager = new ACLManager(currentUser, conf);
     ACLManager aclManager = new ACLManager(amAclManager, dagUser, conf);
 
-    Assert.assertTrue(aclManager.checkAMViewAccess(currentUser));
-    Assert.assertFalse(aclManager.checkAMViewAccess(dagUser));
-    Assert.assertTrue(aclManager.checkAMViewAccess(user1));
-    Assert.assertTrue(aclManager.checkAMViewAccess(user2));
-    Assert.assertFalse(aclManager.checkAMViewAccess(user3));
-    Assert.assertTrue(aclManager.checkAMViewAccess(user4));
-    Assert.assertFalse(aclManager.checkAMViewAccess(user5));
-    Assert.assertFalse(aclManager.checkAMViewAccess(user6));
-
-    Assert.assertTrue(aclManager.checkAMModifyAccess(currentUser));
-    Assert.assertFalse(aclManager.checkAMModifyAccess(dagUser));
-    Assert.assertFalse(aclManager.checkAMModifyAccess(user1));
-    Assert.assertFalse(aclManager.checkAMModifyAccess(user2));
-    Assert.assertTrue(aclManager.checkAMModifyAccess(user3));
-    Assert.assertFalse(aclManager.checkAMModifyAccess(user4));
-    Assert.assertTrue(aclManager.checkAMModifyAccess(user5));
-    Assert.assertFalse(aclManager.checkAMModifyAccess(user6));
-
-    Assert.assertTrue(aclManager.checkDAGViewAccess(currentUser));
-    Assert.assertTrue(aclManager.checkDAGViewAccess(dagUser));
-    Assert.assertTrue(aclManager.checkDAGViewAccess(user1));
-    Assert.assertTrue(aclManager.checkDAGViewAccess(user2));
-    Assert.assertFalse(aclManager.checkDAGViewAccess(user3));
-    Assert.assertTrue(aclManager.checkDAGViewAccess(user4));
-    Assert.assertTrue(aclManager.checkDAGViewAccess(user5));
-    Assert.assertTrue(aclManager.checkDAGViewAccess(user6));
-
-    Assert.assertTrue(aclManager.checkDAGModifyAccess(currentUser));
-    Assert.assertTrue(aclManager.checkDAGModifyAccess(dagUser));
-    Assert.assertFalse(aclManager.checkDAGModifyAccess(user1));
-    Assert.assertFalse(aclManager.checkDAGModifyAccess(user2));
-    Assert.assertTrue(aclManager.checkDAGModifyAccess(user3));
-    Assert.assertFalse(aclManager.checkDAGModifyAccess(user4));
-    Assert.assertTrue(aclManager.checkDAGModifyAccess(user5));
-    Assert.assertTrue(aclManager.checkDAGModifyAccess(user6));
+    Assert.assertTrue(aclManager.checkAMViewAccess(currentUser, null));
+    Assert.assertFalse(aclManager.checkAMViewAccess(dagUser, null));
+    Assert.assertTrue(aclManager.checkAMViewAccess(user1, groups1));
+    Assert.assertTrue(aclManager.checkAMViewAccess(user2, groups2));
+    Assert.assertFalse(aclManager.checkAMViewAccess(user3, noGroups));
+    Assert.assertTrue(aclManager.checkAMViewAccess(user4, noGroups));
+    Assert.assertFalse(aclManager.checkAMViewAccess(user5, groups3));
+    Assert.assertFalse(aclManager.checkAMViewAccess(user6, noGroups));
+
+    Assert.assertTrue(aclManager.checkAMModifyAccess(currentUser, null));
+    Assert.assertFalse(aclManager.checkAMModifyAccess(dagUser, null));
+    Assert.assertFalse(aclManager.checkAMModifyAccess(user1, groups1));
+    Assert.assertFalse(aclManager.checkAMModifyAccess(user2, groups2));
+    Assert.assertTrue(aclManager.checkAMModifyAccess(user3, noGroups));
+    Assert.assertFalse(aclManager.checkAMModifyAccess(user4, noGroups));
+    Assert.assertTrue(aclManager.checkAMModifyAccess(user5, groups3));
+    Assert.assertFalse(aclManager.checkAMModifyAccess(user6, noGroups));
+
+    Assert.assertTrue(aclManager.checkDAGViewAccess(currentUser, null));
+    Assert.assertTrue(aclManager.checkDAGViewAccess(dagUser, null));
+    Assert.assertTrue(aclManager.checkDAGViewAccess(user1, groups1));
+    Assert.assertTrue(aclManager.checkDAGViewAccess(user2, groups2));
+    Assert.assertFalse(aclManager.checkDAGViewAccess(user3, noGroups));
+    Assert.assertTrue(aclManager.checkDAGViewAccess(user4, noGroups));
+    Assert.assertTrue(aclManager.checkDAGViewAccess(user5, groups3));
+    Assert.assertTrue(aclManager.checkDAGViewAccess(user6, noGroups));
+
+    Assert.assertTrue(aclManager.checkDAGModifyAccess(currentUser, null));
+    Assert.assertTrue(aclManager.checkDAGModifyAccess(dagUser, null));
+    Assert.assertFalse(aclManager.checkDAGModifyAccess(user1, groups1));
+    Assert.assertFalse(aclManager.checkDAGModifyAccess(user2, groups2));
+    Assert.assertTrue(aclManager.checkDAGModifyAccess(user3, noGroups));
+    Assert.assertFalse(aclManager.checkDAGModifyAccess(user4, noGroups));
+    Assert.assertTrue(aclManager.checkDAGModifyAccess(user5, groups3));
+    Assert.assertTrue(aclManager.checkDAGModifyAccess(user6, noGroups));
 
   }
 
   @Test
   public void testWildCardCheck() {
-    Groups groups = mock(Groups.class);
     Configuration conf = new Configuration(false);
     String viewACLs = "   *  ";
     String modifyACLs = "   * ";
     conf.set(TezConfiguration.TEZ_AM_VIEW_ACLS, viewACLs);
     conf.set(TezConfiguration.TEZ_AM_MODIFY_ACLS, modifyACLs);
 
-    ACLManager aclManager = new ACLManager(groups, "a1", conf);
-    Assert.assertTrue(aclManager.checkAMViewAccess("a1"));
-    Assert.assertTrue(aclManager.checkAMViewAccess("u1"));
-    Assert.assertTrue(aclManager.checkAMModifyAccess("a1"));
-    Assert.assertTrue(aclManager.checkAMModifyAccess("u1"));
-    Assert.assertTrue(aclManager.checkDAGViewAccess("a1"));
-    Assert.assertTrue(aclManager.checkDAGViewAccess("u1"));
-    Assert.assertTrue(aclManager.checkDAGModifyAccess("a1"));
-    Assert.assertTrue(aclManager.checkDAGModifyAccess("u1"));
+    ACLManager aclManager = new ACLManager("a1", conf);
+    Assert.assertTrue(aclManager.checkAMViewAccess("a1", null));
+    Assert.assertTrue(aclManager.checkAMViewAccess("u1", null));
+    Assert.assertTrue(aclManager.checkAMModifyAccess("a1", null));
+    Assert.assertTrue(aclManager.checkAMModifyAccess("u1", null));
+    Assert.assertTrue(aclManager.checkDAGViewAccess("a1", null));
+    Assert.assertTrue(aclManager.checkDAGViewAccess("u1", null));
+    Assert.assertTrue(aclManager.checkDAGModifyAccess("a1", null));
+    Assert.assertTrue(aclManager.checkDAGModifyAccess("u1", null));
   }
 
   @Test
   public void testACLsDisabled() {
-    Groups groups = mock(Groups.class);
     Configuration conf = new Configuration(false);
     conf.setBoolean(TezConfiguration.TEZ_AM_ACLS_ENABLED, false);
     String viewACLs = "a2,u2  ";
     String modifyACLs = "a2,u2 ";
     conf.set(TezConfiguration.TEZ_AM_VIEW_ACLS, viewACLs);
     conf.set(TezConfiguration.TEZ_AM_MODIFY_ACLS, modifyACLs);
-    ACLManager aclManager = new ACLManager(groups, "a1", conf);
-    Assert.assertTrue(aclManager.checkAMViewAccess("a1"));
-    Assert.assertTrue(aclManager.checkAMViewAccess("u1"));
-    Assert.assertTrue(aclManager.checkAMModifyAccess("a1"));
-    Assert.assertTrue(aclManager.checkAMModifyAccess("u1"));
-    Assert.assertTrue(aclManager.checkDAGViewAccess("a1"));
-    Assert.assertTrue(aclManager.checkDAGViewAccess("u1"));
-    Assert.assertTrue(aclManager.checkDAGModifyAccess("a1"));
-    Assert.assertTrue(aclManager.checkDAGModifyAccess("u1"));
+    ACLManager aclManager = new ACLManager("a1", conf);
+    Assert.assertTrue(aclManager.checkAMViewAccess("a1", null));
+    Assert.assertTrue(aclManager.checkAMViewAccess("u1", null));
+    Assert.assertTrue(aclManager.checkAMModifyAccess("a1", null));
+    Assert.assertTrue(aclManager.checkAMModifyAccess("u1", null));
+    Assert.assertTrue(aclManager.checkDAGViewAccess("a1", null));
+    Assert.assertTrue(aclManager.checkDAGViewAccess("u1", null));
+    Assert.assertTrue(aclManager.checkDAGModifyAccess("a1", null));
+    Assert.assertTrue(aclManager.checkDAGModifyAccess("u1", null));
 
     ACLManager dagAclManager = new ACLManager(aclManager, "dagUser", null);
-    Assert.assertTrue(dagAclManager.checkAMViewAccess("a1"));
-    Assert.assertTrue(dagAclManager.checkAMViewAccess("u1"));
-    Assert.assertTrue(dagAclManager.checkAMModifyAccess("a1"));
-    Assert.assertTrue(dagAclManager.checkAMModifyAccess("u1"));
-    Assert.assertTrue(dagAclManager.checkDAGViewAccess("a1"));
-    Assert.assertTrue(dagAclManager.checkDAGViewAccess("u1"));
-    Assert.assertTrue(dagAclManager.checkDAGModifyAccess("a1"));
-    Assert.assertTrue(dagAclManager.checkDAGModifyAccess("u1"));
+    Assert.assertTrue(dagAclManager.checkAMViewAccess("a1", null));
+    Assert.assertTrue(dagAclManager.checkAMViewAccess("u1", null));
+    Assert.assertTrue(dagAclManager.checkAMModifyAccess("a1", null));
+    Assert.assertTrue(dagAclManager.checkAMModifyAccess("u1", null));
+    Assert.assertTrue(dagAclManager.checkDAGViewAccess("a1", null));
+    Assert.assertTrue(dagAclManager.checkDAGViewAccess("u1", null));
+    Assert.assertTrue(dagAclManager.checkDAGModifyAccess("a1", null));
+    Assert.assertTrue(dagAclManager.checkDAGModifyAccess("u1", null));
   }
 
   @Test
   public void testConvertToYARNACLs() {
-    Groups groups = mock(Groups.class);
     String currentUser = "c1";
     Configuration conf = new Configuration(false);
     String viewACLs = "user1,user4,,   grp3,grp4  ";
     conf.set(TezConfiguration.TEZ_AM_VIEW_ACLS, viewACLs);
     conf.set(TezConfiguration.TEZ_AM_MODIFY_ACLS, "   * ");
-    ACLManager aclManager = new ACLManager(groups, currentUser, conf);
+    ACLManager aclManager = new ACLManager(currentUser, conf);
 
     Map<ApplicationAccessType, String> yarnAcls = aclManager.toYARNACls();
     Assert.assertTrue(yarnAcls.containsKey(ApplicationAccessType.VIEW_APP));
@@ -387,7 +349,7 @@ public class TestACLManager {
 
     viewACLs = "   grp3,grp4  ";
     conf.set(TezConfiguration.TEZ_AM_VIEW_ACLS, viewACLs);
-    ACLManager aclManager1 = new ACLManager(groups, currentUser, conf);
+    ACLManager aclManager1 = new ACLManager(currentUser, conf);
     yarnAcls = aclManager1.toYARNACls();
     Assert.assertEquals("c1 grp3,grp4",
         yarnAcls.get(ApplicationAccessType.VIEW_APP));

http://git-wip-us.apache.org/repos/asf/tez/blob/fbca9f4c/tez-dag/src/main/java/org/apache/tez/dag/api/client/rpc/DAGClientAMProtocolBlockingPBServerImpl.java
----------------------------------------------------------------------
diff --git a/tez-dag/src/main/java/org/apache/tez/dag/api/client/rpc/DAGClientAMProtocolBlockingPBServerImpl.java b/tez-dag/src/main/java/org/apache/tez/dag/api/client/rpc/DAGClientAMProtocolBlockingPBServerImpl.java
index 3a32b7f..6381b71 100644
--- a/tez-dag/src/main/java/org/apache/tez/dag/api/client/rpc/DAGClientAMProtocolBlockingPBServerImpl.java
+++ b/tez-dag/src/main/java/org/apache/tez/dag/api/client/rpc/DAGClientAMProtocolBlockingPBServerImpl.java
@@ -20,8 +20,10 @@ package org.apache.tez.dag.api.client.rpc;
 
 import java.io.IOException;
 import java.security.AccessControlException;
+import java.util.Arrays;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.yarn.api.records.LocalResource;
@@ -68,11 +70,19 @@ public class DAGClientAMProtocolBlockingPBServerImpl implements DAGClientAMProto
     }
   }
 
+  private List<String> getRPCUserGroups() throws ServiceException {
+    try {
+      return Arrays.asList(UserGroupInformation.getCurrentUser().getGroupNames());
+    } catch (IOException e) {
+      throw wrapException(e);
+    }
+  }
+
   @Override
   public GetAllDAGsResponseProto getAllDAGs(RpcController controller,
       GetAllDAGsRequestProto request) throws ServiceException {
     String user = getRPCUserName();
-    if (!real.getACLManager().checkAMViewAccess(user)) {
+    if (!real.getACLManager().checkAMViewAccess(user, getRPCUserGroups())) {
       throw new AccessControlException("User " + user + " cannot perform AM view operation");
     }
     try{
@@ -89,7 +99,7 @@ public class DAGClientAMProtocolBlockingPBServerImpl implements DAGClientAMProto
     String user = getRPCUserName();
     try {
       String dagId = request.getDagId();
-      if (!real.getACLManager(dagId).checkDAGViewAccess(user)) {
+      if (!real.getACLManager(dagId).checkDAGViewAccess(user, getRPCUserGroups())) {
         throw new AccessControlException("User " + user + " cannot perform DAG view operation");
       }
       DAGStatus status;
@@ -111,7 +121,7 @@ public class DAGClientAMProtocolBlockingPBServerImpl implements DAGClientAMProto
     String user = getRPCUserName();
     try {
       String dagId = request.getDagId();
-      if (!real.getACLManager(dagId).checkDAGViewAccess(user)) {
+      if (!real.getACLManager(dagId).checkDAGViewAccess(user, getRPCUserGroups())) {
         throw new AccessControlException("User " + user + " cannot perform DAG view operation");
       }
       String vertexName = request.getVertexName();
@@ -133,7 +143,7 @@ public class DAGClientAMProtocolBlockingPBServerImpl implements DAGClientAMProto
     String user = getRPCUserName();
     try {
       String dagId = request.getDagId();
-      if (!real.getACLManager(dagId).checkDAGModifyAccess(user)) {
+      if (!real.getACLManager(dagId).checkDAGModifyAccess(user, getRPCUserGroups())) {
         throw new AccessControlException("User " + user + " cannot perform DAG modify operation");
       }
       real.tryKillDAG(dagId);
@@ -147,7 +157,7 @@ public class DAGClientAMProtocolBlockingPBServerImpl implements DAGClientAMProto
   public SubmitDAGResponseProto submitDAG(RpcController controller,
       SubmitDAGRequestProto request) throws ServiceException {
     String user = getRPCUserName();
-    if (!real.getACLManager().checkAMModifyAccess(user)) {
+    if (!real.getACLManager().checkAMModifyAccess(user, getRPCUserGroups())) {
       throw new AccessControlException("User " + user + " cannot perform AM modify operation");
     }
     try{
@@ -172,7 +182,7 @@ public class DAGClientAMProtocolBlockingPBServerImpl implements DAGClientAMProto
   public ShutdownSessionResponseProto shutdownSession(RpcController arg0,
       ShutdownSessionRequestProto arg1) throws ServiceException {
     String user = getRPCUserName();
-    if (!real.getACLManager().checkAMModifyAccess(user)) {
+    if (!real.getACLManager().checkAMModifyAccess(user, getRPCUserGroups())) {
       throw new AccessControlException("User " + user + " cannot perform AM modify operation");
     }
     real.shutdownAM();
@@ -183,7 +193,7 @@ public class DAGClientAMProtocolBlockingPBServerImpl implements DAGClientAMProto
   public GetAMStatusResponseProto getAMStatus(RpcController controller,
       GetAMStatusRequestProto request) throws ServiceException {
     String user = getRPCUserName();
-    if (!real.getACLManager().checkAMViewAccess(user)) {
+    if (!real.getACLManager().checkAMViewAccess(user, getRPCUserGroups())) {
       throw new AccessControlException("User " + user + " cannot perform AM view operation");
     }
     try {

http://git-wip-us.apache.org/repos/asf/tez/blob/fbca9f4c/tez-dag/src/main/java/org/apache/tez/dag/app/DAGAppMaster.java
----------------------------------------------------------------------
diff --git a/tez-dag/src/main/java/org/apache/tez/dag/app/DAGAppMaster.java b/tez-dag/src/main/java/org/apache/tez/dag/app/DAGAppMaster.java
index 7c5561c..fa4b629 100644
--- a/tez-dag/src/main/java/org/apache/tez/dag/app/DAGAppMaster.java
+++ b/tez-dag/src/main/java/org/apache/tez/dag/app/DAGAppMaster.java
@@ -139,7 +139,6 @@ import org.apache.tez.dag.app.rm.container.ContainerSignatureMatcher;
 import org.apache.tez.dag.app.rm.node.AMNodeEventType;
 import org.apache.tez.dag.app.rm.node.AMNodeMap;
 import org.apache.tez.common.security.ACLManager;
-import org.apache.tez.common.security.Groups;
 import org.apache.tez.dag.history.DAGHistoryEvent;
 import org.apache.tez.dag.history.HistoryEventHandler;
 import org.apache.tez.dag.history.events.AMLaunchedEvent;
@@ -309,9 +308,7 @@ public class DAGAppMaster extends AbstractService {
 
     dispatcher = createDispatcher();
     context = new RunningAppContext(conf);
-    Groups userGroupMapping = new Groups(this.amConf);
-    this.aclManager = new ACLManager(userGroupMapping, appMasterUgi.getShortUserName(),
-        this.amConf);
+    this.aclManager = new ACLManager(appMasterUgi.getShortUserName(), this.amConf);
 
     clientHandler = new DAGClientHandler(this);
 

http://git-wip-us.apache.org/repos/asf/tez/blob/fbca9f4c/tez-dag/src/test/java/org/apache/tez/dag/app/dag/impl/TestDAGImpl.java
----------------------------------------------------------------------
diff --git a/tez-dag/src/test/java/org/apache/tez/dag/app/dag/impl/TestDAGImpl.java b/tez-dag/src/test/java/org/apache/tez/dag/app/dag/impl/TestDAGImpl.java
index b56fbc3..b640f1d 100644
--- a/tez-dag/src/test/java/org/apache/tez/dag/app/dag/impl/TestDAGImpl.java
+++ b/tez-dag/src/test/java/org/apache/tez/dag/app/dag/impl/TestDAGImpl.java
@@ -92,7 +92,6 @@ import org.apache.tez.dag.app.dag.event.VertexEventTaskReschedule;
 import org.apache.tez.dag.app.dag.event.VertexEventType;
 import org.apache.tez.dag.app.dag.impl.TestVertexImpl.CountingOutputCommitter;
 import org.apache.tez.common.security.ACLManager;
-import org.apache.tez.common.security.Groups;
 import org.apache.tez.dag.history.HistoryEventHandler;
 import org.apache.tez.dag.records.TezDAGID;
 import org.apache.tez.dag.records.TezTaskID;
@@ -615,7 +614,7 @@ public class TestDAGImpl {
     fsTokens = new Credentials();
     appContext = mock(AppContext.class);
     historyEventHandler = mock(HistoryEventHandler.class);
-    aclManager = new ACLManager(mock(Groups.class), "amUser");
+    aclManager = new ACLManager("amUser");
     doReturn(conf).when(appContext).getAMConf();
     doReturn(appAttemptId).when(appContext).getApplicationAttemptId();
     doReturn(appAttemptId.getApplicationId()).when(appContext).getApplicationID();

http://git-wip-us.apache.org/repos/asf/tez/blob/fbca9f4c/tez-tests/src/test/java/org/apache/tez/test/TestSecureShuffle.java
----------------------------------------------------------------------
diff --git a/tez-tests/src/test/java/org/apache/tez/test/TestSecureShuffle.java b/tez-tests/src/test/java/org/apache/tez/test/TestSecureShuffle.java
index 32360ef..8cce736 100644
--- a/tez-tests/src/test/java/org/apache/tez/test/TestSecureShuffle.java
+++ b/tez-tests/src/test/java/org/apache/tez/test/TestSecureShuffle.java
@@ -100,8 +100,8 @@ public class TestSecureShuffle {
   @AfterClass
   public static void shutdownDFSCluster() {
     if (miniDFSCluster != null) {
-      //shutdown and delete cluster dirs
-      miniDFSCluster.shutdown(true);
+      //shutdown
+      miniDFSCluster.shutdown();
     }
   }
 


Mime
View raw message