tez-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From jeag...@apache.org
Subject [17/25] git commit: TEZ-1524. Resolve user group information only if ACLs are enabled (gopalv)
Date Thu, 18 Sep 2014 19:50:02 GMT
TEZ-1524. Resolve user group information only if ACLs are enabled (gopalv)


Project: http://git-wip-us.apache.org/repos/asf/tez/repo
Commit: http://git-wip-us.apache.org/repos/asf/tez/commit/edb841c0
Tree: http://git-wip-us.apache.org/repos/asf/tez/tree/edb841c0
Diff: http://git-wip-us.apache.org/repos/asf/tez/diff/edb841c0

Branch: refs/heads/TEZ-8
Commit: edb841c08de123ff2c5ace0662ae78bf3c58f2c0
Parents: 9dd0cb4
Author: Gopal V <gopalv@apache.org>
Authored: Fri Sep 12 15:04:32 2014 -0700
Committer: Gopal V <gopalv@apache.org>
Committed: Fri Sep 12 15:04:32 2014 -0700

----------------------------------------------------------------------
 CHANGES.txt                                     |   1 +
 .../apache/tez/common/security/ACLManager.java  |  30 +-
 .../tez/common/security/TestACLManager.java     | 417 ++++++++++---------
 ...DAGClientAMProtocolBlockingPBServerImpl.java |  40 +-
 4 files changed, 250 insertions(+), 238 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/tez/blob/edb841c0/CHANGES.txt
----------------------------------------------------------------------
diff --git a/CHANGES.txt b/CHANGES.txt
index f71c2e2..59be260 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -17,6 +17,7 @@ ALL CHANGES:
   TEZ-1578. Remove TeraSort from Tez codebase.
   TEZ-1569. Add tests for preemption
   TEZ-1580. Change TestOrderedWordCount to optionally use MR configs.
+  TEZ-1524. Resolve user group information only if ACLs are enabled.
 
 Release 0.5.1: Unreleased
 

http://git-wip-us.apache.org/repos/asf/tez/blob/edb841c0/tez-api/src/main/java/org/apache/tez/common/security/ACLManager.java
----------------------------------------------------------------------
diff --git a/tez-api/src/main/java/org/apache/tez/common/security/ACLManager.java b/tez-api/src/main/java/org/apache/tez/common/security/ACLManager.java
index d8be327..77ab065 100644
--- a/tez-api/src/main/java/org/apache/tez/common/security/ACLManager.java
+++ b/tez-api/src/main/java/org/apache/tez/common/security/ACLManager.java
@@ -18,6 +18,7 @@
 
 package org.apache.tez.common.security;
 
+import java.util.Arrays;
 import java.util.Collection;
 import java.util.EnumSet;
 import java.util.HashMap;
@@ -29,6 +30,7 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.classification.InterfaceAudience.Private;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.yarn.api.records.ApplicationAccessType;
 import org.apache.tez.dag.api.TezConfiguration;
 
@@ -92,13 +94,19 @@ public class ACLManager {
   }
 
   @VisibleForTesting
-  boolean checkAccess(String user, Collection<String> userGroups, ACLType aclType)
{
+  boolean checkAccess(UserGroupInformation ugi, ACLType aclType) {
+
     if (!aclsEnabled) {
       return true;
     }
+
+    String user = ugi.getShortUserName();
+    Collection<String> userGroups = Arrays.asList(ugi.getGroupNames());
+
     if (amUser.equals(user)) {
       return true;
     }
+
     if (EnumSet.of(ACLType.DAG_MODIFY_ACL, ACLType.DAG_VIEW_ACL).contains(aclType)) {
       if (dagUser != null && dagUser.equals(user)) {
         return true;
@@ -129,22 +137,22 @@ public class ACLManager {
     return false;
   }
 
-  public boolean checkAMViewAccess(String user, Collection<String> userGroups) {
-    return checkAccess(user, userGroups, ACLType.AM_VIEW_ACL);
+  public boolean checkAMViewAccess(UserGroupInformation ugi) {
+    return checkAccess(ugi, ACLType.AM_VIEW_ACL);
   }
 
-  public boolean checkAMModifyAccess(String user, Collection<String> userGroups) {
-    return checkAccess(user, userGroups, ACLType.AM_MODIFY_ACL);
+  public boolean checkAMModifyAccess(UserGroupInformation ugi) {
+    return checkAccess(ugi, ACLType.AM_MODIFY_ACL);
   }
 
-  public boolean checkDAGViewAccess(String user, Collection<String> userGroups) {
-    return checkAccess(user, userGroups, ACLType.AM_VIEW_ACL)
-        || checkAccess(user, userGroups, ACLType.DAG_VIEW_ACL);
+  public boolean checkDAGViewAccess(UserGroupInformation ugi) {
+    return checkAccess(ugi, ACLType.AM_VIEW_ACL)
+        || checkAccess(ugi, ACLType.DAG_VIEW_ACL);
   }
 
-  public boolean checkDAGModifyAccess(String user, Collection<String> userGroups) {
-    return checkAccess(user, userGroups, ACLType.AM_MODIFY_ACL)
-        || checkAccess(user, userGroups, ACLType.DAG_MODIFY_ACL);
+  public boolean checkDAGModifyAccess(UserGroupInformation ugi) {
+    return checkAccess(ugi, ACLType.AM_MODIFY_ACL)
+        || checkAccess(ugi, ACLType.DAG_MODIFY_ACL);
   }
 
   public Map<ApplicationAccessType, String> toYARNACls() {

http://git-wip-us.apache.org/repos/asf/tez/blob/edb841c0/tez-api/src/test/java/org/apache/tez/common/security/TestACLManager.java
----------------------------------------------------------------------
diff --git a/tez-api/src/test/java/org/apache/tez/common/security/TestACLManager.java b/tez-api/src/test/java/org/apache/tez/common/security/TestACLManager.java
index 7ad4ede..bc35b51 100644
--- a/tez-api/src/test/java/org/apache/tez/common/security/TestACLManager.java
+++ b/tez-api/src/test/java/org/apache/tez/common/security/TestACLManager.java
@@ -23,6 +23,7 @@ import java.util.Map;
 import java.util.Set;
 
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.yarn.api.records.ApplicationAccessType;
 import org.apache.tez.dag.api.TezConfiguration;
 import org.apache.tez.dag.api.TezConstants;
@@ -33,138 +34,141 @@ import com.google.common.collect.Sets;
 
 public class TestACLManager {
 
-  private static final Set<String> noGroups = Sets.newHashSet();
+  private static final String[] noGroups = new String[0];
 
   @Test
   public void testCurrentUserACLChecks() {
-    String currentUser = "currentUser";
-    ACLManager aclManager = new ACLManager(currentUser);
+    UserGroupInformation currentUser = UserGroupInformation.createUserForTesting("currentUser",
noGroups);
+    UserGroupInformation dagUser = UserGroupInformation.createUserForTesting("dagUser", noGroups);
+    UserGroupInformation user1 = UserGroupInformation.createUserForTesting("user1", noGroups);
 
-    String user = "user1";
-    Assert.assertFalse(aclManager.checkAccess(user, null, ACLType.AM_VIEW_ACL));
-    Assert.assertFalse(aclManager.checkAccess(user, null, ACLType.AM_MODIFY_ACL));
+    ACLManager aclManager = new ACLManager(currentUser.getShortUserName());
+
+    UserGroupInformation user = user1;
+
+    Assert.assertFalse(aclManager.checkAccess(user, ACLType.AM_VIEW_ACL));
+    Assert.assertFalse(aclManager.checkAccess(user, ACLType.AM_MODIFY_ACL));
 
     user = currentUser;
-    Assert.assertTrue(aclManager.checkAccess(user, null, ACLType.AM_VIEW_ACL));
-    Assert.assertTrue(aclManager.checkAccess(user, null, ACLType.AM_MODIFY_ACL));
+    Assert.assertTrue(aclManager.checkAccess(user, ACLType.AM_VIEW_ACL));
+    Assert.assertTrue(aclManager.checkAccess(user, ACLType.AM_MODIFY_ACL));
 
-    aclManager = new ACLManager(currentUser, new Configuration(false));
+    aclManager = new ACLManager(currentUser.getShortUserName(), new Configuration(false));
 
-    user = "user1";
-    Assert.assertFalse(aclManager.checkAccess(user, null, ACLType.AM_VIEW_ACL));
-    Assert.assertFalse(aclManager.checkAccess(user, null, ACLType.AM_MODIFY_ACL));
+    user = user1;
+    Assert.assertFalse(aclManager.checkAccess(user, ACLType.AM_VIEW_ACL));
+    Assert.assertFalse(aclManager.checkAccess(user, ACLType.AM_MODIFY_ACL));
 
     user = currentUser;
-    Assert.assertTrue(aclManager.checkAccess(user, null, ACLType.AM_VIEW_ACL));
-    Assert.assertTrue(aclManager.checkAccess(user, null, ACLType.AM_MODIFY_ACL));
+    Assert.assertTrue(aclManager.checkAccess(user, ACLType.AM_VIEW_ACL));
+    Assert.assertTrue(aclManager.checkAccess(user, ACLType.AM_MODIFY_ACL));
 
-    String dagUser = "dagUser";
-    ACLManager dagAclManager = new ACLManager(aclManager, dagUser, new Configuration(false));
+    ACLManager dagAclManager = new ACLManager(aclManager, dagUser.getShortUserName(), new
Configuration(false));
     user = dagUser;
-    Assert.assertFalse(dagAclManager.checkAccess(user, null, ACLType.AM_VIEW_ACL));
-    Assert.assertFalse(dagAclManager.checkAccess(user, null, ACLType.AM_MODIFY_ACL));
-    Assert.assertTrue(dagAclManager.checkAccess(user, null, ACLType.DAG_VIEW_ACL));
-    Assert.assertTrue(dagAclManager.checkAccess(user, null, ACLType.DAG_MODIFY_ACL));
-    user = "user1";
-    Assert.assertFalse(dagAclManager.checkAccess(user, null, ACLType.DAG_VIEW_ACL));
-    Assert.assertFalse(dagAclManager.checkAccess(user, null, ACLType.DAG_MODIFY_ACL));
+    Assert.assertFalse(dagAclManager.checkAccess(user, ACLType.AM_VIEW_ACL));
+    Assert.assertFalse(dagAclManager.checkAccess(user, ACLType.AM_MODIFY_ACL));
+    Assert.assertTrue(dagAclManager.checkAccess(user, ACLType.DAG_VIEW_ACL));
+    Assert.assertTrue(dagAclManager.checkAccess(user, ACLType.DAG_MODIFY_ACL));
+    user = user1;
+    Assert.assertFalse(dagAclManager.checkAccess(user, ACLType.DAG_VIEW_ACL));
+    Assert.assertFalse(dagAclManager.checkAccess(user, ACLType.DAG_MODIFY_ACL));
   }
 
   @Test
   public void testOtherUserACLChecks() throws IOException {
-    Set<String> groups1 = Sets.newHashSet("grp1", "grp2");
-    Set<String> groups2 = Sets.newHashSet("grp3", "grp4");
-    Set<String> groups3 = Sets.newHashSet("grp5", "grp6");
-
-    String currentUser = "currentUser";
-    String user1 = "user1"; // belongs to grp1 and grp2
-    String user2 = "user2"; // belongs to grp3 and grp4
-    String user3 = "user3";
-    String user4 = "user4";
-    String user5 = "user5"; // belongs to grp5 and grp6
-    String user6 = "user6";
+    String[] groups1 = new String[] {"grp1", "grp2"};
+    String[] groups2 = new String[] {"grp3", "grp4"};
+    String[] groups3 = new String[] {"grp5", "grp6"};
+
+    UserGroupInformation currentUser = UserGroupInformation.createUserForTesting("currentUser",
noGroups);
+    UserGroupInformation user1 = UserGroupInformation.createUserForTesting("user1", groups1);
// belongs to grp1 and grp2
+    UserGroupInformation user2 = UserGroupInformation.createUserForTesting("user2", groups2);
// belongs to grp3 and grp4
+    UserGroupInformation user3 = UserGroupInformation.createUserForTesting("user3", noGroups);
+    UserGroupInformation user4 = UserGroupInformation.createUserForTesting("user4", noGroups);
+    UserGroupInformation user5 = UserGroupInformation.createUserForTesting("user5", groups3);
// belongs to grp5 and grp6
+    UserGroupInformation user6 = UserGroupInformation.createUserForTesting("user6", noGroups);
 
     Configuration conf = new Configuration(false);
     // View ACLs: user1, user4, grp3, grp4.
-    String viewACLs = user1 + "," + user4
+    String viewACLs = user1.getShortUserName() + "," + user4.getShortUserName()
         + "   " + "grp3,grp4  ";
     // Modify ACLs: user3, grp6, grp7
-    String modifyACLs = user3 + "  " + "grp6,grp7";
+    String modifyACLs = user3.getShortUserName() + "  " + "grp6,grp7";
     conf.set(TezConfiguration.TEZ_AM_VIEW_ACLS, viewACLs);
     conf.set(TezConfiguration.TEZ_AM_MODIFY_ACLS, modifyACLs);
 
-    ACLManager aclManager = new ACLManager(currentUser, conf);
-
-    Assert.assertTrue(aclManager.checkAccess(currentUser, null, ACLType.AM_VIEW_ACL));
-    Assert.assertTrue(aclManager.checkAccess(user1, groups1, ACLType.AM_VIEW_ACL));
-    Assert.assertTrue(aclManager.checkAccess(user2, groups2, ACLType.AM_VIEW_ACL));
-    Assert.assertFalse(aclManager.checkAccess(user3, noGroups, ACLType.AM_VIEW_ACL));
-    Assert.assertTrue(aclManager.checkAccess(user4, noGroups, ACLType.AM_VIEW_ACL));
-    Assert.assertFalse(aclManager.checkAccess(user5, groups3, ACLType.AM_VIEW_ACL));
-    Assert.assertFalse(aclManager.checkAccess(user6, noGroups, ACLType.AM_VIEW_ACL));
-
-    Assert.assertTrue(aclManager.checkAccess(currentUser, null, ACLType.AM_MODIFY_ACL));
-    Assert.assertFalse(aclManager.checkAccess(user1, groups1, ACLType.AM_MODIFY_ACL));
-    Assert.assertFalse(aclManager.checkAccess(user2, groups2, ACLType.AM_MODIFY_ACL));
-    Assert.assertTrue(aclManager.checkAccess(user3, noGroups, ACLType.AM_MODIFY_ACL));
-    Assert.assertFalse(aclManager.checkAccess(user4, noGroups, ACLType.AM_MODIFY_ACL));
-    Assert.assertTrue(aclManager.checkAccess(user5, groups3, ACLType.AM_MODIFY_ACL));
-    Assert.assertFalse(aclManager.checkAccess(user6, noGroups, ACLType.AM_MODIFY_ACL));
+    ACLManager aclManager = new ACLManager(currentUser.getShortUserName(), conf);
+
+    Assert.assertTrue(aclManager.checkAccess(currentUser, ACLType.AM_VIEW_ACL));
+    Assert.assertTrue(aclManager.checkAccess(user1, ACLType.AM_VIEW_ACL));
+    Assert.assertTrue(aclManager.checkAccess(user2, ACLType.AM_VIEW_ACL));
+    Assert.assertFalse(aclManager.checkAccess(user3, ACLType.AM_VIEW_ACL));
+    Assert.assertTrue(aclManager.checkAccess(user4, ACLType.AM_VIEW_ACL));
+    Assert.assertFalse(aclManager.checkAccess(user5,  ACLType.AM_VIEW_ACL));
+    Assert.assertFalse(aclManager.checkAccess(user6, ACLType.AM_VIEW_ACL));
+
+    Assert.assertTrue(aclManager.checkAccess(currentUser, ACLType.AM_MODIFY_ACL));
+    Assert.assertFalse(aclManager.checkAccess(user1, ACLType.AM_MODIFY_ACL));
+    Assert.assertFalse(aclManager.checkAccess(user2, ACLType.AM_MODIFY_ACL));
+    Assert.assertTrue(aclManager.checkAccess(user3, ACLType.AM_MODIFY_ACL));
+    Assert.assertFalse(aclManager.checkAccess(user4, ACLType.AM_MODIFY_ACL));
+    Assert.assertTrue(aclManager.checkAccess(user5, ACLType.AM_MODIFY_ACL));
+    Assert.assertFalse(aclManager.checkAccess(user6, ACLType.AM_MODIFY_ACL));
   }
 
   @Test
   public void testNoGroupsACLChecks() throws IOException {
-    Set<String> groups1 = Sets.newHashSet("grp1", "grp2");
-    Set<String> groups2 = Sets.newHashSet("grp3", "grp4");
-    Set<String> groups3 = Sets.newHashSet("grp5", "grp6");
-
-    String currentUser = "currentUser";
-    String user1 = "user1"; // belongs to grp1 and grp2
-    String user2 = "user2"; // belongs to grp3 and grp4
-    String user3 = "user3";
-    String user4 = "user4";
-    String user5 = "user5"; // belongs to grp5 and grp6
-    String user6 = "user6";
+    String[] groups1 = new String[] {"grp1", "grp2"};
+    String[] groups2 = new String[] {"grp3", "grp4"};
+    String[] groups3 = new String[] {"grp5", "grp6"};
+
+    UserGroupInformation currentUser = UserGroupInformation.createUserForTesting("currentUser",
noGroups);
+    UserGroupInformation user1 = UserGroupInformation.createUserForTesting("user1", groups1);
// belongs to grp1 and grp2
+    UserGroupInformation user2 = UserGroupInformation.createUserForTesting("user2", groups2);
// belongs to grp3 and grp4
+    UserGroupInformation user3 = UserGroupInformation.createUserForTesting("user3", noGroups);
+    UserGroupInformation user4 = UserGroupInformation.createUserForTesting("user4", noGroups);
+    UserGroupInformation user5 = UserGroupInformation.createUserForTesting("user5", groups3);
// belongs to grp5 and grp6
+    UserGroupInformation user6 = UserGroupInformation.createUserForTesting("user6", noGroups);
 
     Configuration conf = new Configuration(false);
     // View ACLs: user1, user4
-    String viewACLs = user1 + "," + user4 + " ";
+    String viewACLs = user1.getShortUserName() + "," + user4.getShortUserName() + " ";
     // Modify ACLs: user3
-    String modifyACLs = "user3  ";
+    String modifyACLs = user3.getShortUserName() + " ";
     conf.set(TezConfiguration.TEZ_AM_VIEW_ACLS, viewACLs);
     conf.set(TezConfiguration.TEZ_AM_MODIFY_ACLS, modifyACLs);
 
-    ACLManager aclManager = new ACLManager(currentUser, conf);
-    Assert.assertTrue(aclManager.checkAccess(currentUser, null, ACLType.AM_VIEW_ACL));
-    Assert.assertTrue(aclManager.checkAccess(user1, groups1, ACLType.AM_VIEW_ACL));
-    Assert.assertFalse(aclManager.checkAccess(user2, groups2, ACLType.AM_VIEW_ACL));
-    Assert.assertFalse(aclManager.checkAccess(user3, noGroups, ACLType.AM_VIEW_ACL));
-    Assert.assertTrue(aclManager.checkAccess(user4, noGroups, ACLType.AM_VIEW_ACL));
-    Assert.assertFalse(aclManager.checkAccess(user5, groups3, ACLType.AM_VIEW_ACL));
-    Assert.assertFalse(aclManager.checkAccess(user6, noGroups, ACLType.AM_VIEW_ACL));
-
-    Assert.assertTrue(aclManager.checkAccess(currentUser, null, ACLType.AM_MODIFY_ACL));
-    Assert.assertFalse(aclManager.checkAccess(user1, groups1, ACLType.AM_MODIFY_ACL));
-    Assert.assertFalse(aclManager.checkAccess(user2, groups2, ACLType.AM_MODIFY_ACL));
-    Assert.assertTrue(aclManager.checkAccess(user3, noGroups, ACLType.AM_MODIFY_ACL));
-    Assert.assertFalse(aclManager.checkAccess(user4, noGroups, ACLType.AM_MODIFY_ACL));
-    Assert.assertFalse(aclManager.checkAccess(user5, groups3, ACLType.AM_MODIFY_ACL));
-    Assert.assertFalse(aclManager.checkAccess(user6, noGroups, ACLType.AM_MODIFY_ACL));
+    ACLManager aclManager = new ACLManager(currentUser.getShortUserName(), conf);
+    Assert.assertTrue(aclManager.checkAccess(currentUser, ACLType.AM_VIEW_ACL));
+    Assert.assertTrue(aclManager.checkAccess(user1, ACLType.AM_VIEW_ACL));
+    Assert.assertFalse(aclManager.checkAccess(user2, ACLType.AM_VIEW_ACL));
+    Assert.assertFalse(aclManager.checkAccess(user3, ACLType.AM_VIEW_ACL));
+    Assert.assertTrue(aclManager.checkAccess(user4, ACLType.AM_VIEW_ACL));
+    Assert.assertFalse(aclManager.checkAccess(user5, ACLType.AM_VIEW_ACL));
+    Assert.assertFalse(aclManager.checkAccess(user6, ACLType.AM_VIEW_ACL));
+
+    Assert.assertTrue(aclManager.checkAccess(currentUser, ACLType.AM_MODIFY_ACL));
+    Assert.assertFalse(aclManager.checkAccess(user1, ACLType.AM_MODIFY_ACL));
+    Assert.assertFalse(aclManager.checkAccess(user2, ACLType.AM_MODIFY_ACL));
+    Assert.assertTrue(aclManager.checkAccess(user3, ACLType.AM_MODIFY_ACL));
+    Assert.assertFalse(aclManager.checkAccess(user4, ACLType.AM_MODIFY_ACL));
+    Assert.assertFalse(aclManager.checkAccess(user5, ACLType.AM_MODIFY_ACL));
+    Assert.assertFalse(aclManager.checkAccess(user6, ACLType.AM_MODIFY_ACL));
   }
 
   @Test
   public void checkAMACLs() throws IOException {
-    Set<String> groups1 = Sets.newHashSet("grp1", "grp2");
-    Set<String> groups2 = Sets.newHashSet("grp3", "grp4");
-    Set<String> groups3 = Sets.newHashSet("grp5", "grp6");
-
-    String currentUser = "currentUser";
-    String user1 = "user1"; // belongs to grp1 and grp2
-    String user2 = "user2"; // belongs to grp3 and grp4
-    String user3 = "user3";
-    String user4 = "user4";
-    String user5 = "user5"; // belongs to grp5 and grp6
-    String user6 = "user6";
+    String[] groups1 = new String[] {"grp1", "grp2"};
+    String[] groups2 = new String[] {"grp3", "grp4"};
+    String[] groups3 = new String[] {"grp5", "grp6"};
+
+    UserGroupInformation currentUser = UserGroupInformation.createUserForTesting("currentUser",
noGroups);
+    UserGroupInformation user1 = UserGroupInformation.createUserForTesting("user1", groups1);
// belongs to grp1 and grp2
+    UserGroupInformation user2 = UserGroupInformation.createUserForTesting("user2", groups2);
// belongs to grp3 and grp4
+    UserGroupInformation user3 = UserGroupInformation.createUserForTesting("user3", noGroups);
+    UserGroupInformation user4 = UserGroupInformation.createUserForTesting("user4", noGroups);
+    UserGroupInformation user5 = UserGroupInformation.createUserForTesting("user5", groups3);
// belongs to grp5 and grp6
+    UserGroupInformation user6 = UserGroupInformation.createUserForTesting("user6", noGroups);
 
     Configuration conf = new Configuration(false);
     // View ACLs: user1, user4, grp3, grp4.
@@ -174,55 +178,55 @@ public class TestACLManager {
     conf.set(TezConfiguration.TEZ_AM_VIEW_ACLS, viewACLs);
     conf.set(TezConfiguration.TEZ_AM_MODIFY_ACLS, modifyACLs);
 
-    ACLManager aclManager = new ACLManager(currentUser, conf);
-
-    Assert.assertTrue(aclManager.checkAMViewAccess(currentUser, null));
-    Assert.assertTrue(aclManager.checkAMViewAccess(user1, groups1));
-    Assert.assertTrue(aclManager.checkAMViewAccess(user2, groups2));
-    Assert.assertFalse(aclManager.checkAMViewAccess(user3, noGroups));
-    Assert.assertTrue(aclManager.checkAMViewAccess(user4, noGroups));
-    Assert.assertFalse(aclManager.checkAMViewAccess(user5, groups3));
-    Assert.assertFalse(aclManager.checkAMViewAccess(user6, noGroups));
-
-    Assert.assertTrue(aclManager.checkAMModifyAccess(currentUser, null));
-    Assert.assertFalse(aclManager.checkAMModifyAccess(user1, groups1));
-    Assert.assertFalse(aclManager.checkAMModifyAccess(user2, groups2));
-    Assert.assertTrue(aclManager.checkAMModifyAccess(user3, noGroups));
-    Assert.assertFalse(aclManager.checkAMModifyAccess(user4, noGroups));
-    Assert.assertTrue(aclManager.checkAMModifyAccess(user5, groups3));
-    Assert.assertFalse(aclManager.checkAMModifyAccess(user6, noGroups));
-
-    Assert.assertTrue(aclManager.checkDAGViewAccess(currentUser, null));
-    Assert.assertTrue(aclManager.checkDAGViewAccess(user1, groups1));
-    Assert.assertTrue(aclManager.checkDAGViewAccess(user2, groups2));
-    Assert.assertFalse(aclManager.checkDAGViewAccess(user3, noGroups));
-    Assert.assertTrue(aclManager.checkDAGViewAccess(user4, noGroups));
-    Assert.assertFalse(aclManager.checkDAGViewAccess(user5, groups3));
-    Assert.assertFalse(aclManager.checkDAGViewAccess(user6, noGroups));
-
-    Assert.assertTrue(aclManager.checkDAGModifyAccess(currentUser, null));
-    Assert.assertFalse(aclManager.checkDAGModifyAccess(user1, groups1));
-    Assert.assertFalse(aclManager.checkDAGModifyAccess(user2, groups2));
-    Assert.assertTrue(aclManager.checkDAGModifyAccess(user3, noGroups));
-    Assert.assertFalse(aclManager.checkDAGModifyAccess(user4, noGroups));
-    Assert.assertTrue(aclManager.checkDAGModifyAccess(user5, groups3));
-    Assert.assertFalse(aclManager.checkDAGModifyAccess(user6, noGroups));
+    ACLManager aclManager = new ACLManager(currentUser.getShortUserName(), conf);
+
+    Assert.assertTrue(aclManager.checkAMViewAccess(currentUser));
+    Assert.assertTrue(aclManager.checkAMViewAccess(user1));
+    Assert.assertTrue(aclManager.checkAMViewAccess(user2));
+    Assert.assertFalse(aclManager.checkAMViewAccess(user3));
+    Assert.assertTrue(aclManager.checkAMViewAccess(user4));
+    Assert.assertFalse(aclManager.checkAMViewAccess(user5));
+    Assert.assertFalse(aclManager.checkAMViewAccess(user6));
+
+    Assert.assertTrue(aclManager.checkAMModifyAccess(currentUser));
+    Assert.assertFalse(aclManager.checkAMModifyAccess(user1));
+    Assert.assertFalse(aclManager.checkAMModifyAccess(user2));
+    Assert.assertTrue(aclManager.checkAMModifyAccess(user3));
+    Assert.assertFalse(aclManager.checkAMModifyAccess(user4));
+    Assert.assertTrue(aclManager.checkAMModifyAccess(user5));
+    Assert.assertFalse(aclManager.checkAMModifyAccess(user6));
+
+    Assert.assertTrue(aclManager.checkDAGViewAccess(currentUser));
+    Assert.assertTrue(aclManager.checkDAGViewAccess(user1));
+    Assert.assertTrue(aclManager.checkDAGViewAccess(user2));
+    Assert.assertFalse(aclManager.checkDAGViewAccess(user3));
+    Assert.assertTrue(aclManager.checkDAGViewAccess(user4));
+    Assert.assertFalse(aclManager.checkDAGViewAccess(user5));
+    Assert.assertFalse(aclManager.checkDAGViewAccess(user6));
+
+    Assert.assertTrue(aclManager.checkDAGModifyAccess(currentUser));
+    Assert.assertFalse(aclManager.checkDAGModifyAccess(user1));
+    Assert.assertFalse(aclManager.checkDAGModifyAccess(user2));
+    Assert.assertTrue(aclManager.checkDAGModifyAccess(user3));
+    Assert.assertFalse(aclManager.checkDAGModifyAccess(user4));
+    Assert.assertTrue(aclManager.checkDAGModifyAccess(user5));
+    Assert.assertFalse(aclManager.checkDAGModifyAccess(user6));
 
   }
 
   @Test
   public void checkDAGACLs() throws IOException {
-    Set<String> groups1 = Sets.newHashSet("grp1", "grp2");
-    Set<String> groups2 = Sets.newHashSet("grp3", "grp4");
-    Set<String> groups3 = Sets.newHashSet("grp5", "grp6");
-
-    String currentUser = "currentUser";
-    String user1 = "user1"; // belongs to grp1 and grp2
-    String user2 = "user2"; // belongs to grp3 and grp4
-    String user3 = "user3";
-    String user4 = "user4";
-    String user5 = "user5"; // belongs to grp5 and grp6
-    String user6 = "user6";
+    String[] groups1 = new String[] {"grp1", "grp2"};
+    String[] groups2 = new String[] {"grp3", "grp4"};
+    String[] groups3 = new String[] {"grp5", "grp6"};
+
+    UserGroupInformation currentUser = UserGroupInformation.createUserForTesting("currentUser",
noGroups);
+    UserGroupInformation user1 = UserGroupInformation.createUserForTesting("user1", groups1);
// belongs to grp1 and grp2
+    UserGroupInformation user2 = UserGroupInformation.createUserForTesting("user2", groups2);
// belongs to grp3 and grp4
+    UserGroupInformation user3 = UserGroupInformation.createUserForTesting("user3", noGroups);
+    UserGroupInformation user4 = UserGroupInformation.createUserForTesting("user4", noGroups);
+    UserGroupInformation user5 = UserGroupInformation.createUserForTesting("user5", groups3);
// belongs to grp5 and grp6
+    UserGroupInformation user6 = UserGroupInformation.createUserForTesting("user6", noGroups);
 
     Configuration conf = new Configuration(false);
     // View ACLs: user1, user4, grp3, grp4.
@@ -239,46 +243,46 @@ public class TestACLManager {
     conf.set(TezConstants.TEZ_DAG_VIEW_ACLS, dagViewACLs);
     conf.set(TezConstants.TEZ_DAG_MODIFY_ACLS, dagModifyACLs);
 
-    String dagUser = "dagUser";
-
-    ACLManager amAclManager = new ACLManager(currentUser, conf);
-    ACLManager aclManager = new ACLManager(amAclManager, dagUser, conf);
-
-    Assert.assertTrue(aclManager.checkAMViewAccess(currentUser, null));
-    Assert.assertFalse(aclManager.checkAMViewAccess(dagUser, null));
-    Assert.assertTrue(aclManager.checkAMViewAccess(user1, groups1));
-    Assert.assertTrue(aclManager.checkAMViewAccess(user2, groups2));
-    Assert.assertFalse(aclManager.checkAMViewAccess(user3, noGroups));
-    Assert.assertTrue(aclManager.checkAMViewAccess(user4, noGroups));
-    Assert.assertFalse(aclManager.checkAMViewAccess(user5, groups3));
-    Assert.assertFalse(aclManager.checkAMViewAccess(user6, noGroups));
-
-    Assert.assertTrue(aclManager.checkAMModifyAccess(currentUser, null));
-    Assert.assertFalse(aclManager.checkAMModifyAccess(dagUser, null));
-    Assert.assertFalse(aclManager.checkAMModifyAccess(user1, groups1));
-    Assert.assertFalse(aclManager.checkAMModifyAccess(user2, groups2));
-    Assert.assertTrue(aclManager.checkAMModifyAccess(user3, noGroups));
-    Assert.assertFalse(aclManager.checkAMModifyAccess(user4, noGroups));
-    Assert.assertTrue(aclManager.checkAMModifyAccess(user5, groups3));
-    Assert.assertFalse(aclManager.checkAMModifyAccess(user6, noGroups));
-
-    Assert.assertTrue(aclManager.checkDAGViewAccess(currentUser, null));
-    Assert.assertTrue(aclManager.checkDAGViewAccess(dagUser, null));
-    Assert.assertTrue(aclManager.checkDAGViewAccess(user1, groups1));
-    Assert.assertTrue(aclManager.checkDAGViewAccess(user2, groups2));
-    Assert.assertFalse(aclManager.checkDAGViewAccess(user3, noGroups));
-    Assert.assertTrue(aclManager.checkDAGViewAccess(user4, noGroups));
-    Assert.assertTrue(aclManager.checkDAGViewAccess(user5, groups3));
-    Assert.assertTrue(aclManager.checkDAGViewAccess(user6, noGroups));
-
-    Assert.assertTrue(aclManager.checkDAGModifyAccess(currentUser, null));
-    Assert.assertTrue(aclManager.checkDAGModifyAccess(dagUser, null));
-    Assert.assertFalse(aclManager.checkDAGModifyAccess(user1, groups1));
-    Assert.assertFalse(aclManager.checkDAGModifyAccess(user2, groups2));
-    Assert.assertTrue(aclManager.checkDAGModifyAccess(user3, noGroups));
-    Assert.assertFalse(aclManager.checkDAGModifyAccess(user4, noGroups));
-    Assert.assertTrue(aclManager.checkDAGModifyAccess(user5, groups3));
-    Assert.assertTrue(aclManager.checkDAGModifyAccess(user6, noGroups));
+    UserGroupInformation dagUser = UserGroupInformation.createUserForTesting("dagUser", noGroups);
+
+    ACLManager amAclManager = new ACLManager(currentUser.getShortUserName(), conf);
+    ACLManager aclManager = new ACLManager(amAclManager, dagUser.getShortUserName(), conf);
+
+    Assert.assertTrue(aclManager.checkAMViewAccess(currentUser));
+    Assert.assertFalse(aclManager.checkAMViewAccess(dagUser));
+    Assert.assertTrue(aclManager.checkAMViewAccess(user1));
+    Assert.assertTrue(aclManager.checkAMViewAccess(user2));
+    Assert.assertFalse(aclManager.checkAMViewAccess(user3));
+    Assert.assertTrue(aclManager.checkAMViewAccess(user4));
+    Assert.assertFalse(aclManager.checkAMViewAccess(user5));
+    Assert.assertFalse(aclManager.checkAMViewAccess(user6));
+
+    Assert.assertTrue(aclManager.checkAMModifyAccess(currentUser));
+    Assert.assertFalse(aclManager.checkAMModifyAccess(dagUser));
+    Assert.assertFalse(aclManager.checkAMModifyAccess(user1));
+    Assert.assertFalse(aclManager.checkAMModifyAccess(user2));
+    Assert.assertTrue(aclManager.checkAMModifyAccess(user3));
+    Assert.assertFalse(aclManager.checkAMModifyAccess(user4));
+    Assert.assertTrue(aclManager.checkAMModifyAccess(user5));
+    Assert.assertFalse(aclManager.checkAMModifyAccess(user6));
+
+    Assert.assertTrue(aclManager.checkDAGViewAccess(currentUser));
+    Assert.assertTrue(aclManager.checkDAGViewAccess(dagUser));
+    Assert.assertTrue(aclManager.checkDAGViewAccess(user1));
+    Assert.assertTrue(aclManager.checkDAGViewAccess(user2));
+    Assert.assertFalse(aclManager.checkDAGViewAccess(user3));
+    Assert.assertTrue(aclManager.checkDAGViewAccess(user4));
+    Assert.assertTrue(aclManager.checkDAGViewAccess(user5));
+    Assert.assertTrue(aclManager.checkDAGViewAccess(user6));
+
+    Assert.assertTrue(aclManager.checkDAGModifyAccess(currentUser));
+    Assert.assertTrue(aclManager.checkDAGModifyAccess(dagUser));
+    Assert.assertFalse(aclManager.checkDAGModifyAccess(user1));
+    Assert.assertFalse(aclManager.checkDAGModifyAccess(user2));
+    Assert.assertTrue(aclManager.checkDAGModifyAccess(user3));
+    Assert.assertFalse(aclManager.checkDAGModifyAccess(user4));
+    Assert.assertTrue(aclManager.checkDAGModifyAccess(user5));
+    Assert.assertTrue(aclManager.checkDAGModifyAccess(user6));
 
   }
 
@@ -290,15 +294,18 @@ public class TestACLManager {
     conf.set(TezConfiguration.TEZ_AM_VIEW_ACLS, viewACLs);
     conf.set(TezConfiguration.TEZ_AM_MODIFY_ACLS, modifyACLs);
 
-    ACLManager aclManager = new ACLManager("a1", conf);
-    Assert.assertTrue(aclManager.checkAMViewAccess("a1", null));
-    Assert.assertTrue(aclManager.checkAMViewAccess("u1", null));
-    Assert.assertTrue(aclManager.checkAMModifyAccess("a1", null));
-    Assert.assertTrue(aclManager.checkAMModifyAccess("u1", null));
-    Assert.assertTrue(aclManager.checkDAGViewAccess("a1", null));
-    Assert.assertTrue(aclManager.checkDAGViewAccess("u1", null));
-    Assert.assertTrue(aclManager.checkDAGModifyAccess("a1", null));
-    Assert.assertTrue(aclManager.checkDAGModifyAccess("u1", null));
+    UserGroupInformation a1 = UserGroupInformation.createUserForTesting("a1", noGroups);
+    UserGroupInformation u1 = UserGroupInformation.createUserForTesting("u1", noGroups);
+
+    ACLManager aclManager = new ACLManager(a1.getShortUserName(), conf);
+    Assert.assertTrue(aclManager.checkAMViewAccess(a1));
+    Assert.assertTrue(aclManager.checkAMViewAccess(u1));
+    Assert.assertTrue(aclManager.checkAMModifyAccess(a1));
+    Assert.assertTrue(aclManager.checkAMModifyAccess(u1));
+    Assert.assertTrue(aclManager.checkDAGViewAccess(a1));
+    Assert.assertTrue(aclManager.checkDAGViewAccess(u1));
+    Assert.assertTrue(aclManager.checkDAGModifyAccess(a1));
+    Assert.assertTrue(aclManager.checkDAGModifyAccess(u1));
   }
 
   @Test
@@ -309,25 +316,29 @@ public class TestACLManager {
     String modifyACLs = "a2,u2 ";
     conf.set(TezConfiguration.TEZ_AM_VIEW_ACLS, viewACLs);
     conf.set(TezConfiguration.TEZ_AM_MODIFY_ACLS, modifyACLs);
-    ACLManager aclManager = new ACLManager("a1", conf);
-    Assert.assertTrue(aclManager.checkAMViewAccess("a1", null));
-    Assert.assertTrue(aclManager.checkAMViewAccess("u1", null));
-    Assert.assertTrue(aclManager.checkAMModifyAccess("a1", null));
-    Assert.assertTrue(aclManager.checkAMModifyAccess("u1", null));
-    Assert.assertTrue(aclManager.checkDAGViewAccess("a1", null));
-    Assert.assertTrue(aclManager.checkDAGViewAccess("u1", null));
-    Assert.assertTrue(aclManager.checkDAGModifyAccess("a1", null));
-    Assert.assertTrue(aclManager.checkDAGModifyAccess("u1", null));
+
+    UserGroupInformation a1 = UserGroupInformation.createUserForTesting("a1", noGroups);
+    UserGroupInformation u1 = UserGroupInformation.createUserForTesting("u1", noGroups);
+
+    ACLManager aclManager = new ACLManager(a1.getShortUserName(), conf);
+    Assert.assertTrue(aclManager.checkAMViewAccess(a1));
+    Assert.assertTrue(aclManager.checkAMViewAccess(u1));
+    Assert.assertTrue(aclManager.checkAMModifyAccess(a1));
+    Assert.assertTrue(aclManager.checkAMModifyAccess(u1));
+    Assert.assertTrue(aclManager.checkDAGViewAccess(a1));
+    Assert.assertTrue(aclManager.checkDAGViewAccess(u1));
+    Assert.assertTrue(aclManager.checkDAGModifyAccess(a1));
+    Assert.assertTrue(aclManager.checkDAGModifyAccess(u1));
 
     ACLManager dagAclManager = new ACLManager(aclManager, "dagUser", null);
-    Assert.assertTrue(dagAclManager.checkAMViewAccess("a1", null));
-    Assert.assertTrue(dagAclManager.checkAMViewAccess("u1", null));
-    Assert.assertTrue(dagAclManager.checkAMModifyAccess("a1", null));
-    Assert.assertTrue(dagAclManager.checkAMModifyAccess("u1", null));
-    Assert.assertTrue(dagAclManager.checkDAGViewAccess("a1", null));
-    Assert.assertTrue(dagAclManager.checkDAGViewAccess("u1", null));
-    Assert.assertTrue(dagAclManager.checkDAGModifyAccess("a1", null));
-    Assert.assertTrue(dagAclManager.checkDAGModifyAccess("u1", null));
+    Assert.assertTrue(dagAclManager.checkAMViewAccess(a1));
+    Assert.assertTrue(dagAclManager.checkAMViewAccess(u1));
+    Assert.assertTrue(dagAclManager.checkAMModifyAccess(a1));
+    Assert.assertTrue(dagAclManager.checkAMModifyAccess(u1));
+    Assert.assertTrue(dagAclManager.checkDAGViewAccess(a1));
+    Assert.assertTrue(dagAclManager.checkDAGViewAccess(u1));
+    Assert.assertTrue(dagAclManager.checkDAGModifyAccess(a1));
+    Assert.assertTrue(dagAclManager.checkDAGModifyAccess(u1));
   }
 
   @Test

http://git-wip-us.apache.org/repos/asf/tez/blob/edb841c0/tez-dag/src/main/java/org/apache/tez/dag/api/client/rpc/DAGClientAMProtocolBlockingPBServerImpl.java
----------------------------------------------------------------------
diff --git a/tez-dag/src/main/java/org/apache/tez/dag/api/client/rpc/DAGClientAMProtocolBlockingPBServerImpl.java
b/tez-dag/src/main/java/org/apache/tez/dag/api/client/rpc/DAGClientAMProtocolBlockingPBServerImpl.java
index 6381b71..c054305 100644
--- a/tez-dag/src/main/java/org/apache/tez/dag/api/client/rpc/DAGClientAMProtocolBlockingPBServerImpl.java
+++ b/tez-dag/src/main/java/org/apache/tez/dag/api/client/rpc/DAGClientAMProtocolBlockingPBServerImpl.java
@@ -62,17 +62,9 @@ public class DAGClientAMProtocolBlockingPBServerImpl implements DAGClientAMProto
     this.real = real;
   }
 
-  private String getRPCUserName() throws ServiceException {
+  private UserGroupInformation getRPCUser() throws ServiceException {
     try {
-      return UserGroupInformation.getCurrentUser().getShortUserName();
-    } catch (IOException e) {
-      throw wrapException(e);
-    }
-  }
-
-  private List<String> getRPCUserGroups() throws ServiceException {
-    try {
-      return Arrays.asList(UserGroupInformation.getCurrentUser().getGroupNames());
+      return UserGroupInformation.getCurrentUser();
     } catch (IOException e) {
       throw wrapException(e);
     }
@@ -81,8 +73,8 @@ public class DAGClientAMProtocolBlockingPBServerImpl implements DAGClientAMProto
   @Override
   public GetAllDAGsResponseProto getAllDAGs(RpcController controller,
       GetAllDAGsRequestProto request) throws ServiceException {
-    String user = getRPCUserName();
-    if (!real.getACLManager().checkAMViewAccess(user, getRPCUserGroups())) {
+    UserGroupInformation user = getRPCUser();
+    if (!real.getACLManager().checkAMViewAccess(user)) {
       throw new AccessControlException("User " + user + " cannot perform AM view operation");
     }
     try{
@@ -96,10 +88,10 @@ public class DAGClientAMProtocolBlockingPBServerImpl implements DAGClientAMProto
   @Override
   public GetDAGStatusResponseProto getDAGStatus(RpcController controller,
       GetDAGStatusRequestProto request) throws ServiceException {
-    String user = getRPCUserName();
+    UserGroupInformation user = getRPCUser();
     try {
       String dagId = request.getDagId();
-      if (!real.getACLManager(dagId).checkDAGViewAccess(user, getRPCUserGroups())) {
+      if (!real.getACLManager(dagId).checkDAGViewAccess(user)) {
         throw new AccessControlException("User " + user + " cannot perform DAG view operation");
       }
       DAGStatus status;
@@ -118,10 +110,10 @@ public class DAGClientAMProtocolBlockingPBServerImpl implements DAGClientAMProto
   @Override
   public GetVertexStatusResponseProto getVertexStatus(RpcController controller,
       GetVertexStatusRequestProto request) throws ServiceException {
-    String user = getRPCUserName();
+    UserGroupInformation user = getRPCUser();
     try {
       String dagId = request.getDagId();
-      if (!real.getACLManager(dagId).checkDAGViewAccess(user, getRPCUserGroups())) {
+      if (!real.getACLManager(dagId).checkDAGViewAccess(user)) {
         throw new AccessControlException("User " + user + " cannot perform DAG view operation");
       }
       String vertexName = request.getVertexName();
@@ -140,10 +132,10 @@ public class DAGClientAMProtocolBlockingPBServerImpl implements DAGClientAMProto
   @Override
   public TryKillDAGResponseProto tryKillDAG(RpcController controller,
       TryKillDAGRequestProto request) throws ServiceException {
-    String user = getRPCUserName();
+    UserGroupInformation user = getRPCUser();
     try {
       String dagId = request.getDagId();
-      if (!real.getACLManager(dagId).checkDAGModifyAccess(user, getRPCUserGroups())) {
+      if (!real.getACLManager(dagId).checkDAGModifyAccess(user)) {
         throw new AccessControlException("User " + user + " cannot perform DAG modify operation");
       }
       real.tryKillDAG(dagId);
@@ -156,8 +148,8 @@ public class DAGClientAMProtocolBlockingPBServerImpl implements DAGClientAMProto
   @Override
   public SubmitDAGResponseProto submitDAG(RpcController controller,
       SubmitDAGRequestProto request) throws ServiceException {
-    String user = getRPCUserName();
-    if (!real.getACLManager().checkAMModifyAccess(user, getRPCUserGroups())) {
+    UserGroupInformation user = getRPCUser();
+    if (!real.getACLManager().checkAMModifyAccess(user)) {
       throw new AccessControlException("User " + user + " cannot perform AM modify operation");
     }
     try{
@@ -181,8 +173,8 @@ public class DAGClientAMProtocolBlockingPBServerImpl implements DAGClientAMProto
   @Override
   public ShutdownSessionResponseProto shutdownSession(RpcController arg0,
       ShutdownSessionRequestProto arg1) throws ServiceException {
-    String user = getRPCUserName();
-    if (!real.getACLManager().checkAMModifyAccess(user, getRPCUserGroups())) {
+    UserGroupInformation user = getRPCUser();
+    if (!real.getACLManager().checkAMModifyAccess(user)) {
       throw new AccessControlException("User " + user + " cannot perform AM modify operation");
     }
     real.shutdownAM();
@@ -192,8 +184,8 @@ public class DAGClientAMProtocolBlockingPBServerImpl implements DAGClientAMProto
   @Override
   public GetAMStatusResponseProto getAMStatus(RpcController controller,
       GetAMStatusRequestProto request) throws ServiceException {
-    String user = getRPCUserName();
-    if (!real.getACLManager().checkAMViewAccess(user, getRPCUserGroups())) {
+    UserGroupInformation user = getRPCUser();
+    if (!real.getACLManager().checkAMViewAccess(user)) {
       throw new AccessControlException("User " + user + " cannot perform AM view operation");
     }
     try {


Mime
View raw message