Return-Path: X-Original-To: apmail-tez-commits-archive@minotaur.apache.org Delivered-To: apmail-tez-commits-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 117D01180E for ; Thu, 18 Sep 2014 19:49:48 +0000 (UTC) Received: (qmail 46726 invoked by uid 500); 18 Sep 2014 19:49:48 -0000 Delivered-To: apmail-tez-commits-archive@tez.apache.org Received: (qmail 46635 invoked by uid 500); 18 Sep 2014 19:49:47 -0000 Mailing-List: contact commits-help@tez.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@tez.apache.org Delivered-To: mailing list commits@tez.apache.org Received: (qmail 46110 invoked by uid 99); 18 Sep 2014 19:49:47 -0000 Received: from tyr.zones.apache.org (HELO tyr.zones.apache.org) (140.211.11.114) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 18 Sep 2014 19:49:47 +0000 Received: by tyr.zones.apache.org (Postfix, from userid 65534) id 6B908A1B8F1; Thu, 18 Sep 2014 19:49:47 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
From: jeagles@apache.org To: commits@tez.apache.org Date: Thu, 18 Sep 2014 19:50:02 -0000 Message-Id: <36bab04c8ade4158ae3b29613f0f908a@git.apache.org> In-Reply-To: References: X-Mailer: ASF-Git Admin Mailer Subject: [17/25] git commit: TEZ-1524. Resolve user group information only if ACLs are enabled (gopalv) TEZ-1524. Resolve user group information only if ACLs are enabled (gopalv) Project: http://git-wip-us.apache.org/repos/asf/tez/repo Commit: http://git-wip-us.apache.org/repos/asf/tez/commit/edb841c0 Tree: http://git-wip-us.apache.org/repos/asf/tez/tree/edb841c0 Diff: http://git-wip-us.apache.org/repos/asf/tez/diff/edb841c0 Branch: refs/heads/TEZ-8 Commit: edb841c08de123ff2c5ace0662ae78bf3c58f2c0 Parents: 9dd0cb4 Author: Gopal V Authored: Fri Sep 12 15:04:32 2014 -0700 Committer: Gopal V Committed: Fri Sep 12 15:04:32 2014 -0700 ---------------------------------------------------------------------- CHANGES.txt | 1 + .../apache/tez/common/security/ACLManager.java | 30 +- .../tez/common/security/TestACLManager.java | 417 ++++++++++--------- ...DAGClientAMProtocolBlockingPBServerImpl.java | 40 +- 4 files changed, 250 insertions(+), 238 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/tez/blob/edb841c0/CHANGES.txt ---------------------------------------------------------------------- diff --git a/CHANGES.txt b/CHANGES.txt index f71c2e2..59be260 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -17,6 +17,7 @@ ALL CHANGES: TEZ-1578. Remove TeraSort from Tez codebase. TEZ-1569. Add tests for preemption TEZ-1580. Change TestOrderedWordCount to optionally use MR configs. + TEZ-1524. Resolve user group information only if ACLs are enabled. Release 0.5.1: Unreleased http://git-wip-us.apache.org/repos/asf/tez/blob/edb841c0/tez-api/src/main/java/org/apache/tez/common/security/ACLManager.java ---------------------------------------------------------------------- 
diff --git a/tez-api/src/main/java/org/apache/tez/common/security/ACLManager.java b/tez-api/src/main/java/org/apache/tez/common/security/ACLManager.java
index d8be327..77ab065 100644
--- a/tez-api/src/main/java/org/apache/tez/common/security/ACLManager.java
+++ b/tez-api/src/main/java/org/apache/tez/common/security/ACLManager.java
@@ -18,6 +18,7 @@ package org.apache.tez.common.security;
+import java.util.Arrays;
 import java.util.Collection;
 import java.util.EnumSet;
 import java.util.HashMap;
@@ -29,6 +30,7 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.classification.InterfaceAudience.Private;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.yarn.api.records.ApplicationAccessType;
 import org.apache.tez.dag.api.TezConfiguration;
@@ -92,13 +94,19 @@ public class ACLManager {
 }
 @VisibleForTesting
- boolean checkAccess(String user, Collection userGroups, ACLType aclType) {
+ boolean checkAccess(UserGroupInformation ugi, ACLType aclType) {
+ if (!aclsEnabled) {
 return true;
 }
+
+ String user = ugi.getShortUserName();
+ Collection userGroups = Arrays.asList(ugi.getGroupNames());
+ if (amUser.equals(user)) {
 return true;
 }
+ if (EnumSet.of(ACLType.DAG_MODIFY_ACL, ACLType.DAG_VIEW_ACL).contains(aclType)) {
 if (dagUser != null && dagUser.equals(user)) {
 return true;
@@ -129,22 +137,22 @@ public class ACLManager { return false; } - public boolean checkAMViewAccess(String user, Collection userGroups) { - return checkAccess(user, userGroups, ACLType.AM_VIEW_ACL); + public boolean checkAMViewAccess(UserGroupInformation ugi) { + return checkAccess(ugi, ACLType.AM_VIEW_ACL); } - public boolean checkAMModifyAccess(String user, Collection userGroups) { - return checkAccess(user, userGroups, ACLType.AM_MODIFY_ACL); + public boolean checkAMModifyAccess(UserGroupInformation ugi) { + return checkAccess(ugi, ACLType.AM_MODIFY_ACL); } - public boolean checkDAGViewAccess(String user, Collection userGroups) { - return checkAccess(user, userGroups, ACLType.AM_VIEW_ACL) - || checkAccess(user, userGroups, ACLType.DAG_VIEW_ACL); + public boolean checkDAGViewAccess(UserGroupInformation ugi) { + return checkAccess(ugi, ACLType.AM_VIEW_ACL) + || checkAccess(ugi, ACLType.DAG_VIEW_ACL); } - public boolean checkDAGModifyAccess(String user, Collection userGroups) { - return checkAccess(user, userGroups, ACLType.AM_MODIFY_ACL) - || checkAccess(user, userGroups, ACLType.DAG_MODIFY_ACL); + public boolean checkDAGModifyAccess(UserGroupInformation ugi) { + return checkAccess(ugi, ACLType.AM_MODIFY_ACL) + || checkAccess(ugi, ACLType.DAG_MODIFY_ACL); } public Map toYARNACls() { http://git-wip-us.apache.org/repos/asf/tez/blob/edb841c0/tez-api/src/test/java/org/apache/tez/common/security/TestACLManager.java ---------------------------------------------------------------------- diff --git a/tez-api/src/test/java/org/apache/tez/common/security/TestACLManager.java b/tez-api/src/test/java/org/apache/tez/common/security/TestACLManager.java index 7ad4ede..bc35b51 100644 --- a/tez-api/src/test/java/org/apache/tez/common/security/TestACLManager.java +++ b/tez-api/src/test/java/org/apache/tez/common/security/TestACLManager.java 
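Review bot: checkAccess now derives both the principal and its group list from the UGI, but the hunk documents neither of the two behaviours a caller has to know: with `aclsEnabled` false it returns true before `ugi` is touched at all, and with ACLs enabled an empty result from `ugi.getGroupNames()` — which, if I recall the Hadoop API correctly, is what a failed group lookup yields rather than an exception — silently makes every group-based ACL entry deny. Both are fail-closed and acceptable, but they belong in a Javadoc on the method, e.g. `/** Returns true if {@code ugi} may perform {@code aclType}: unconditionally when ACLs are disabled, otherwise by matching the short user name and the UGI's resolved groups (an empty group list only ever narrows access). */`. A null `ugi` with ACLs enabled fails with an NPE at `ugi.getShortUserName()`; the RPC caller changed in this commit passes `UserGroupInformation.getCurrentUser()`, so that is fine there, but a `Preconditions.checkNotNull(ugi, "ugi")` as the first statement would make the contract explicit (the `@VisibleForTesting` annotation shows Guava is already a dependency of this file). The method body continues past the end of this hunk.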
@@ -23,6 +23,7 @@ import java.util.Map; import java.util.Set; import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.yarn.api.records.ApplicationAccessType; import org.apache.tez.dag.api.TezConfiguration; import org.apache.tez.dag.api.TezConstants; 
@@ -33,138 +34,141 @@ import com.google.common.collect.Sets; public class TestACLManager { - private static final Set noGroups = Sets.newHashSet(); + private static final String[] noGroups = new String[0]; @Test public void testCurrentUserACLChecks() { - String currentUser = "currentUser"; - ACLManager aclManager = new ACLManager(currentUser); + UserGroupInformation currentUser = UserGroupInformation.createUserForTesting("currentUser", noGroups); + UserGroupInformation dagUser = UserGroupInformation.createUserForTesting("dagUser", noGroups); + UserGroupInformation user1 = UserGroupInformation.createUserForTesting("user1", noGroups); - String user = "user1"; - Assert.assertFalse(aclManager.checkAccess(user, null, ACLType.AM_VIEW_ACL)); - Assert.assertFalse(aclManager.checkAccess(user, null, ACLType.AM_MODIFY_ACL)); + ACLManager aclManager = new ACLManager(currentUser.getShortUserName()); + + UserGroupInformation user = user1; + + Assert.assertFalse(aclManager.checkAccess(user, ACLType.AM_VIEW_ACL)); + Assert.assertFalse(aclManager.checkAccess(user, ACLType.AM_MODIFY_ACL)); user = currentUser; - Assert.assertTrue(aclManager.checkAccess(user, null, ACLType.AM_VIEW_ACL)); - Assert.assertTrue(aclManager.checkAccess(user, null, ACLType.AM_MODIFY_ACL)); + Assert.assertTrue(aclManager.checkAccess(user, ACLType.AM_VIEW_ACL)); + Assert.assertTrue(aclManager.checkAccess(user, ACLType.AM_MODIFY_ACL)); - aclManager = new ACLManager(currentUser, new Configuration(false)); + aclManager = new ACLManager(currentUser.getShortUserName(), new Configuration(false)); - user = "user1"; - Assert.assertFalse(aclManager.checkAccess(user, null, ACLType.AM_VIEW_ACL)); - Assert.assertFalse(aclManager.checkAccess(user, null, ACLType.AM_MODIFY_ACL)); + user = user1; + Assert.assertFalse(aclManager.checkAccess(user, ACLType.AM_VIEW_ACL)); + Assert.assertFalse(aclManager.checkAccess(user, ACLType.AM_MODIFY_ACL)); user = currentUser; - Assert.assertTrue(aclManager.checkAccess(user, null, 
ACLType.AM_VIEW_ACL)); - Assert.assertTrue(aclManager.checkAccess(user, null, ACLType.AM_MODIFY_ACL)); + Assert.assertTrue(aclManager.checkAccess(user, ACLType.AM_VIEW_ACL)); + Assert.assertTrue(aclManager.checkAccess(user, ACLType.AM_MODIFY_ACL)); - String dagUser = "dagUser"; - ACLManager dagAclManager = new ACLManager(aclManager, dagUser, new Configuration(false)); + ACLManager dagAclManager = new ACLManager(aclManager, dagUser.getShortUserName(), new Configuration(false)); user = dagUser; - Assert.assertFalse(dagAclManager.checkAccess(user, null, ACLType.AM_VIEW_ACL)); - Assert.assertFalse(dagAclManager.checkAccess(user, null, ACLType.AM_MODIFY_ACL)); - Assert.assertTrue(dagAclManager.checkAccess(user, null, ACLType.DAG_VIEW_ACL)); - Assert.assertTrue(dagAclManager.checkAccess(user, null, ACLType.DAG_MODIFY_ACL)); - user = "user1"; - Assert.assertFalse(dagAclManager.checkAccess(user, null, ACLType.DAG_VIEW_ACL)); - Assert.assertFalse(dagAclManager.checkAccess(user, null, ACLType.DAG_MODIFY_ACL)); + Assert.assertFalse(dagAclManager.checkAccess(user, ACLType.AM_VIEW_ACL)); + Assert.assertFalse(dagAclManager.checkAccess(user, ACLType.AM_MODIFY_ACL)); + Assert.assertTrue(dagAclManager.checkAccess(user, ACLType.DAG_VIEW_ACL)); + Assert.assertTrue(dagAclManager.checkAccess(user, ACLType.DAG_MODIFY_ACL)); + user = user1; + Assert.assertFalse(dagAclManager.checkAccess(user, ACLType.DAG_VIEW_ACL)); + Assert.assertFalse(dagAclManager.checkAccess(user, ACLType.DAG_MODIFY_ACL)); } @Test public void testOtherUserACLChecks() throws IOException { - Set groups1 = Sets.newHashSet("grp1", "grp2"); - Set groups2 = Sets.newHashSet("grp3", "grp4"); - Set groups3 = Sets.newHashSet("grp5", "grp6"); - - String currentUser = "currentUser"; - String user1 = "user1"; // belongs to grp1 and grp2 - String user2 = "user2"; // belongs to grp3 and grp4 - String user3 = "user3"; - String user4 = "user4"; - String user5 = "user5"; // belongs to grp5 and grp6 - String user6 = "user6"; + String[] 
groups1 = new String[] {"grp1", "grp2"}; + String[] groups2 = new String[] {"grp3", "grp4"}; + String[] groups3 = new String[] {"grp5", "grp6"}; + + UserGroupInformation currentUser = UserGroupInformation.createUserForTesting("currentUser", noGroups); + UserGroupInformation user1 = UserGroupInformation.createUserForTesting("user1", groups1); // belongs to grp1 and grp2 + UserGroupInformation user2 = UserGroupInformation.createUserForTesting("user2", groups2); // belongs to grp3 and grp4 + UserGroupInformation user3 = UserGroupInformation.createUserForTesting("user3", noGroups); + UserGroupInformation user4 = UserGroupInformation.createUserForTesting("user4", noGroups); + UserGroupInformation user5 = UserGroupInformation.createUserForTesting("user5", groups3); // belongs to grp5 and grp6 + UserGroupInformation user6 = UserGroupInformation.createUserForTesting("user6", noGroups); Configuration conf = new Configuration(false); // View ACLs: user1, user4, grp3, grp4. - String viewACLs = user1 + "," + user4 + String viewACLs = user1.getShortUserName() + "," + user4.getShortUserName() + " " + "grp3,grp4 "; // Modify ACLs: user3, grp6, grp7 - String modifyACLs = user3 + " " + "grp6,grp7"; + String modifyACLs = user3.getShortUserName() + " " + "grp6,grp7"; conf.set(TezConfiguration.TEZ_AM_VIEW_ACLS, viewACLs); conf.set(TezConfiguration.TEZ_AM_MODIFY_ACLS, modifyACLs); - ACLManager aclManager = new ACLManager(currentUser, conf); - - Assert.assertTrue(aclManager.checkAccess(currentUser, null, ACLType.AM_VIEW_ACL)); - Assert.assertTrue(aclManager.checkAccess(user1, groups1, ACLType.AM_VIEW_ACL)); - Assert.assertTrue(aclManager.checkAccess(user2, groups2, ACLType.AM_VIEW_ACL)); - Assert.assertFalse(aclManager.checkAccess(user3, noGroups, ACLType.AM_VIEW_ACL)); - Assert.assertTrue(aclManager.checkAccess(user4, noGroups, ACLType.AM_VIEW_ACL)); - Assert.assertFalse(aclManager.checkAccess(user5, groups3, ACLType.AM_VIEW_ACL)); - Assert.assertFalse(aclManager.checkAccess(user6, 
noGroups, ACLType.AM_VIEW_ACL)); - - Assert.assertTrue(aclManager.checkAccess(currentUser, null, ACLType.AM_MODIFY_ACL)); - Assert.assertFalse(aclManager.checkAccess(user1, groups1, ACLType.AM_MODIFY_ACL)); - Assert.assertFalse(aclManager.checkAccess(user2, groups2, ACLType.AM_MODIFY_ACL)); - Assert.assertTrue(aclManager.checkAccess(user3, noGroups, ACLType.AM_MODIFY_ACL)); - Assert.assertFalse(aclManager.checkAccess(user4, noGroups, ACLType.AM_MODIFY_ACL)); - Assert.assertTrue(aclManager.checkAccess(user5, groups3, ACLType.AM_MODIFY_ACL)); - Assert.assertFalse(aclManager.checkAccess(user6, noGroups, ACLType.AM_MODIFY_ACL)); + ACLManager aclManager = new ACLManager(currentUser.getShortUserName(), conf); + + Assert.assertTrue(aclManager.checkAccess(currentUser, ACLType.AM_VIEW_ACL)); + Assert.assertTrue(aclManager.checkAccess(user1, ACLType.AM_VIEW_ACL)); + Assert.assertTrue(aclManager.checkAccess(user2, ACLType.AM_VIEW_ACL)); + Assert.assertFalse(aclManager.checkAccess(user3, ACLType.AM_VIEW_ACL)); + Assert.assertTrue(aclManager.checkAccess(user4, ACLType.AM_VIEW_ACL)); + Assert.assertFalse(aclManager.checkAccess(user5, ACLType.AM_VIEW_ACL)); + Assert.assertFalse(aclManager.checkAccess(user6, ACLType.AM_VIEW_ACL)); + + Assert.assertTrue(aclManager.checkAccess(currentUser, ACLType.AM_MODIFY_ACL)); + Assert.assertFalse(aclManager.checkAccess(user1, ACLType.AM_MODIFY_ACL)); + Assert.assertFalse(aclManager.checkAccess(user2, ACLType.AM_MODIFY_ACL)); + Assert.assertTrue(aclManager.checkAccess(user3, ACLType.AM_MODIFY_ACL)); + Assert.assertFalse(aclManager.checkAccess(user4, ACLType.AM_MODIFY_ACL)); + Assert.assertTrue(aclManager.checkAccess(user5, ACLType.AM_MODIFY_ACL)); + Assert.assertFalse(aclManager.checkAccess(user6, ACLType.AM_MODIFY_ACL)); } @Test public void testNoGroupsACLChecks() throws IOException { - Set groups1 = Sets.newHashSet("grp1", "grp2"); - Set groups2 = Sets.newHashSet("grp3", "grp4"); - Set groups3 = Sets.newHashSet("grp5", "grp6"); - - String 
currentUser = "currentUser"; - String user1 = "user1"; // belongs to grp1 and grp2 - String user2 = "user2"; // belongs to grp3 and grp4 - String user3 = "user3"; - String user4 = "user4"; - String user5 = "user5"; // belongs to grp5 and grp6 - String user6 = "user6"; + String[] groups1 = new String[] {"grp1", "grp2"}; + String[] groups2 = new String[] {"grp3", "grp4"}; + String[] groups3 = new String[] {"grp5", "grp6"}; + + UserGroupInformation currentUser = UserGroupInformation.createUserForTesting("currentUser", noGroups); + UserGroupInformation user1 = UserGroupInformation.createUserForTesting("user1", groups1); // belongs to grp1 and grp2 + UserGroupInformation user2 = UserGroupInformation.createUserForTesting("user2", groups2); // belongs to grp3 and grp4 + UserGroupInformation user3 = UserGroupInformation.createUserForTesting("user3", noGroups); + UserGroupInformation user4 = UserGroupInformation.createUserForTesting("user4", noGroups); + UserGroupInformation user5 = UserGroupInformation.createUserForTesting("user5", groups3); // belongs to grp5 and grp6 + UserGroupInformation user6 = UserGroupInformation.createUserForTesting("user6", noGroups); Configuration conf = new Configuration(false); // View ACLs: user1, user4 - String viewACLs = user1 + "," + user4 + " "; + String viewACLs = user1.getShortUserName() + "," + user4.getShortUserName() + " "; // Modify ACLs: user3 - String modifyACLs = "user3 "; + String modifyACLs = user3.getShortUserName() + " "; conf.set(TezConfiguration.TEZ_AM_VIEW_ACLS, viewACLs); conf.set(TezConfiguration.TEZ_AM_MODIFY_ACLS, modifyACLs); - ACLManager aclManager = new ACLManager(currentUser, conf); - Assert.assertTrue(aclManager.checkAccess(currentUser, null, ACLType.AM_VIEW_ACL)); - Assert.assertTrue(aclManager.checkAccess(user1, groups1, ACLType.AM_VIEW_ACL)); - Assert.assertFalse(aclManager.checkAccess(user2, groups2, ACLType.AM_VIEW_ACL)); - Assert.assertFalse(aclManager.checkAccess(user3, noGroups, ACLType.AM_VIEW_ACL)); - 
Assert.assertTrue(aclManager.checkAccess(user4, noGroups, ACLType.AM_VIEW_ACL)); - Assert.assertFalse(aclManager.checkAccess(user5, groups3, ACLType.AM_VIEW_ACL)); - Assert.assertFalse(aclManager.checkAccess(user6, noGroups, ACLType.AM_VIEW_ACL)); - - Assert.assertTrue(aclManager.checkAccess(currentUser, null, ACLType.AM_MODIFY_ACL)); - Assert.assertFalse(aclManager.checkAccess(user1, groups1, ACLType.AM_MODIFY_ACL)); - Assert.assertFalse(aclManager.checkAccess(user2, groups2, ACLType.AM_MODIFY_ACL)); - Assert.assertTrue(aclManager.checkAccess(user3, noGroups, ACLType.AM_MODIFY_ACL)); - Assert.assertFalse(aclManager.checkAccess(user4, noGroups, ACLType.AM_MODIFY_ACL)); - Assert.assertFalse(aclManager.checkAccess(user5, groups3, ACLType.AM_MODIFY_ACL)); - Assert.assertFalse(aclManager.checkAccess(user6, noGroups, ACLType.AM_MODIFY_ACL)); + ACLManager aclManager = new ACLManager(currentUser.getShortUserName(), conf); + Assert.assertTrue(aclManager.checkAccess(currentUser, ACLType.AM_VIEW_ACL)); + Assert.assertTrue(aclManager.checkAccess(user1, ACLType.AM_VIEW_ACL)); + Assert.assertFalse(aclManager.checkAccess(user2, ACLType.AM_VIEW_ACL)); + Assert.assertFalse(aclManager.checkAccess(user3, ACLType.AM_VIEW_ACL)); + Assert.assertTrue(aclManager.checkAccess(user4, ACLType.AM_VIEW_ACL)); + Assert.assertFalse(aclManager.checkAccess(user5, ACLType.AM_VIEW_ACL)); + Assert.assertFalse(aclManager.checkAccess(user6, ACLType.AM_VIEW_ACL)); + + Assert.assertTrue(aclManager.checkAccess(currentUser, ACLType.AM_MODIFY_ACL)); + Assert.assertFalse(aclManager.checkAccess(user1, ACLType.AM_MODIFY_ACL)); + Assert.assertFalse(aclManager.checkAccess(user2, ACLType.AM_MODIFY_ACL)); + Assert.assertTrue(aclManager.checkAccess(user3, ACLType.AM_MODIFY_ACL)); + Assert.assertFalse(aclManager.checkAccess(user4, ACLType.AM_MODIFY_ACL)); + Assert.assertFalse(aclManager.checkAccess(user5, ACLType.AM_MODIFY_ACL)); + Assert.assertFalse(aclManager.checkAccess(user6, ACLType.AM_MODIFY_ACL)); } @Test 
public void checkAMACLs() throws IOException { - Set groups1 = Sets.newHashSet("grp1", "grp2"); - Set groups2 = Sets.newHashSet("grp3", "grp4"); - Set groups3 = Sets.newHashSet("grp5", "grp6"); - - String currentUser = "currentUser"; - String user1 = "user1"; // belongs to grp1 and grp2 - String user2 = "user2"; // belongs to grp3 and grp4 - String user3 = "user3"; - String user4 = "user4"; - String user5 = "user5"; // belongs to grp5 and grp6 - String user6 = "user6"; + String[] groups1 = new String[] {"grp1", "grp2"}; + String[] groups2 = new String[] {"grp3", "grp4"}; + String[] groups3 = new String[] {"grp5", "grp6"}; + + UserGroupInformation currentUser = UserGroupInformation.createUserForTesting("currentUser", noGroups); + UserGroupInformation user1 = UserGroupInformation.createUserForTesting("user1", groups1); // belongs to grp1 and grp2 + UserGroupInformation user2 = UserGroupInformation.createUserForTesting("user2", groups2); // belongs to grp3 and grp4 + UserGroupInformation user3 = UserGroupInformation.createUserForTesting("user3", noGroups); + UserGroupInformation user4 = UserGroupInformation.createUserForTesting("user4", noGroups); + UserGroupInformation user5 = UserGroupInformation.createUserForTesting("user5", groups3); // belongs to grp5 and grp6 + UserGroupInformation user6 = UserGroupInformation.createUserForTesting("user6", noGroups); Configuration conf = new Configuration(false); // View ACLs: user1, user4, grp3, grp4. 
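Review bot: Every `Sets.newHashSet(...)` call in this hunk is removed, yet `import com.google.common.collect.Sets;` (this hunk's header context) and `import java.util.Set;` (kept as context in the `@@ -23` hunk) stay; unless a use survives outside the shown hunks, both imports are now dead and should go with this change. The same seven `UserGroupInformation.createUserForTesting(...)` lines with their `// belongs to …` comments are pasted into testOtherUserACLChecks, testNoGroupsACLChecks, checkAMACLs and checkDAGACLs (here and again in the `@@ -174` and `@@ -239` hunks); a one-line helper such as `private static UserGroupInformation user(String name, String... groups) { return UserGroupInformation.createUserForTesting(name, groups); }` plus a single fixture method building the six users would keep the group memberships in one place and make a future change to them a one-line edit.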
@@ -174,55 +178,55 @@ public class TestACLManager { conf.set(TezConfiguration.TEZ_AM_VIEW_ACLS, viewACLs); conf.set(TezConfiguration.TEZ_AM_MODIFY_ACLS, modifyACLs); - ACLManager aclManager = new ACLManager(currentUser, conf); - - Assert.assertTrue(aclManager.checkAMViewAccess(currentUser, null)); - Assert.assertTrue(aclManager.checkAMViewAccess(user1, groups1)); - Assert.assertTrue(aclManager.checkAMViewAccess(user2, groups2)); - Assert.assertFalse(aclManager.checkAMViewAccess(user3, noGroups)); - Assert.assertTrue(aclManager.checkAMViewAccess(user4, noGroups)); - Assert.assertFalse(aclManager.checkAMViewAccess(user5, groups3)); - Assert.assertFalse(aclManager.checkAMViewAccess(user6, noGroups)); - - Assert.assertTrue(aclManager.checkAMModifyAccess(currentUser, null)); - Assert.assertFalse(aclManager.checkAMModifyAccess(user1, groups1)); - Assert.assertFalse(aclManager.checkAMModifyAccess(user2, groups2)); - Assert.assertTrue(aclManager.checkAMModifyAccess(user3, noGroups)); - Assert.assertFalse(aclManager.checkAMModifyAccess(user4, noGroups)); - Assert.assertTrue(aclManager.checkAMModifyAccess(user5, groups3)); - Assert.assertFalse(aclManager.checkAMModifyAccess(user6, noGroups)); - - Assert.assertTrue(aclManager.checkDAGViewAccess(currentUser, null)); - Assert.assertTrue(aclManager.checkDAGViewAccess(user1, groups1)); - Assert.assertTrue(aclManager.checkDAGViewAccess(user2, groups2)); - Assert.assertFalse(aclManager.checkDAGViewAccess(user3, noGroups)); - Assert.assertTrue(aclManager.checkDAGViewAccess(user4, noGroups)); - Assert.assertFalse(aclManager.checkDAGViewAccess(user5, groups3)); - Assert.assertFalse(aclManager.checkDAGViewAccess(user6, noGroups)); - - Assert.assertTrue(aclManager.checkDAGModifyAccess(currentUser, null)); - Assert.assertFalse(aclManager.checkDAGModifyAccess(user1, groups1)); - Assert.assertFalse(aclManager.checkDAGModifyAccess(user2, groups2)); - Assert.assertTrue(aclManager.checkDAGModifyAccess(user3, noGroups)); - 
Assert.assertFalse(aclManager.checkDAGModifyAccess(user4, noGroups)); - Assert.assertTrue(aclManager.checkDAGModifyAccess(user5, groups3)); - Assert.assertFalse(aclManager.checkDAGModifyAccess(user6, noGroups)); + ACLManager aclManager = new ACLManager(currentUser.getShortUserName(), conf); + + Assert.assertTrue(aclManager.checkAMViewAccess(currentUser)); + Assert.assertTrue(aclManager.checkAMViewAccess(user1)); + Assert.assertTrue(aclManager.checkAMViewAccess(user2)); + Assert.assertFalse(aclManager.checkAMViewAccess(user3)); + Assert.assertTrue(aclManager.checkAMViewAccess(user4)); + Assert.assertFalse(aclManager.checkAMViewAccess(user5)); + Assert.assertFalse(aclManager.checkAMViewAccess(user6)); + + Assert.assertTrue(aclManager.checkAMModifyAccess(currentUser)); + Assert.assertFalse(aclManager.checkAMModifyAccess(user1)); + Assert.assertFalse(aclManager.checkAMModifyAccess(user2)); + Assert.assertTrue(aclManager.checkAMModifyAccess(user3)); + Assert.assertFalse(aclManager.checkAMModifyAccess(user4)); + Assert.assertTrue(aclManager.checkAMModifyAccess(user5)); + Assert.assertFalse(aclManager.checkAMModifyAccess(user6)); + + Assert.assertTrue(aclManager.checkDAGViewAccess(currentUser)); + Assert.assertTrue(aclManager.checkDAGViewAccess(user1)); + Assert.assertTrue(aclManager.checkDAGViewAccess(user2)); + Assert.assertFalse(aclManager.checkDAGViewAccess(user3)); + Assert.assertTrue(aclManager.checkDAGViewAccess(user4)); + Assert.assertFalse(aclManager.checkDAGViewAccess(user5)); + Assert.assertFalse(aclManager.checkDAGViewAccess(user6)); + + Assert.assertTrue(aclManager.checkDAGModifyAccess(currentUser)); + Assert.assertFalse(aclManager.checkDAGModifyAccess(user1)); + Assert.assertFalse(aclManager.checkDAGModifyAccess(user2)); + Assert.assertTrue(aclManager.checkDAGModifyAccess(user3)); + Assert.assertFalse(aclManager.checkDAGModifyAccess(user4)); + Assert.assertTrue(aclManager.checkDAGModifyAccess(user5)); + 
Assert.assertFalse(aclManager.checkDAGModifyAccess(user6)); } @Test public void checkDAGACLs() throws IOException { - Set groups1 = Sets.newHashSet("grp1", "grp2"); - Set groups2 = Sets.newHashSet("grp3", "grp4"); - Set groups3 = Sets.newHashSet("grp5", "grp6"); - - String currentUser = "currentUser"; - String user1 = "user1"; // belongs to grp1 and grp2 - String user2 = "user2"; // belongs to grp3 and grp4 - String user3 = "user3"; - String user4 = "user4"; - String user5 = "user5"; // belongs to grp5 and grp6 - String user6 = "user6"; + String[] groups1 = new String[] {"grp1", "grp2"}; + String[] groups2 = new String[] {"grp3", "grp4"}; + String[] groups3 = new String[] {"grp5", "grp6"}; + + UserGroupInformation currentUser = UserGroupInformation.createUserForTesting("currentUser", noGroups); + UserGroupInformation user1 = UserGroupInformation.createUserForTesting("user1", groups1); // belongs to grp1 and grp2 + UserGroupInformation user2 = UserGroupInformation.createUserForTesting("user2", groups2); // belongs to grp3 and grp4 + UserGroupInformation user3 = UserGroupInformation.createUserForTesting("user3", noGroups); + UserGroupInformation user4 = UserGroupInformation.createUserForTesting("user4", noGroups); + UserGroupInformation user5 = UserGroupInformation.createUserForTesting("user5", groups3); // belongs to grp5 and grp6 + UserGroupInformation user6 = UserGroupInformation.createUserForTesting("user6", noGroups); Configuration conf = new Configuration(false); // View ACLs: user1, user4, grp3, grp4. 
@@ -239,46 +243,46 @@ public class TestACLManager { conf.set(TezConstants.TEZ_DAG_VIEW_ACLS, dagViewACLs); conf.set(TezConstants.TEZ_DAG_MODIFY_ACLS, dagModifyACLs); - String dagUser = "dagUser"; - - ACLManager amAclManager = new ACLManager(currentUser, conf); - ACLManager aclManager = new ACLManager(amAclManager, dagUser, conf); - - Assert.assertTrue(aclManager.checkAMViewAccess(currentUser, null)); - Assert.assertFalse(aclManager.checkAMViewAccess(dagUser, null)); - Assert.assertTrue(aclManager.checkAMViewAccess(user1, groups1)); - Assert.assertTrue(aclManager.checkAMViewAccess(user2, groups2)); - Assert.assertFalse(aclManager.checkAMViewAccess(user3, noGroups)); - Assert.assertTrue(aclManager.checkAMViewAccess(user4, noGroups)); - Assert.assertFalse(aclManager.checkAMViewAccess(user5, groups3)); - Assert.assertFalse(aclManager.checkAMViewAccess(user6, noGroups)); - - Assert.assertTrue(aclManager.checkAMModifyAccess(currentUser, null)); - Assert.assertFalse(aclManager.checkAMModifyAccess(dagUser, null)); - Assert.assertFalse(aclManager.checkAMModifyAccess(user1, groups1)); - Assert.assertFalse(aclManager.checkAMModifyAccess(user2, groups2)); - Assert.assertTrue(aclManager.checkAMModifyAccess(user3, noGroups)); - Assert.assertFalse(aclManager.checkAMModifyAccess(user4, noGroups)); - Assert.assertTrue(aclManager.checkAMModifyAccess(user5, groups3)); - Assert.assertFalse(aclManager.checkAMModifyAccess(user6, noGroups)); - - Assert.assertTrue(aclManager.checkDAGViewAccess(currentUser, null)); - Assert.assertTrue(aclManager.checkDAGViewAccess(dagUser, null)); - Assert.assertTrue(aclManager.checkDAGViewAccess(user1, groups1)); - Assert.assertTrue(aclManager.checkDAGViewAccess(user2, groups2)); - Assert.assertFalse(aclManager.checkDAGViewAccess(user3, noGroups)); - Assert.assertTrue(aclManager.checkDAGViewAccess(user4, noGroups)); - Assert.assertTrue(aclManager.checkDAGViewAccess(user5, groups3)); - Assert.assertTrue(aclManager.checkDAGViewAccess(user6, noGroups)); - - 
Assert.assertTrue(aclManager.checkDAGModifyAccess(currentUser, null)); - Assert.assertTrue(aclManager.checkDAGModifyAccess(dagUser, null)); - Assert.assertFalse(aclManager.checkDAGModifyAccess(user1, groups1)); - Assert.assertFalse(aclManager.checkDAGModifyAccess(user2, groups2)); - Assert.assertTrue(aclManager.checkDAGModifyAccess(user3, noGroups)); - Assert.assertFalse(aclManager.checkDAGModifyAccess(user4, noGroups)); - Assert.assertTrue(aclManager.checkDAGModifyAccess(user5, groups3)); - Assert.assertTrue(aclManager.checkDAGModifyAccess(user6, noGroups)); + UserGroupInformation dagUser = UserGroupInformation.createUserForTesting("dagUser", noGroups); + + ACLManager amAclManager = new ACLManager(currentUser.getShortUserName(), conf); + ACLManager aclManager = new ACLManager(amAclManager, dagUser.getShortUserName(), conf); + + Assert.assertTrue(aclManager.checkAMViewAccess(currentUser)); + Assert.assertFalse(aclManager.checkAMViewAccess(dagUser)); + Assert.assertTrue(aclManager.checkAMViewAccess(user1)); + Assert.assertTrue(aclManager.checkAMViewAccess(user2)); + Assert.assertFalse(aclManager.checkAMViewAccess(user3)); + Assert.assertTrue(aclManager.checkAMViewAccess(user4)); + Assert.assertFalse(aclManager.checkAMViewAccess(user5)); + Assert.assertFalse(aclManager.checkAMViewAccess(user6)); + + Assert.assertTrue(aclManager.checkAMModifyAccess(currentUser)); + Assert.assertFalse(aclManager.checkAMModifyAccess(dagUser)); + Assert.assertFalse(aclManager.checkAMModifyAccess(user1)); + Assert.assertFalse(aclManager.checkAMModifyAccess(user2)); + Assert.assertTrue(aclManager.checkAMModifyAccess(user3)); + Assert.assertFalse(aclManager.checkAMModifyAccess(user4)); + Assert.assertTrue(aclManager.checkAMModifyAccess(user5)); + Assert.assertFalse(aclManager.checkAMModifyAccess(user6)); + + Assert.assertTrue(aclManager.checkDAGViewAccess(currentUser)); + Assert.assertTrue(aclManager.checkDAGViewAccess(dagUser)); + Assert.assertTrue(aclManager.checkDAGViewAccess(user1)); + 
Assert.assertTrue(aclManager.checkDAGViewAccess(user2)); + Assert.assertFalse(aclManager.checkDAGViewAccess(user3)); + Assert.assertTrue(aclManager.checkDAGViewAccess(user4)); + Assert.assertTrue(aclManager.checkDAGViewAccess(user5)); + Assert.assertTrue(aclManager.checkDAGViewAccess(user6)); + + Assert.assertTrue(aclManager.checkDAGModifyAccess(currentUser)); + Assert.assertTrue(aclManager.checkDAGModifyAccess(dagUser)); + Assert.assertFalse(aclManager.checkDAGModifyAccess(user1)); + Assert.assertFalse(aclManager.checkDAGModifyAccess(user2)); + Assert.assertTrue(aclManager.checkDAGModifyAccess(user3)); + Assert.assertFalse(aclManager.checkDAGModifyAccess(user4)); + Assert.assertTrue(aclManager.checkDAGModifyAccess(user5)); + Assert.assertTrue(aclManager.checkDAGModifyAccess(user6)); } 
@@ -290,15 +294,18 @@ public class TestACLManager { conf.set(TezConfiguration.TEZ_AM_VIEW_ACLS, viewACLs); conf.set(TezConfiguration.TEZ_AM_MODIFY_ACLS, modifyACLs); - ACLManager aclManager = new ACLManager("a1", conf); - Assert.assertTrue(aclManager.checkAMViewAccess("a1", null)); - Assert.assertTrue(aclManager.checkAMViewAccess("u1", null)); - Assert.assertTrue(aclManager.checkAMModifyAccess("a1", null)); - Assert.assertTrue(aclManager.checkAMModifyAccess("u1", null)); - Assert.assertTrue(aclManager.checkDAGViewAccess("a1", null)); - Assert.assertTrue(aclManager.checkDAGViewAccess("u1", null)); - Assert.assertTrue(aclManager.checkDAGModifyAccess("a1", null)); - Assert.assertTrue(aclManager.checkDAGModifyAccess("u1", null)); + UserGroupInformation a1 = UserGroupInformation.createUserForTesting("a1", noGroups); + UserGroupInformation u1 = UserGroupInformation.createUserForTesting("u1", noGroups); + + ACLManager aclManager = new ACLManager(a1.getShortUserName(), conf); + Assert.assertTrue(aclManager.checkAMViewAccess(a1)); + Assert.assertTrue(aclManager.checkAMViewAccess(u1)); + Assert.assertTrue(aclManager.checkAMModifyAccess(a1)); + Assert.assertTrue(aclManager.checkAMModifyAccess(u1)); + Assert.assertTrue(aclManager.checkDAGViewAccess(a1)); + Assert.assertTrue(aclManager.checkDAGViewAccess(u1)); + Assert.assertTrue(aclManager.checkDAGModifyAccess(a1)); + Assert.assertTrue(aclManager.checkDAGModifyAccess(u1)); } @Test 
@@ -309,25 +316,29 @@ public class TestACLManager {
 String modifyACLs = "a2,u2 ";
 conf.set(TezConfiguration.TEZ_AM_VIEW_ACLS, viewACLs);
 conf.set(TezConfiguration.TEZ_AM_MODIFY_ACLS, modifyACLs);
- ACLManager aclManager = new ACLManager("a1", conf);
- Assert.assertTrue(aclManager.checkAMViewAccess("a1", null));
- Assert.assertTrue(aclManager.checkAMViewAccess("u1", null));
- Assert.assertTrue(aclManager.checkAMModifyAccess("a1", null));
- Assert.assertTrue(aclManager.checkAMModifyAccess("u1", null));
- Assert.assertTrue(aclManager.checkDAGViewAccess("a1", null));
- Assert.assertTrue(aclManager.checkDAGViewAccess("u1", null));
- Assert.assertTrue(aclManager.checkDAGModifyAccess("a1", null));
- Assert.assertTrue(aclManager.checkDAGModifyAccess("u1", null));
+
+ UserGroupInformation a1 = UserGroupInformation.createUserForTesting("a1", noGroups);
+ UserGroupInformation u1 = UserGroupInformation.createUserForTesting("u1", noGroups);
+
+ ACLManager aclManager = new ACLManager(a1.getShortUserName(), conf);
+ Assert.assertTrue(aclManager.checkAMViewAccess(a1));
+ Assert.assertTrue(aclManager.checkAMViewAccess(u1));
+ Assert.assertTrue(aclManager.checkAMModifyAccess(a1));
+ Assert.assertTrue(aclManager.checkAMModifyAccess(u1));
+ Assert.assertTrue(aclManager.checkDAGViewAccess(a1));
+ Assert.assertTrue(aclManager.checkDAGViewAccess(u1));
+ Assert.assertTrue(aclManager.checkDAGModifyAccess(a1));
+ Assert.assertTrue(aclManager.checkDAGModifyAccess(u1));
 ACLManager dagAclManager = new ACLManager(aclManager, "dagUser", null);
- Assert.assertTrue(dagAclManager.checkAMViewAccess("a1", null));
- Assert.assertTrue(dagAclManager.checkAMViewAccess("u1", null));
- Assert.assertTrue(dagAclManager.checkAMModifyAccess("a1", null));
- Assert.assertTrue(dagAclManager.checkAMModifyAccess("u1", null));
- Assert.assertTrue(dagAclManager.checkDAGViewAccess("a1", null));
- Assert.assertTrue(dagAclManager.checkDAGViewAccess("u1", null));
- Assert.assertTrue(dagAclManager.checkDAGModifyAccess("a1", null));
- Assert.assertTrue(dagAclManager.checkDAGModifyAccess("u1", null));
+ Assert.assertTrue(dagAclManager.checkAMViewAccess(a1));
+ Assert.assertTrue(dagAclManager.checkAMViewAccess(u1));
+ Assert.assertTrue(dagAclManager.checkAMModifyAccess(a1));
+ Assert.assertTrue(dagAclManager.checkAMModifyAccess(u1));
+ Assert.assertTrue(dagAclManager.checkDAGViewAccess(a1));
+ Assert.assertTrue(dagAclManager.checkDAGViewAccess(u1));
+ Assert.assertTrue(dagAclManager.checkDAGModifyAccess(a1));
+ Assert.assertTrue(dagAclManager.checkDAGModifyAccess(u1));
 }
 @Test
http://git-wip-us.apache.org/repos/asf/tez/blob/edb841c0/tez-dag/src/main/java/org/apache/tez/dag/api/client/rpc/DAGClientAMProtocolBlockingPBServerImpl.java
----------------------------------------------------------------------
diff --git a/tez-dag/src/main/java/org/apache/tez/dag/api/client/rpc/DAGClientAMProtocolBlockingPBServerImpl.java b/tez-dag/src/main/java/org/apache/tez/dag/api/client/rpc/DAGClientAMProtocolBlockingPBServerImpl.java
index 6381b71..c054305 100644
--- a/tez-dag/src/main/java/org/apache/tez/dag/api/client/rpc/DAGClientAMProtocolBlockingPBServerImpl.java
+++ b/tez-dag/src/main/java/org/apache/tez/dag/api/client/rpc/DAGClientAMProtocolBlockingPBServerImpl.java
@@ -62,17 +62,9 @@ public class DAGClientAMProtocolBlockingPBServerImpl implements DAGClientAMProto
 this.real = real;
 }
- private String getRPCUserName() throws ServiceException {
+ private UserGroupInformation getRPCUser() throws ServiceException {
 try {
- return UserGroupInformation.getCurrentUser().getShortUserName();
- } catch (IOException e) {
- throw wrapException(e);
- }
- }
-
- private List getRPCUserGroups() throws ServiceException {
- try {
- return Arrays.asList(UserGroupInformation.getCurrentUser().getGroupNames());
+ return UserGroupInformation.getCurrentUser();
 } catch (IOException e) {
 throw wrapException(e);
 }
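Review bot: `getRPCUser()` carries no comment explaining why `UserGroupInformation.getCurrentUser()` identifies the remote caller rather than the AM's own login identity; that holds only because the Hadoop IPC server runs each handler inside the authenticated connection's `doAs()`, which is invisible in this file, and every access check below now depends on it. Suggested Javadoc: `/** Returns the UGI of the remote RPC caller. Correct only when invoked on an IPC handler thread, where the server has already switched to the caller's UGI; never call from AM-internal threads, where it would return the AM's own user. */`. With `getRPCUserGroups()` removed, the `Arrays` and `List` imports are presumably unused now (the import block lies outside this hunk) and could be dropped if nothing else in the file needs them.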
@@ -81,8 +73,8 @@ public class DAGClientAMProtocolBlockingPBServerImpl implements DAGClientAMProto
 @Override
 public GetAllDAGsResponseProto getAllDAGs(RpcController controller, GetAllDAGsRequestProto request) throws ServiceException {
- String user = getRPCUserName();
- if (!real.getACLManager().checkAMViewAccess(user, getRPCUserGroups())) {
+ UserGroupInformation user = getRPCUser();
+ if (!real.getACLManager().checkAMViewAccess(user)) {
 throw new AccessControlException("User " + user + " cannot perform AM view operation");
 }
 try{
@@ -96,10 +88,10 @@ public class DAGClientAMProtocolBlockingPBServerImpl implements DAGClientAMProto
 @Override
 public GetDAGStatusResponseProto getDAGStatus(RpcController controller, GetDAGStatusRequestProto request) throws ServiceException {
- String user = getRPCUserName();
+ UserGroupInformation user = getRPCUser();
 try {
 String dagId = request.getDagId();
- if (!real.getACLManager(dagId).checkDAGViewAccess(user, getRPCUserGroups())) {
+ if (!real.getACLManager(dagId).checkDAGViewAccess(user)) {
 throw new AccessControlException("User " + user + " cannot perform DAG view operation");
 }
 DAGStatus status;
@@ -118,10 +110,10 @@ public class DAGClientAMProtocolBlockingPBServerImpl implements DAGClientAMProto
 @Override
 public GetVertexStatusResponseProto getVertexStatus(RpcController controller, GetVertexStatusRequestProto request) throws ServiceException {
- String user = getRPCUserName();
+ UserGroupInformation user = getRPCUser();
 try {
 String dagId = request.getDagId();
- if (!real.getACLManager(dagId).checkDAGViewAccess(user, getRPCUserGroups())) {
+ if (!real.getACLManager(dagId).checkDAGViewAccess(user)) {
 throw new AccessControlException("User " + user + " cannot perform DAG view operation");
 }
 String vertexName = request.getVertexName();
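Review bot: In `throw new AccessControlException("User " + user + " cannot perform AM view operation")` the `user` operand is now a `UserGroupInformation`, so the message is built from `UserGroupInformation.toString()` rather than the short user name the removed `getRPCUserName()` produced; to my reading of Hadoop's UGI that string includes the full principal, the authentication method and any proxy real user (`... via ...`), which silently changes what clients and logs see. The same unchanged throw line sits in the -96 and -118 hunks here and in the -140, -156, -181 and -192 hunks below. If the previous wording is intended, write `"User " + user.getShortUserName() + " cannot perform AM view operation"` (or `getUserName()` where the full principal is wanted); since this message travels back over RPC to the denied caller, it is best kept to the identity the caller already presented.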
@@ -140,10 +132,10 @@ public class DAGClientAMProtocolBlockingPBServerImpl implements DAGClientAMProto
 @Override
 public TryKillDAGResponseProto tryKillDAG(RpcController controller, TryKillDAGRequestProto request) throws ServiceException {
- String user = getRPCUserName();
+ UserGroupInformation user = getRPCUser();
 try {
 String dagId = request.getDagId();
- if (!real.getACLManager(dagId).checkDAGModifyAccess(user, getRPCUserGroups())) {
+ if (!real.getACLManager(dagId).checkDAGModifyAccess(user)) {
 throw new AccessControlException("User " + user + " cannot perform DAG modify operation");
 }
 real.tryKillDAG(dagId);
@@ -156,8 +148,8 @@ public class DAGClientAMProtocolBlockingPBServerImpl implements DAGClientAMProto
 @Override
 public SubmitDAGResponseProto submitDAG(RpcController controller, SubmitDAGRequestProto request) throws ServiceException {
- String user = getRPCUserName();
- if (!real.getACLManager().checkAMModifyAccess(user, getRPCUserGroups())) {
+ UserGroupInformation user = getRPCUser();
+ if (!real.getACLManager().checkAMModifyAccess(user)) {
 throw new AccessControlException("User " + user + " cannot perform AM modify operation");
 }
 try{
@@ -181,8 +173,8 @@ public class DAGClientAMProtocolBlockingPBServerImpl implements DAGClientAMProto
 @Override
 public ShutdownSessionResponseProto shutdownSession(RpcController arg0, ShutdownSessionRequestProto arg1) throws ServiceException {
- String user = getRPCUserName();
- if (!real.getACLManager().checkAMModifyAccess(user, getRPCUserGroups())) {
+ UserGroupInformation user = getRPCUser();
+ if (!real.getACLManager().checkAMModifyAccess(user)) {
 throw new AccessControlException("User " + user + " cannot perform AM modify operation");
 }
 real.shutdownAM();
@@ -192,8 +184,8 @@ public class DAGClientAMProtocolBlockingPBServerImpl implements DAGClientAMProto
 @Override
 public GetAMStatusResponseProto getAMStatus(RpcController controller, GetAMStatusRequestProto request) throws ServiceException {
- String user = getRPCUserName();
- if (!real.getACLManager().checkAMViewAccess(user, getRPCUserGroups())) {
+ UserGroupInformation user = getRPCUser();
+ if (!real.getACLManager().checkAMViewAccess(user)) {
 throw new AccessControlException("User " + user + " cannot perform AM view operation");
 }
 try {