tez-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From hit...@apache.org
Subject tez git commit: TEZ-2135. ACL checks handled incorrectly in AMWebController. (hitesh)
Date Tue, 24 Feb 2015 05:45:18 GMT
Repository: tez
Updated Branches:
  refs/heads/master c9a74d77b -> c78feed0d


TEZ-2135. ACL checks handled incorrectly in AMWebController. (hitesh)


Project: http://git-wip-us.apache.org/repos/asf/tez/repo
Commit: http://git-wip-us.apache.org/repos/asf/tez/commit/c78feed0
Tree: http://git-wip-us.apache.org/repos/asf/tez/tree/c78feed0
Diff: http://git-wip-us.apache.org/repos/asf/tez/diff/c78feed0

Branch: refs/heads/master
Commit: c78feed0d0954650de64b4a514a5218062cdcb6a
Parents: c9a74d7
Author: Hitesh Shah <hitesh@apache.org>
Authored: Mon Feb 23 21:45:05 2015 -0800
Committer: Hitesh Shah <hitesh@apache.org>
Committed: Mon Feb 23 21:45:05 2015 -0800

----------------------------------------------------------------------
 CHANGES.txt                                     |  1 +
 .../apache/tez/common/security/ACLManager.java  |  4 ++
 .../apache/tez/dag/app/web/AMWebController.java | 14 +++---
 .../tez/dag/app/web/TestAMWebController.java    | 47 ++++++++++++++++++--
 4 files changed, 57 insertions(+), 9 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/tez/blob/c78feed0/CHANGES.txt
----------------------------------------------------------------------
diff --git a/CHANGES.txt b/CHANGES.txt
index c2d5e75..bf39b98 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -71,6 +71,7 @@ Release 0.6.1: Unreleased
 INCOMPATIBLE CHANGES
 
 ALL CHANGES:
+  TEZ-2135. ACL checks handled incorrectly in AMWebController.
   TEZ-1990. Tez UI: DAG details page shows Nan for end time when a DAG is running.
   TEZ-2116. Tez UI: dags page filter does not work if more than one filter is specified.
   TEZ-2106. TEZ UI: Display data load time, and add a refresh button for items that can be
refreshed.

http://git-wip-us.apache.org/repos/asf/tez/blob/c78feed0/tez-api/src/main/java/org/apache/tez/common/security/ACLManager.java
----------------------------------------------------------------------
diff --git a/tez-api/src/main/java/org/apache/tez/common/security/ACLManager.java b/tez-api/src/main/java/org/apache/tez/common/security/ACLManager.java
index c6a8f26..f91812e 100644
--- a/tez-api/src/main/java/org/apache/tez/common/security/ACLManager.java
+++ b/tez-api/src/main/java/org/apache/tez/common/security/ACLManager.java
@@ -93,6 +93,10 @@ public class ACLManager {
     }
   }
 
+  public boolean isAclsEnabled() {
+    return aclsEnabled;
+  }
+
   @VisibleForTesting
   boolean checkAccess(UserGroupInformation ugi, ACLType aclType) {
 

http://git-wip-us.apache.org/repos/asf/tez/blob/c78feed0/tez-dag/src/main/java/org/apache/tez/dag/app/web/AMWebController.java
----------------------------------------------------------------------
diff --git a/tez-dag/src/main/java/org/apache/tez/dag/app/web/AMWebController.java b/tez-dag/src/main/java/org/apache/tez/dag/app/web/AMWebController.java
index b3e404a..334df0b 100644
--- a/tez-dag/src/main/java/org/apache/tez/dag/app/web/AMWebController.java
+++ b/tez-dag/src/main/java/org/apache/tez/dag/app/web/AMWebController.java
@@ -139,6 +139,14 @@ public class AMWebController extends Controller {
   }
 
   @VisibleForTesting
+  static boolean _hasAccess(UserGroupInformation callerUGI, AppContext appContext) {
+    if (callerUGI == null) {
+      // Allow anonymous access iff acls disabled
+      return !appContext.getAMACLManager().isAclsEnabled();
+    }
+    return appContext.getAMACLManager().checkDAGViewAccess(callerUGI);
+  }
+
   public boolean hasAccess() {
     String remoteUser = request().getRemoteUser();
     UserGroupInformation callerUGI = null;
@@ -146,11 +154,7 @@ public class AMWebController extends Controller {
       callerUGI = UserGroupInformation.createRemoteUser(remoteUser);
     }
 
-    if (callerUGI != null && appContext.getAMACLManager().checkDAGViewAccess(callerUGI))
{
-      return false;
-    }
-
-    return true;
+    return _hasAccess(callerUGI, appContext);
   }
 
   public void getDagProgress() {

http://git-wip-us.apache.org/repos/asf/tez/blob/c78feed0/tez-dag/src/test/java/org/apache/tez/dag/app/web/TestAMWebController.java
----------------------------------------------------------------------
diff --git a/tez-dag/src/test/java/org/apache/tez/dag/app/web/TestAMWebController.java b/tez-dag/src/test/java/org/apache/tez/dag/app/web/TestAMWebController.java
index 588eb21..fc17d3e 100644
--- a/tez-dag/src/test/java/org/apache/tez/dag/app/web/TestAMWebController.java
+++ b/tez-dag/src/test/java/org/apache/tez/dag/app/web/TestAMWebController.java
@@ -35,7 +35,9 @@ import javax.servlet.http.HttpServletResponse;
 import java.util.Map;
 
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.yarn.webapp.Controller;
+import org.apache.tez.common.security.ACLManager;
 import org.apache.tez.dag.api.TezConfiguration;
 import org.apache.tez.dag.app.AppContext;
 import org.apache.tez.dag.app.dag.DAG;
@@ -53,7 +55,8 @@ public class TestAMWebController {
   AppContext mockAppContext;
   Controller.RequestContext mockRequestContext;
   HttpServletResponse mockResponse;
-  HttpServletRequest mockRequst;
+  HttpServletRequest mockRequest;
+  String[] userGroups = {};
 
   @Before
   public void setup() {
@@ -65,7 +68,7 @@ public class TestAMWebController {
     when(mockAppContext.getAMConf()).thenReturn(conf);
     mockRequestContext = mock(Controller.RequestContext.class);
     mockResponse = mock(HttpServletResponse.class);
-    mockRequst = mock(HttpServletRequest.class);
+    mockRequest = mock(HttpServletRequest.class);
   }
 
   @Test(timeout = 5000)
@@ -92,8 +95,8 @@ public class TestAMWebController {
     doReturn(false).when(spy).hasAccess();
     doNothing().when(spy).setCorsHeaders();
     doReturn(mockResponse).when(spy).response();
-    doReturn(mockRequst).when(spy).request();
-    doReturn("dummyuser").when(mockRequst).getRemoteUser();
+    doReturn(mockRequest).when(spy).request();
+    doReturn("dummyuser").when(mockRequest).getRemoteUser();
 
     spy.getDagProgress();
     verify(mockResponse).sendError(eq(HttpServletResponse.SC_UNAUTHORIZED), anyString());
@@ -166,4 +169,40 @@ public class TestAMWebController {
     Assert.assertTrue("vertex_1422960590892_0007_42_43".equals(progressInfo.getId()));
     Assert.assertEquals(66.0f, progressInfo.getProgress(), 0.1);
   }
+
+  @Test (timeout = 5000)
+  public void testHasAccessWithAclsDisabled() {
+    Configuration conf = new Configuration(false);
+    conf.setBoolean(TezConfiguration.TEZ_AM_ACLS_ENABLED, false);
+    ACLManager aclManager = new ACLManager("amUser", conf);
+
+    when(mockAppContext.getAMACLManager()).thenReturn(aclManager);
+
+    Assert.assertEquals(true, AMWebController._hasAccess(null, mockAppContext));
+
+    UserGroupInformation mockUser = UserGroupInformation.createUserForTesting(
+        "mockUser", userGroups);
+    Assert.assertEquals(true, AMWebController._hasAccess(mockUser, mockAppContext));
+  }
+
+  @Test (timeout = 5000)
+  public void testHasAccess() {
+    Configuration conf = new Configuration(false);
+    conf.setBoolean(TezConfiguration.TEZ_AM_ACLS_ENABLED, true);
+    ACLManager aclManager = new ACLManager("amUser", conf);
+
+    when(mockAppContext.getAMACLManager()).thenReturn(aclManager);
+
+    Assert.assertEquals(false, AMWebController._hasAccess(null, mockAppContext));
+
+    UserGroupInformation mockUser = UserGroupInformation.createUserForTesting(
+        "mockUser", userGroups);
+    Assert.assertEquals(false, AMWebController._hasAccess(mockUser, mockAppContext));
+
+    UserGroupInformation testUser = UserGroupInformation.createUserForTesting(
+        "amUser", userGroups);
+    Assert.assertEquals(true, AMWebController._hasAccess(testUser, mockAppContext));
+  }
+
+
 }


Mime
View raw message