if (!queueManager.hasAccess(queue, operation.qACLNeeded, callerUGI)) {
AuditLogger.logFailure(user, operation.name(),
queueManager.getQueueACL(queue, operation.qACLNeeded).toString(),
targetResource, Constants.UNAUTHORIZED_USER);
throw new AccessControlException("User "
+ callerUGI.getShortUserName() + " cannot perform "
+ "operation " + operation.name() + " on queue " + queue
+ ".\n Please run \"hadoop queue -showacls\" "
+ "command to find the queues you have access to .");
} else {
AuditLogger.logSuccess(user, operation.name(), targetResource);
return;
}
}
// Check if callerUGI is queueAdmin(in some cases only), jobOwner or
// part of job-acl.
// queueManager and queue are null only when called from
// TaskTracker(i.e. from TaskLogServlet) for the operation VIEW_TASK_LOGS.
// Caller of this method takes care of checking if callerUGI is a
// queue administrator for that operation.
if (operation == Operation.VIEW_TASK_LOGS) {
if (jobACLsManager.checkAccess(callerUGI, operation.jobACLNeeded,
jobOwner, jobAcl)) {
AuditLogger.logSuccess(user, operation.name(), targetResource);
return;
}
} else if (queueManager.hasAccess(queue, operation.qACLNeeded, callerUGI) ||
jobACLsManager.checkAccess(callerUGI, operation.jobACLNeeded,
jobOwner, jobAcl)) {
AuditLogger.logSuccess(user, operation.name(), targetResource);
return;
}
AuditLogger.logFailure(user, operation.name(), jobAcl.toString(),
targetResource, Constants.UNAUTHORIZED_USER);
throw new AccessControlException("User "
+ callerUGI.getShortUserName() + " cannot perform operation "
+ operation.name() + " on " + jobId + " that is in the queue "
+ queue);
}