YARN-4833. For Queue AccessControlException client retries multiple times on both RM. Contributed by Bibin A Chundatt

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/RMAppManager.java

@@ -285,7 +285,7 @@ public class RMAppManager implements EventHandler<RMAppManagerEvent>,
   @SuppressWarnings("unchecked")
   protected void submitApplication(
       ApplicationSubmissionContext submissionContext, long submitTime,
-      String user) throws YarnException, AccessControlException {
+      String user) throws YarnException {
     ApplicationId applicationId = submissionContext.getApplicationId();
 
     RMAppImpl application =
@@ -334,8 +334,7 @@ public class RMAppManager implements EventHandler<RMAppManagerEvent>,
 
   private RMAppImpl createAndPopulateNewRMApp(
       ApplicationSubmissionContext submissionContext, long submitTime,
-      String user, boolean isRecovery)
-      throws YarnException, AccessControlException {
+      String user, boolean isRecovery) throws YarnException {
     // Do queue mapping
     if (!isRecovery) {
       if (rmContext.getQueuePlacementManager() != null) {
@@ -378,9 +377,9 @@ public class RMAppManager implements EventHandler<RMAppManagerEvent>,
                   SchedulerUtils.toAccessType(QueueACL.ADMINISTER_QUEUE),
                   applicationId.toString(), appName, Server.getRemoteAddress(),
                   null))) {
-        throw new AccessControlException(
+        throw RPCUtil.getRemoteException(new AccessControlException(
             "User " + user + " does not have permission to submit "
-                + applicationId + " to queue " + submissionContext.getQueue());
+                + applicationId + " to queue " + submissionContext.getQueue()));
       }
     }
 

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestAppManager.java

@@ -39,14 +39,18 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.io.DataOutputBuffer;
+import org.apache.hadoop.security.AccessControlException;
 import org.apache.hadoop.security.Credentials;
 import org.apache.hadoop.service.Service;
 import org.apache.hadoop.yarn.MockApps;
+import org.apache.hadoop.yarn.api.protocolrecords.SubmitApplicationRequest;
 import org.apache.hadoop.yarn.api.records.ApplicationAccessType;
 import org.apache.hadoop.yarn.api.records.ApplicationId;
 import org.apache.hadoop.yarn.api.records.ApplicationSubmissionContext;
 import org.apache.hadoop.yarn.api.records.ContainerLaunchContext;
+import org.apache.hadoop.yarn.api.records.Priority;
 import org.apache.hadoop.yarn.api.records.Resource;
+import org.apache.hadoop.yarn.api.records.ResourceRequest;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.event.AsyncDispatcher;
 import org.apache.hadoop.yarn.event.Dispatcher;
@@ -69,8 +73,10 @@ import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.AMLivelinessM
 import org.apache.hadoop.yarn.server.resourcemanager.rmcontainer.ContainerAllocationExpirer;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.ResourceScheduler;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.YarnScheduler;
+import org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.CapacityScheduler;
 import org.apache.hadoop.yarn.server.resourcemanager.security.ClientToAMTokenSecretManagerInRM;
 import org.apache.hadoop.yarn.server.security.ApplicationACLsManager;
+import org.apache.hadoop.yarn.util.Records;
 import org.apache.hadoop.yarn.util.resource.ResourceCalculator;
 import org.apache.hadoop.yarn.util.resource.Resources;
 import org.junit.After;
@@ -275,6 +281,43 @@ public class TestAppManager{
       isA(RMApp.class));
   }
 
+  @Test
+  public void testQueueSubmitWithNoPermission() throws IOException {
+    YarnConfiguration conf = new YarnConfiguration();
+    conf.set(YarnConfiguration.RM_SCHEDULER,
+        CapacityScheduler.class.getCanonicalName());
+    conf.set("yarn.scheduler.capacity.root.acl_submit_applications", " ");
+    conf.set("yarn.scheduler.capacity.root.acl_administer_queue", " ");
+
+    conf.set("yarn.scheduler.capacity.root.default.acl_submit_applications",
+        " ");
+    conf.set("yarn.scheduler.capacity.root.default.acl_administer_queue", " ");
+    conf.set(YarnConfiguration.YARN_ACL_ENABLE, "true");
+    MockRM mockRM = new MockRM(conf);
+    ClientRMService rmService = mockRM.getClientRMService();
+    SubmitApplicationRequest req =
+        Records.newRecord(SubmitApplicationRequest.class);
+    ApplicationSubmissionContext sub =
+        Records.newRecord(ApplicationSubmissionContext.class);
+    sub.setApplicationId(appId);
+    ResourceRequest resReg =
+        ResourceRequest.newInstance(Priority.newInstance(0),
+            ResourceRequest.ANY, Resource.newInstance(1024, 1), 1);
+    sub.setAMContainerResourceRequest(resReg);
+    req.setApplicationSubmissionContext(sub);
+    try {
+      rmService.submitApplication(req);
+    } catch (Exception e) {
+      if (e instanceof YarnException) {
+        Assert.assertTrue(e.getCause() instanceof AccessControlException);
+      } else {
+        Assert.fail("Yarn exception is expected");
+      }
+    } finally {
+      mockRM.close();
+    }
+  }
+
   @Test
   public void testRMAppRetireSome() throws Exception {
     long now = System.currentTimeMillis();