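        /// <summary>
        /// Verifies that the current user is an administrator according to the
        /// supplied <see cref="YarnAuthorizationProvider"/> and records a rejected
        /// attempt in both the log and the audit trail.
        /// </summary>
        /// <remarks>
        /// Both failure paths write to <paramref name="Log"/> and call
        /// <c>RMAuditLogger.LogFailure</c> before an exception propagates, so a
        /// rejected call never hands a user object back to the caller. A successful
        /// check is only written at trace level; this method emits no audit success
        /// record.
        /// </remarks>
        /// <param name="authorizer">
        /// the authorization provider whose <c>IsAdmin</c> decision is enforced
        /// </param>
        /// <param name="method">the method name to be logged</param>
        /// <param name="module">like AdminService or NodeLabelManager</param>
        /// <param name="Log">the logger to use</param>
        /// <returns>
        /// the
        /// <see cref="Org.Apache.Hadoop.Security.UserGroupInformation"/>
        /// of the current user
        /// </returns>
        /// <exception cref="System.IO.IOException">the current user could not be determined</exception>
        /// <exception cref="AccessControlException">the current user is not an administrator</exception>
        public static UserGroupInformation VerifyAdminAccess(YarnAuthorizationProvider authorizer
                                                             , string method, string module, Log Log)
        {
            UserGroupInformation user;

            try
            {
                user = UserGroupInformation.GetCurrentUser();
            }
            catch (IOException ioe)
            {
                Log.Warn("Couldn't get current user", ioe);
                // Attribute the audit record to the caller's module. The previous
                // hard-coded "AdminService" mislabelled failures coming from any
                // other module, which makes the audit trail harder to correlate.
                RMAuditLogger.LogFailure("UNKNOWN", method, string.Empty, module, "Couldn't get current user");
                // Rethrow without resetting the stack trace; the caller sees the original failure.
                throw;
            }
            if (!authorizer.IsAdmin(user))
            {
                // Build the denial text once so the log line and the exception cannot drift apart.
                string shortName = user.GetShortUserName();
                string denial = "User " + shortName + " doesn't have permission" + " to call '" + method + "'";
                Log.Warn(denial);
                RMAuditLogger.LogFailure(shortName, method, string.Empty, module,
                                         RMAuditLogger.AuditConstants.UnauthorizedUser);
                throw new AccessControlException(denial);
            }
            if (Log.IsTraceEnabled())
            {
                Log.Trace(method + " invoked by user " + user.GetShortUserName());
            }
            return user;
        }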
 /// <summary>
 /// Reports whether <paramref name="user"/> is an administrator according to
 /// this instance's <c>authorizer</c>.
 /// </summary>
 /// <remarks>
 /// This only returns the decision: nothing is logged or thrown here, so the
 /// caller is responsible for refusing the operation when the result is false.
 /// </remarks>
 /// <param name="user">the user whose admin status is checked</param>
 /// <returns>true when the authorizer treats the user as an admin; otherwise false</returns>
 public virtual bool CheckAccess(UserGroupInformation user)
 {
     // Only admins may invoke the guarded operation; the authorizer's answer is returned as-is.
     bool isAdmin = authorizer.IsAdmin(user);
     return isAdmin;
 }
        /// <summary>
        /// Rejects the call unless the current user is an administrator according to
        /// this instance's <c>authorizer</c>; an accepted call is logged at info level.
        /// </summary>
        /// <remarks>
        /// Failures are reported through <c>Log.Warn</c> and surfaced as whatever
        /// <c>RPCUtil.GetRemoteException</c> produces. NOTE(review): unlike an
        /// audit-logged check, this method writes only to <c>Log</c>; confirm whether
        /// denied attempts should also reach the audit trail.
        /// </remarks>
        /// <param name="method">the method name to be logged</param>
        /// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException"/>
        private void CheckAcls(string method)
        {
            UserGroupInformation caller;

            try
            {
                caller = UserGroupInformation.GetCurrentUser();
            }
            catch (IOException lookupFailure)
            {
                // Without a resolved identity no authorization decision can be made: fail closed.
                Log.Warn("Couldn't get current user", lookupFailure);
                throw RPCUtil.GetRemoteException(lookupFailure);
            }

            bool permitted = authorizer.IsAdmin(caller);
            if (permitted)
            {
                Log.Info("SCM Admin: " + method + " invoked by user " + caller.GetShortUserName());
                return;
            }

            // Same text goes to the log and into the exception handed back to the remote caller.
            string denial = "User " + caller.GetShortUserName() + " doesn't have permission" + " to call '"
                            + method + "'";
            Log.Warn(denial);
            throw RPCUtil.GetRemoteException(new AccessControlException(denial));
        }