Ejemplo n.º 1
0
        /// <summary>
        /// Construct the jobACLs from the configuration so that they can be kept in
        /// the memory.
        /// </summary>
        /// <remarks>
        /// Construct the jobACLs from the configuration so that they can be kept in
        /// the memory. If authorization is disabled on the JT, nothing is constructed
        /// and an empty map is returned.
        /// </remarks>
        /// <returns>JobACL to AccessControlList map.</returns>
        public virtual IDictionary <JobACL, AccessControlList> ConstructJobACLs(Configuration
                                                                                conf)
        {
            IDictionary <JobACL, AccessControlList> acls = new Dictionary <JobACL, AccessControlList
                                                                           >();

            // Don't construct anything if authorization is disabled.
            if (!AreACLsEnabled())
            {
                return(acls);
            }
            foreach (JobACL aclName in JobACL.Values())
            {
                string aclConfigName = aclName.GetAclName();
                string aclConfigured = conf.Get(aclConfigName);
                if (aclConfigured == null)
                {
                    // If ACLs are not configured at all, we grant no access to anyone. So
                    // jobOwner and cluster administrator _only_ can do 'stuff'
                    aclConfigured = " ";
                }
                acls[aclName] = new AccessControlList(aclConfigured);
            }
            return(acls);
        }
Ejemplo n.º 2
0
            /// <exception cref="System.IO.IOException"/>
            private Org.Apache.Hadoop.Mapreduce.V2.App.Job.Job VerifyAndGetJob(JobId jobID, bool
                                                                               exceptionThrow)
            {
                UserGroupInformation loginUgi = null;

                Org.Apache.Hadoop.Mapreduce.V2.App.Job.Job job = null;
                try
                {
                    loginUgi = UserGroupInformation.GetLoginUser();
                    job      = loginUgi.DoAs(new _PrivilegedExceptionAction_205(this, jobID));
                }
                catch (Exception e)
                {
                    throw new IOException(e);
                }
                if (job == null && exceptionThrow)
                {
                    throw new IOException("Unknown Job " + jobID);
                }
                if (job != null)
                {
                    JobACL operation = JobACL.ViewJob;
                    this.CheckAccess(job, operation);
                }
                return(job);
            }
Ejemplo n.º 3
0
            /// <exception cref="System.IO.IOException"/>
            private Task VerifyAndGetTask(TaskId taskID, JobACL accessType)
            {
                Task task = this.VerifyAndGetJob(taskID.GetJobId(), accessType, true).GetTask(taskID
                                                                                              );

                if (task == null)
                {
                    throw new IOException("Unknown Task " + taskID);
                }
                return(task);
            }
Ejemplo n.º 4
0
            /// <exception cref="System.IO.IOException"/>
            private TaskAttempt VerifyAndGetAttempt(TaskAttemptId attemptID, JobACL accessType
                                                    )
            {
                TaskAttempt attempt = this.VerifyAndGetTask(attemptID.GetTaskId(), accessType).GetAttempt
                                          (attemptID);

                if (attempt == null)
                {
                    throw new IOException("Unknown TaskAttempt " + attemptID);
                }
                return(attempt);
            }
Ejemplo n.º 5
0
            /// <exception cref="System.IO.IOException"/>
            private void CheckAccess(Org.Apache.Hadoop.Mapreduce.V2.App.Job.Job job, JobACL jobOperation
                                     )
            {
                UserGroupInformation callerUGI;

                callerUGI = UserGroupInformation.GetCurrentUser();
                if (!job.CheckAccess(callerUGI, jobOperation))
                {
                    throw new IOException(new AccessControlException("User " + callerUGI.GetShortUserName
                                                                         () + " cannot perform operation " + jobOperation.ToString() + " on " + job.GetID
                                                                         ()));
                }
            }
Ejemplo n.º 6
0
        public virtual bool CheckAccess(UserGroupInformation callerUGI, JobACL jobOperation
                                        )
        {
            IDictionary <JobACL, AccessControlList> jobACLs = jobInfo.GetJobACLs();
            AccessControlList jobACL = jobACLs[jobOperation];

            if (jobACL == null)
            {
                return(true);
            }
            return(aclsMgr.CheckAccess(callerUGI, jobOperation, jobInfo.GetUsername(), jobACL
                                       ));
        }
Ejemplo n.º 7
0
        /// <summary>Get the acls configured for the job</summary>
        public virtual IDictionary <JobACL, AccessControlList> GetJobAcls()
        {
            IDictionary <JobACL, AccessControlList> jobAcls = new Dictionary <JobACL, AccessControlList
                                                                              >();

            foreach (JobACL jobACL in JobACL.Values())
            {
                Utf8 jobACLsUtf8 = new Utf8(jobACL.GetAclName());
                if (datum.acls.Contains(jobACLsUtf8))
                {
                    jobAcls[jobACL] = new AccessControlList(datum.acls[jobACLsUtf8].ToString());
                }
            }
            return(jobAcls);
        }
Ejemplo n.º 8
0
        /// <summary>
        /// If authorization is enabled, checks whether the user (in the callerUGI)
        /// is authorized to perform the operation specified by 'jobOperation' on
        /// the job by checking if the user is jobOwner or part of job ACL for the
        /// specific job operation.
        /// </summary>
        /// <remarks>
        /// If authorization is enabled, checks whether the user (in the callerUGI)
        /// is authorized to perform the operation specified by 'jobOperation' on
        /// the job by checking if the user is jobOwner or part of job ACL for the
        /// specific job operation.
        /// <ul>
        /// <li>The owner of the job can do any operation on the job</li>
        /// <li>For all other users/groups job-acls are checked</li>
        /// </ul>
        /// </remarks>
        /// <param name="callerUGI"/>
        /// <param name="jobOperation"/>
        /// <param name="jobOwner"/>
        /// <param name="jobACL"/>
        public virtual bool CheckAccess(UserGroupInformation callerUGI, JobACL jobOperation
                                        , string jobOwner, AccessControlList jobACL)
        {
            if (Log.IsDebugEnabled())
            {
                Log.Debug("checkAccess job acls, jobOwner: " + jobOwner + " jobacl: " + jobOperation
                          .ToString() + " user: " + callerUGI.GetShortUserName());
            }
            string user = callerUGI.GetShortUserName();

            if (!AreACLsEnabled())
            {
                return(true);
            }
            // Allow Job-owner for any operation on the job
            if (IsMRAdmin(callerUGI) || user.Equals(jobOwner) || jobACL.IsUserAllowed(callerUGI
                                                                                      ))
            {
                return(true);
            }
            return(false);
        }
Ejemplo n.º 9
0
 public virtual bool CheckAccess(UserGroupInformation callerUGI, JobACL jobOperation
                                 )
 {
     return(true);
 }
Ejemplo n.º 10
0
 public override bool CheckAccess(UserGroupInformation callerUGI, JobACL jobOperation
                                  )
 {
     return(job.CheckAccess(callerUGI, jobOperation));
 }
Ejemplo n.º 11
0
            /// <exception cref="System.IO.IOException"/>
            private Org.Apache.Hadoop.Mapreduce.V2.App.Job.Job VerifyAndGetJob(JobId jobID, JobACL
                                                                               accessType, bool exceptionThrow)
            {
                Org.Apache.Hadoop.Mapreduce.V2.App.Job.Job job = this._enclosing.appContext.GetJob
                                                                     (jobID);
                if (job == null && exceptionThrow)
                {
                    throw new IOException("Unknown Job " + jobID);
                }
                UserGroupInformation ugi = UserGroupInformation.GetCurrentUser();

                if (job != null && !job.CheckAccess(ugi, accessType))
                {
                    throw new AccessControlException("User " + ugi.GetShortUserName() + " cannot perform operation "
                                                     + accessType.ToString() + " on " + jobID);
                }
                return(job);
            }
Ejemplo n.º 12
0
 public virtual bool CheckAccess(UserGroupInformation callerUGI, JobACL jobOperation
                                 )
 {
     return(aclsMgr.CheckAccess(callerUGI, jobOperation, this.GetUserName(), jobAcls[jobOperation
                                ]));
 }
Ejemplo n.º 13
0
 internal Operation(QueueACL qACL, JobACL jobACL)
 {
     this.qACLNeeded   = qACL;
     this.jobACLNeeded = jobACL;
 }