/// <summary> /// Construct the jobACLs from the configuration so that they can be kept in /// the memory. /// </summary> /// <remarks> /// Construct the jobACLs from the configuration so that they can be kept in /// the memory. If authorization is disabled on the JT, nothing is constructed /// and an empty map is returned. /// </remarks> /// <returns>JobACL to AccessControlList map.</returns> public virtual IDictionary <JobACL, AccessControlList> ConstructJobACLs(Configuration conf) { IDictionary <JobACL, AccessControlList> acls = new Dictionary <JobACL, AccessControlList >(); // Don't construct anything if authorization is disabled. if (!AreACLsEnabled()) { return(acls); } foreach (JobACL aclName in JobACL.Values()) { string aclConfigName = aclName.GetAclName(); string aclConfigured = conf.Get(aclConfigName); if (aclConfigured == null) { // If ACLs are not configured at all, we grant no access to anyone. So // jobOwner and cluster administrator _only_ can do 'stuff' aclConfigured = " "; } acls[aclName] = new AccessControlList(aclConfigured); } return(acls); }
/// <exception cref="System.IO.IOException"/> private Org.Apache.Hadoop.Mapreduce.V2.App.Job.Job VerifyAndGetJob(JobId jobID, bool exceptionThrow) { UserGroupInformation loginUgi = null; Org.Apache.Hadoop.Mapreduce.V2.App.Job.Job job = null; try { loginUgi = UserGroupInformation.GetLoginUser(); job = loginUgi.DoAs(new _PrivilegedExceptionAction_205(this, jobID)); } catch (Exception e) { throw new IOException(e); } if (job == null && exceptionThrow) { throw new IOException("Unknown Job " + jobID); } if (job != null) { JobACL operation = JobACL.ViewJob; this.CheckAccess(job, operation); } return(job); }
/// <exception cref="System.IO.IOException"/> private Task VerifyAndGetTask(TaskId taskID, JobACL accessType) { Task task = this.VerifyAndGetJob(taskID.GetJobId(), accessType, true).GetTask(taskID ); if (task == null) { throw new IOException("Unknown Task " + taskID); } return(task); }
/// <exception cref="System.IO.IOException"/> private TaskAttempt VerifyAndGetAttempt(TaskAttemptId attemptID, JobACL accessType ) { TaskAttempt attempt = this.VerifyAndGetTask(attemptID.GetTaskId(), accessType).GetAttempt (attemptID); if (attempt == null) { throw new IOException("Unknown TaskAttempt " + attemptID); } return(attempt); }
/// <exception cref="System.IO.IOException"/> private void CheckAccess(Org.Apache.Hadoop.Mapreduce.V2.App.Job.Job job, JobACL jobOperation ) { UserGroupInformation callerUGI; callerUGI = UserGroupInformation.GetCurrentUser(); if (!job.CheckAccess(callerUGI, jobOperation)) { throw new IOException(new AccessControlException("User " + callerUGI.GetShortUserName () + " cannot perform operation " + jobOperation.ToString() + " on " + job.GetID ())); } }
public virtual bool CheckAccess(UserGroupInformation callerUGI, JobACL jobOperation ) { IDictionary <JobACL, AccessControlList> jobACLs = jobInfo.GetJobACLs(); AccessControlList jobACL = jobACLs[jobOperation]; if (jobACL == null) { return(true); } return(aclsMgr.CheckAccess(callerUGI, jobOperation, jobInfo.GetUsername(), jobACL )); }
/// <summary>Get the acls configured for the job</summary> public virtual IDictionary <JobACL, AccessControlList> GetJobAcls() { IDictionary <JobACL, AccessControlList> jobAcls = new Dictionary <JobACL, AccessControlList >(); foreach (JobACL jobACL in JobACL.Values()) { Utf8 jobACLsUtf8 = new Utf8(jobACL.GetAclName()); if (datum.acls.Contains(jobACLsUtf8)) { jobAcls[jobACL] = new AccessControlList(datum.acls[jobACLsUtf8].ToString()); } } return(jobAcls); }
/// <summary> /// If authorization is enabled, checks whether the user (in the callerUGI) /// is authorized to perform the operation specified by 'jobOperation' on /// the job by checking if the user is jobOwner or part of job ACL for the /// specific job operation. /// </summary> /// <remarks> /// If authorization is enabled, checks whether the user (in the callerUGI) /// is authorized to perform the operation specified by 'jobOperation' on /// the job by checking if the user is jobOwner or part of job ACL for the /// specific job operation. /// <ul> /// <li>The owner of the job can do any operation on the job</li> /// <li>For all other users/groups job-acls are checked</li> /// </ul> /// </remarks> /// <param name="callerUGI"/> /// <param name="jobOperation"/> /// <param name="jobOwner"/> /// <param name="jobACL"/> public virtual bool CheckAccess(UserGroupInformation callerUGI, JobACL jobOperation , string jobOwner, AccessControlList jobACL) { if (Log.IsDebugEnabled()) { Log.Debug("checkAccess job acls, jobOwner: " + jobOwner + " jobacl: " + jobOperation .ToString() + " user: " + callerUGI.GetShortUserName()); } string user = callerUGI.GetShortUserName(); if (!AreACLsEnabled()) { return(true); } // Allow Job-owner for any operation on the job if (IsMRAdmin(callerUGI) || user.Equals(jobOwner) || jobACL.IsUserAllowed(callerUGI )) { return(true); } return(false); }
public virtual bool CheckAccess(UserGroupInformation callerUGI, JobACL jobOperation ) { return(true); }
public override bool CheckAccess(UserGroupInformation callerUGI, JobACL jobOperation ) { return(job.CheckAccess(callerUGI, jobOperation)); }
/// <exception cref="System.IO.IOException"/> private Org.Apache.Hadoop.Mapreduce.V2.App.Job.Job VerifyAndGetJob(JobId jobID, JobACL accessType, bool exceptionThrow) { Org.Apache.Hadoop.Mapreduce.V2.App.Job.Job job = this._enclosing.appContext.GetJob (jobID); if (job == null && exceptionThrow) { throw new IOException("Unknown Job " + jobID); } UserGroupInformation ugi = UserGroupInformation.GetCurrentUser(); if (job != null && !job.CheckAccess(ugi, accessType)) { throw new AccessControlException("User " + ugi.GetShortUserName() + " cannot perform operation " + accessType.ToString() + " on " + jobID); } return(job); }
public virtual bool CheckAccess(UserGroupInformation callerUGI, JobACL jobOperation ) { return(aclsMgr.CheckAccess(callerUGI, jobOperation, this.GetUserName(), jobAcls[jobOperation ])); }
internal Operation(QueueACL qACL, JobACL jobACL) { this.qACLNeeded = qACL; this.jobACLNeeded = jobACL; }