/// <summary>
/// Advances the wrapped access-type iterator and builds the protobuf ACL-map
/// entry for the access type it yields.
/// </summary>
/// <returns>
/// A proto message carrying the ACL stored under that access type in the
/// enclosing object's <c>applicationACLS</c>, together with the access type in
/// its proto form.
/// </returns>
public override YarnProtos.ApplicationACLMapProto Next()
                {
                    ApplicationAccessType accessType = this.aclsIterator.Next();

                    // The builder is created before the ACL lookup and the type conversion,
                    // and the fields are filled in one after the other.
                    var entryBuilder = YarnProtos.ApplicationACLMapProto.NewBuilder();
                    // NOTE(review): the ACL is read with the indexer; how it behaves for a
                    // key that is absent depends on the map type, which is not visible here.
                    var withAcl = entryBuilder.SetAcl(this._enclosing._enclosing.applicationACLS[accessType]);
                    var withAccessType = withAcl.SetAccessType(ProtoUtils.ConvertToProtoFormat(accessType));

                    return (YarnProtos.ApplicationACLMapProto)withAccessType.Build();
                }
Exemplo n.º 2
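        /// <summary>
        /// Decides whether the caller may perform the access described by
        /// <paramref name="applicationAccessType"/> on the given application.
        /// </summary>
        /// <remarks>
        /// The decision is taken in this order:
        /// <list type="bullet">
        /// <item><description>When <c>AreACLsEnabled()</c> is false, access is granted to
        /// every caller without any further check.</description></item>
        /// <item><description>An admin (per <c>adminAclsManager.IsAdmin</c>) and the
        /// application owner are granted every access type.</description></item>
        /// <item><description>Every other caller is checked against the ACL registered
        /// for this application and access type; when no such ACL is registered,
        /// <c>DefaultYarnAppAcl</c> is used instead.</description></item>
        /// </list>
        /// The debug log lines include the caller, the application id and the owner.
        /// </remarks>
        /// <param name="callerUGI">
        /// Identity of the caller. Must not be null: its short user name is read
        /// before the "ACLs enabled" test, so a null value fails even when ACLs are
        /// disabled.
        /// </param>
        /// <param name="applicationAccessType">The kind of access being requested.</param>
        /// <param name="applicationOwner">
        /// Short user name of the application owner, compared with the caller's short
        /// user name.
        /// </param>
        /// <param name="applicationId">Application whose ACLs are consulted.</param>
        /// <returns>
        /// <c>true</c> when access is granted, <c>false</c> when it is denied.
        /// </returns>
        public virtual bool CheckAccess(UserGroupInformation callerUGI, ApplicationAccessType
                                        applicationAccessType, string applicationOwner, ApplicationId applicationId)
        {
            if (Log.IsDebugEnabled())
            {
                Log.Debug("Verifying access-type " + applicationAccessType + " for " + callerUGI
                          + " on application " + applicationId + " owned by " + applicationOwner);
            }
            string user = callerUGI.GetShortUserName();

            // With ACLs switched off every request is allowed; nothing below runs.
            if (!AreACLsEnabled())
            {
                return(true);
            }
            AccessControlList applicationACL = DefaultYarnAppAcl;
            // NOTE(review): the declared type of applicationACLS is not visible here. If
            // its indexer throws for an unknown key, an unregistered applicationId ends
            // in an exception instead of the default-ACL fallback below -- confirm.
            IDictionary <ApplicationAccessType, AccessControlList> acls = this.applicationACLS
                                                                          [applicationId];

            if (acls == null)
            {
                if (Log.IsDebugEnabled())
                {
                    Log.Debug("ACL not found for application " + applicationId + " owned by " + applicationOwner
                              + ". Using default [" + YarnConfiguration.DefaultYarnAppAcl + "]");
                }
            }
            else
            {
                // TryGetValue instead of the indexer: the IDictionary<,> contract lets
                // the indexer throw KeyNotFoundException for an absent key, which would
                // make the "use the default ACL" branch unreachable and turn an
                // unregistered access type into an exception.
                AccessControlList applicationACLInMap;
                if (acls.TryGetValue(applicationAccessType, out applicationACLInMap) &&
                    applicationACLInMap != null)
                {
                    applicationACL = applicationACLInMap;
                }
                else
                {
                    if (Log.IsDebugEnabled())
                    {
                        Log.Debug("ACL not found for access-type " + applicationAccessType + " for application "
                                  + applicationId + " owned by " + applicationOwner + ". Using default [" + YarnConfiguration
                                  .DefaultYarnAppAcl + "]");
                    }
                }
            }
            // Admins and the application owner get every access type; everyone else
            // has to be allowed by the ACL selected above.
            return(this.adminAclsManager.IsAdmin(callerUGI) || user.Equals(applicationOwner) ||
                   applicationACL.IsUserAllowed(callerUGI));
        }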
Exemplo n.º 3
        /// <summary>
        /// Decides whether the caller may perform the requested type of access on a
        /// timeline entity, based on the owner and ACLs of the entity's domain.
        /// </summary>
        /// <remarks>
        /// When <c>adminAclsManager.AreACLsEnabled()</c> is false, access is granted to
        /// every caller, a null <paramref name="callerUGI"/> included. With ACLs
        /// enabled, a null caller is always denied; an admin, the domain owner, or a
        /// caller allowed by the domain ACL for the access type is granted access.
        /// When the domain has no ACL for the access type, a new ACL built from
        /// <c>YarnConfiguration.DefaultYarnAppAcl</c> is used.
        /// </remarks>
        /// <param name="callerUGI">Identity of the caller; may be null.</param>
        /// <param name="applicationAccessType">The kind of access being requested.</param>
        /// <param name="entity">Timeline entity whose domain is consulted.</param>
        /// <returns><c>true</c> when access is granted, <c>false</c> otherwise.</returns>
        /// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException">
        /// No domain information is cached for the entity's domain and none could be
        /// loaded from the timeline store.
        /// </exception>
        /// <exception cref="System.IO.IOException"/>
        public virtual bool CheckAccess(UserGroupInformation callerUGI, ApplicationAccessType
                                        applicationAccessType, TimelineEntity entity)
        {
            if (Log.IsDebugEnabled())
            {
                string callerName = callerUGI == null ? null : callerUGI.GetShortUserName();
                Log.Debug("Verifying the access of " + callerName + " on the timeline entity "
                          + new EntityIdentifier(entity.GetEntityId(), entity.GetEntityType()));
            }

            // ACLs disabled: every request is allowed and the domain is never looked up.
            if (!adminAclsManager.AreACLsEnabled())
            {
                return true;
            }

            // Resolve the domain's owner and ACLs: cached copy first, then the store.
            TimelineACLsManager.AccessControlListExt domainInfo = aclExts[entity.GetDomainId()];
            if (domainInfo == null)
            {
                domainInfo = LoadDomainFromTimelineStore(entity.GetDomainId());
                if (domainInfo == null)
                {
                    // An entity without domain information is an error, not a plain
                    // denial.
                    throw new YarnException("Domain information of the timeline entity "
                                            + new EntityIdentifier(entity.GetEntityId(), entity.GetEntityType())
                                            + " doesn't exist.");
                }
            }

            string domainOwner = domainInfo.owner;
            AccessControlList effectiveAcl = domainInfo.acls[applicationAccessType];
            if (effectiveAcl == null)
            {
                if (Log.IsDebugEnabled())
                {
                    Log.Debug("ACL not found for access-type " + applicationAccessType + " for domain "
                              + entity.GetDomainId() + " owned by " + domainOwner + ". Using default ["
                              + YarnConfiguration.DefaultYarnAppAcl + "]");
                }
                effectiveAcl = new AccessControlList(YarnConfiguration.DefaultYarnAppAcl);
            }

            // With ACLs enabled an unidentified caller is never granted access.
            if (callerUGI == null)
            {
                return false;
            }

            return adminAclsManager.IsAdmin(callerUGI)
                   || callerUGI.GetShortUserName().Equals(domainOwner)
                   || effectiveAcl.IsUserAllowed(callerUGI);
        }
Exemplo n.º 4
            /// <summary>Reads the application ACLs stored in the log file.</summary>
            /// <remarks>
            /// Every entry of the file is scanned; entries whose key equals
            /// <c>ApplicationAclKey</c> are decoded as a sequence of
            /// (access-type name, ACL string) pairs. When the same access type occurs
            /// more than once, the last value read is the one returned. An empty map is
            /// returned if no ACLs are found.
            /// </remarks>
            /// <returns>a map from application access type to its ACL string.</returns>
            /// <exception cref="System.IO.IOException"/>
            public virtual IDictionary <ApplicationAccessType, string> GetApplicationAcls()
            {
                // TODO Seek directly to the key once a comparator is specified.
                // NOTE(review): neither the scanner nor the value stream is released in
                // this method; whether they hold resources that need closing is not
                // visible here -- confirm.
                TFile.Reader.Scanner scanner = reader.CreateScanner();
                AggregatedLogFormat.LogKey currentKey = new AggregatedLogFormat.LogKey();
                IDictionary <ApplicationAccessType, string> result =
                    new Dictionary <ApplicationAccessType, string>();

                for (; !scanner.AtEnd(); scanner.Advance())
                {
                    TFile.Reader.Scanner.Entry current = scanner.Entry();
                    currentKey.ReadFields(current.GetKeyStream());
                    if (!currentKey.ToString().Equals(ApplicationAclKey.ToString()))
                    {
                        // Not an ACL entry; move on to the next one.
                        continue;
                    }

                    DataInputStream pairs = current.GetValueStream();
                    while (true)
                    {
                        string accessTypeName;
                        try
                        {
                            accessTypeName = pairs.ReadUTF();
                        }
                        catch (EOFException)
                        {
                            // End of stream on a pair boundary: the entry is complete.
                            break;
                        }

                        string aclText;
                        try
                        {
                            aclText = pairs.ReadUTF();
                        }
                        catch (EOFException truncated)
                        {
                            // An access type without its ACL string means the entry is cut short.
                            throw new YarnRuntimeException("Error reading ACLs", truncated);
                        }

                        // The name comes straight from the file content.
                        // NOTE(review): how ValueOf reacts to a name it does not know
                        // is not visible here -- confirm.
                        result[ApplicationAccessType.ValueOf(accessTypeName)] = aclText;
                    }
                }
                return result;
            }
Exemplo n.º 5
 /// <summary>
 /// Maps a proto access-type value to the matching
 /// <c>ApplicationAccessType</c> by name.
 /// </summary>
 /// <param name="e">The proto value to convert.</param>
 /// <returns>
 /// The access type whose name is the proto value's name with
 /// <c>AppAccessTypePrefix</c> removed.
 /// </returns>
 public static ApplicationAccessType ConvertFromProtoFormat(YarnProtos.ApplicationAccessTypeProto
                                                            e)
 {
     string protoName = e.ToString();
     // Replace removes every occurrence of the prefix text, not only a leading one.
     string accessTypeName = protoName.Replace(AppAccessTypePrefix, string.Empty);

     return ApplicationAccessType.ValueOf(accessTypeName);
 }
Exemplo n.º 6
 /*
  * ApplicationAccessType
  */
 /// <summary>
 /// Maps an <c>ApplicationAccessType</c> to the proto value whose name is
 /// <c>AppAccessTypePrefix</c> followed by the access type's name.
 /// </summary>
 /// <param name="e">The access type to convert.</param>
 /// <returns>The proto value looked up by that prefixed name.</returns>
 public static YarnProtos.ApplicationAccessTypeProto ConvertToProtoFormat(ApplicationAccessType
                                                                          e)
 {
     string protoName = AppAccessTypePrefix + e.ToString();

     return YarnProtos.ApplicationAccessTypeProto.ValueOf(protoName);
 }