示例#1
        /// <summary>
        /// Utility method to verify that the current user has admin access according to
        /// the passed
        /// <see cref="YarnAuthorizationProvider"/>.
        /// </summary>
        /// <param name="authorizer">
        /// the
        /// <see cref="YarnAuthorizationProvider"/>
        /// to check against
        /// </param>
        /// <param name="method">the method name to be logged</param>
        /// <param name="module">like AdminService or NodeLabelManager</param>
        /// <param name="Log">the logger to use</param>
        /// <returns>
        ///
        /// <see cref="Org.Apache.Hadoop.Security.UserGroupInformation"/>
        /// of the current user
        /// </returns>
        /// <exception cref="System.IO.IOException"/>
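        public static UserGroupInformation VerifyAdminAccess(YarnAuthorizationProvider authorizer
                                                             , string method, string module, Log Log)
        {
            // Resolve the caller's identity first; without it no authorization decision can be made.
            UserGroupInformation user;

            try
            {
                user = UserGroupInformation.GetCurrentUser();
            }
            catch (IOException ioe)
            {
                Log.Warn("Couldn't get current user", ioe);
                // Attribute the audit record to the module the caller passed in, the same way the
                // unauthorized-user branch below does. The previous hard-coded "AdminService" made
                // identity-lookup failures from any other module show up under the wrong component
                // in the audit trail.
                RMAuditLogger.LogFailure("UNKNOWN", method, string.Empty, module, "Couldn't get current user");
                // Rethrow unchanged so the caller sees the original failure: the request is
                // rejected, not allowed through, when the identity cannot be established.
                throw;
            }

            // Deny path: anyone the provider does not report as an admin is rejected. The denial is
            // written to the service log and to the audit log before the exception is raised.
            if (!authorizer.IsAdmin(user))
            {
                string shortName = user.GetShortUserName();
                // NOTE(review): `method` is concatenated into log, audit and exception text as-is;
                // confirm callers only pass fixed method names, never request-derived strings.
                string denial = "User " + shortName + " doesn't have permission" + " to call '" + method + "'";

                Log.Warn(denial);
                RMAuditLogger.LogFailure(shortName, method, string.Empty, module,
                                         RMAuditLogger.AuditConstants.UnauthorizedUser);
                throw new AccessControlException(denial);
            }

            // Successful admin calls are only traced, and only when trace logging is enabled.
            if (Log.IsTraceEnabled())
            {
                Log.Trace(method + " invoked by user " + user.GetShortUserName());
            }
            return user;
        }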
示例#2
 /// <exception cref="System.Exception"/>
 /// <summary>
 /// Reads the HA / automatic-failover settings, resolves the admin bind address, and
 /// installs the admin ACL on the authorization provider before delegating to the base
 /// class initialization.
 /// </summary>
 /// <param name="conf">configuration the settings and the admin ACL are read from</param>
 protected override void ServiceInit(Configuration conf)
 {
     bool haEnabled = rmContext.IsHAEnabled();
     if (haEnabled)
     {
         autoFailoverEnabled = HAUtil.IsAutomaticFailoverEnabled(conf);
         // The embedded elector is only created when failover is both automatic and embedded.
         if (autoFailoverEnabled && HAUtil.IsAutomaticFailoverEmbedded(conf))
         {
             embeddedElector = CreateEmbeddedElectorService();
             AddIfService(embeddedElector);
         }
     }

     masterServiceBindAddress = conf.GetSocketAddr(
         YarnConfiguration.RmBindHost,
         YarnConfiguration.RmAdminAddress,
         YarnConfiguration.DefaultRmAdminAddress,
         YarnConfiguration.DefaultRmAdminPort);

     // Identity this process is running as.
     daemonUser = UserGroupInformation.GetCurrentUser();

     // The admin ACL is installed on the provider here, before base.ServiceInit runs.
     authorizer = YarnAuthorizationProvider.GetInstance(conf);
     var adminAcl = GetAdminAclList(conf);
     // The current user is looked up a second time and passed along with the ACL.
     // NOTE(review): presumably this is the same identity as daemonUser — confirm.
     var aclOwner = UserGroupInformation.GetCurrentUser();
     authorizer.SetAdmins(adminAcl, aclOwner);

     rmId = conf.Get(YarnConfiguration.RmHaId);
     base.ServiceInit(conf);
 }
 /// <exception cref="System.Exception"/>
 /// <summary>
 /// Runs the base class initialization and then obtains the authorization provider
 /// for the given configuration.
 /// </summary>
 /// <param name="conf">configuration passed to the base class and to the provider lookup</param>
 protected override void ServiceInit(Configuration conf)
 {
     // Base initialization runs first; the provider is looked up only afterwards.
     base.ServiceInit(conf);

     var provider = YarnAuthorizationProvider.GetInstance(conf);
     authorizer = provider;
 }
示例#4
        /// <summary>
        /// Checks how queue ACLs propagate down a multi-level queue hierarchy: the root is
        /// configured with " " for both ACLs, queue c with "*" for ADMINISTER_QUEUE and queue
        /// c11 with "*" for SUBMIT_APPLICATIONS, and the current user's access is then
        /// asserted on root, c, c1, c11 and c111.
        /// </summary>
        public virtual void TestQueueAcl()
        {
            SetupMultiLevelQueues(csConf);

            // Root: both ACLs set to " "; the assertions below expect no access at this level.
            csConf.SetAcl(CapacitySchedulerConfiguration.Root, QueueACL.SubmitApplications, " ");
            csConf.SetAcl(CapacitySchedulerConfiguration.Root, QueueACL.AdministerQueue, " ");

            // root.c: ADMINISTER_QUEUE set to "*".
            string pathToC = CapacitySchedulerConfiguration.Root + "." + C;
            csConf.SetAcl(pathToC, QueueACL.AdministerQueue, "*");

            // root.c.c1.c11: SUBMIT_APPLICATIONS set to "*".
            string pathToC11 = pathToC + "." + C1 + "." + C11;
            csConf.SetAcl(pathToC11, QueueACL.SubmitApplications, "*");

            IDictionary<string, CSQueue> queues = new Dictionary<string, CSQueue>();
            CSQueue root = CapacityScheduler.ParseQueue(
                csContext, csConf, null, CapacitySchedulerConfiguration.Root, queues, queues, TestUtils.spyHook);

            // NOTE(review): the provider is built from `conf`, not `csConf` — confirm this is intended.
            YarnAuthorizationProvider authorizer = YarnAuthorizationProvider.GetInstance(conf);
            CapacityScheduler.SetQueueAcls(authorizer, queues);

            UserGroupInformation user = UserGroupInformation.GetCurrentUser();

            // Look up the queues under test.
            ParentQueue queueC = (ParentQueue)queues[C];
            ParentQueue queueC1 = (ParentQueue)queues[C1];
            ParentQueue queueC11 = (ParentQueue)queues[C11];
            ParentQueue queueC111 = (ParentQueue)queues[C111];

            // root: neither administer nor submit.
            NUnit.Framework.Assert.IsFalse(root.HasAccess(QueueACL.AdministerQueue, user));
            // The ACL info list is fetched once from the root and reused for every queue name below.
            IList<QueueUserACLInfo> aclInfos = root.GetQueueUserAclInfo(user);
            NUnit.Framework.Assert.IsFalse(HasQueueACL(aclInfos, QueueACL.AdministerQueue, "root"));
            NUnit.Framework.Assert.IsFalse(root.HasAccess(QueueACL.SubmitApplications, user));
            NUnit.Framework.Assert.IsFalse(HasQueueACL(aclInfos, QueueACL.SubmitApplications, "root"));

            // c: administer granted, submit not granted.
            NUnit.Framework.Assert.IsTrue(queueC.HasAccess(QueueACL.AdministerQueue, user));
            NUnit.Framework.Assert.IsTrue(HasQueueACL(aclInfos, QueueACL.AdministerQueue, "c"));
            NUnit.Framework.Assert.IsFalse(queueC.HasAccess(QueueACL.SubmitApplications, user));
            NUnit.Framework.Assert.IsFalse(HasQueueACL(aclInfos, QueueACL.SubmitApplications, "c"));

            // c1: administer permission comes from the parent, still no submit.
            NUnit.Framework.Assert.IsTrue(queueC1.HasAccess(QueueACL.AdministerQueue, user));
            NUnit.Framework.Assert.IsTrue(HasQueueACL(aclInfos, QueueACL.AdministerQueue, "c1"));
            NUnit.Framework.Assert.IsFalse(queueC1.HasAccess(QueueACL.SubmitApplications, user));
            NUnit.Framework.Assert.IsFalse(HasQueueACL(aclInfos, QueueACL.SubmitApplications, "c1"));

            // c11: administer from the parent chain plus its own submit ACL.
            NUnit.Framework.Assert.IsTrue(queueC11.HasAccess(QueueACL.AdministerQueue, user));
            NUnit.Framework.Assert.IsTrue(HasQueueACL(aclInfos, QueueACL.AdministerQueue, "c11"));
            NUnit.Framework.Assert.IsTrue(queueC11.HasAccess(QueueACL.SubmitApplications, user));
            NUnit.Framework.Assert.IsTrue(HasQueueACL(aclInfos, QueueACL.SubmitApplications, "c11"));

            // c111: both permissions, both obtained from its ancestors.
            NUnit.Framework.Assert.IsTrue(queueC111.HasAccess(QueueACL.AdministerQueue, user));
            NUnit.Framework.Assert.IsTrue(HasQueueACL(aclInfos, QueueACL.AdministerQueue, "c111"));
            NUnit.Framework.Assert.IsTrue(queueC111.HasAccess(QueueACL.SubmitApplications, user));
            NUnit.Framework.Assert.IsTrue(HasQueueACL(aclInfos, QueueACL.SubmitApplications, "c111"));

            Org.Mockito.Mockito.Reset(queueC);
        }
示例#5
 /// <exception cref="System.IO.IOException"/>
 /// <summary>
 /// Convenience overload of the admin access check that reports under the
 /// "AdminService" module name.
 /// </summary>
 /// <param name="authorizer">provider used for the admin check</param>
 /// <param name="method">the method name to be logged</param>
 /// <param name="Log">the logger to use</param>
 /// <returns>whatever the four-argument overload returns</returns>
 public static UserGroupInformation VerifyAdminAccess(YarnAuthorizationProvider authorizer,
                                                      string method, Log Log)
 {
     // Module name used when the caller does not supply one.
     const string defaultModule = "AdminService";

     return VerifyAdminAccess(authorizer, method, defaultModule, Log);
 }
示例#6
 /// <exception cref="System.IO.IOException"/>
 /// <summary>
 /// Loads this queue's settings from the scheduler configuration: node labels (falling
 /// back to the parent's when unset), capacities, maximum allocation, authorization
 /// provider, state and ACLs. It then refreshes queue statistics and rejects a label set
 /// that is not contained in the parent's.
 /// </summary>
 /// <param name="clusterResource">cluster resource passed to the statistics update</param>
 internal virtual void SetupQueueConfigs(Org.Apache.Hadoop.Yarn.Api.Records.Resource clusterResource)
 {
     // The whole reconfiguration runs under the instance monitor.
     lock (this)
     {
         // Labels configured for this queue path.
         this.accessibleLabels = csContext.GetConfiguration().GetAccessibleNodeLabels(GetQueuePath());
         this.defaultLabelExpression = csContext.GetConfiguration().GetDefaultNodeLabelExpression(GetQueuePath());

         // No labels configured here: take the parent's.
         if (this.accessibleLabels == null && parent != null)
         {
             this.accessibleLabels = parent.GetAccessibleNodeLabels();
         }

         // No default expression configured here: take the parent's, but only when this
         // queue's labels contain all of the parent's labels.
         if (this.defaultLabelExpression == null && parent != null
             && this.accessibleLabels.ContainsAll(parent.GetAccessibleNodeLabels()))
         {
             this.defaultLabelExpression = parent.GetDefaultNodeLabelExpression();
         }

         // Capacities are set up only after the labels are known.
         SetupConfigurableCapacities();
         this.maximumAllocation = csContext.GetConfiguration().GetMaximumAllocationPerQueue(GetQueuePath());

         authorizer = YarnAuthorizationProvider.GetInstance(csContext.GetConf());
         this.state = csContext.GetConfiguration().GetState(GetQueuePath());
         this.acls = csContext.GetConfiguration().GetAcls(GetQueuePath());

         // Update metrics.
         CSQueueUtils.UpdateQueueStatistics(resourceCalculator, this, parent, clusterResource, minimumAllocation);

         // Label containment check: a queue must not reach node labels its parent cannot.
         // It applies only when the parent itself has a parent (presumably: the parent is
         // not the root queue) and the parent's label set is non-null and is not ANY ("*").
         bool parentRestrictsLabels =
             parent != null
             && parent.GetParent() != null
             && parent.GetAccessibleNodeLabels() != null
             && !parent.GetAccessibleNodeLabels().Contains(RMNodeLabelsManager.Any);

         if (parentRestrictsLabels)
         {
             // A restricted parent cannot have a child open to every label.
             if (this.GetAccessibleNodeLabels().Contains(RMNodeLabelsManager.Any))
             {
                 throw new IOException("Parent's accessible queue is not ANY(*), " + "but child's accessible queue is *"
                                       );
             }

             // Any label present on the child but missing from the parent is an error.
             ICollection<string> extraLabels = Sets.Difference(
                 this.GetAccessibleNodeLabels(), parent.GetAccessibleNodeLabels());
             if (!extraLabels.IsEmpty())
             {
                 throw new IOException("Some labels of child queue is not a subset " + "of parent queue, these labels=["
                                       + StringUtils.Join(extraLabels, ",") + "]");
             }
         }

         this.reservationsContinueLooking = csContext.GetConfiguration().GetReservationContinueLook();
         this.preemptionDisabled = IsQueueHierarchyPreemptionDisabled(this);
     }
 }
 /// <exception cref="System.Exception"/>
 /// <summary>
 /// Resolves the client bind address and the authorization provider from the
 /// configuration, then runs the base class initialization.
 /// </summary>
 /// <param name="conf">configuration the address and the provider are derived from</param>
 protected override void ServiceInit(Configuration conf)
 {
     this.clientBindAddress = GetBindAddress(conf);

     // The provider is looked up before base.ServiceInit runs.
     var provider = YarnAuthorizationProvider.GetInstance(conf);
     authorizer = provider;

     base.ServiceInit(conf);
 }