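/// <summary>
/// Utility method to verify that the current user is an administrator
/// according to the passed <see cref="YarnAuthorizationProvider"/>.
/// </summary>
/// <remarks>
/// Both failure paths write a warning to <paramref name="Log"/> and a failure
/// record to <see cref="RMAuditLogger"/> before throwing. A successful check
/// is only written at trace level here.
/// </remarks>
/// <param name="authorizer">
/// the authorization provider whose <c>IsAdmin</c> decision is enforced
/// </param>
/// <param name="method">the method name to be logged</param>
/// <param name="module">like AdminService or NodeLabelManager</param>
/// <param name="Log">the logger to use</param>
/// <returns>
/// <see cref="Org.Apache.Hadoop.Security.UserGroupInformation"/>
/// of the current user
/// </returns>
/// <exception cref="System.IO.IOException">
/// the current user could not be determined (rethrown unchanged)
/// </exception>
/// <exception cref="AccessControlException">
/// the current user is not accepted as an administrator by
/// <paramref name="authorizer"/>
/// </exception>
public static UserGroupInformation VerifyAdminAccess(YarnAuthorizationProvider authorizer,
    string method, string module, Log Log)
{
    UserGroupInformation user;
    try
    {
        user = UserGroupInformation.GetCurrentUser();
    }
    catch (IOException ioe)
    {
        Log.Warn("Couldn't get current user", ioe);
        // Attribute the failure to the caller's module, as the
        // unauthorized-user record below does. The literal "AdminService"
        // used here previously mislabelled audit entries from other modules.
        RMAuditLogger.LogFailure("UNKNOWN", method, string.Empty, module,
            "Couldn't get current user");
        // Rethrow with the original stack trace; the caller is denied.
        throw;
    }

    if (!authorizer.IsAdmin(user))
    {
        // Build the denial text once so the log line and the exception
        // message cannot drift apart.
        // NOTE(review): method and the short user name are written to the
        // log unescaped -- confirm neither can carry line breaks.
        string shortName = user.GetShortUserName();
        string denial = "User " + shortName + " doesn't have permission"
            + " to call '" + method + "'";
        Log.Warn(denial);
        RMAuditLogger.LogFailure(shortName, method, string.Empty, module,
            RMAuditLogger.AuditConstants.UnauthorizedUser);
        throw new AccessControlException(denial);
    }

    if (Log.IsTraceEnabled())
    {
        Log.Trace(method + " invoked by user " + user.GetShortUserName());
    }

    return user;
}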
/// <summary>
/// Reports whether <paramref name="user"/> is an administrator according to
/// this instance's authorizer.
/// </summary>
/// <param name="user">the user to check</param>
/// <returns>
/// <c>true</c> only when the authorizer's <c>IsAdmin</c> accepts the user;
/// otherwise <c>false</c>
/// </returns>
public virtual bool CheckAccess(UserGroupInformation user)
{
    // Only an admin may invoke the guarded operation. The decision is
    // delegated entirely to the authorizer; nothing is logged or thrown
    // here, so the caller must treat a false result as a denial.
    bool isAdmin = authorizer.IsAdmin(user);
    return isAdmin;
}
/// <summary>
/// Rejects the call unless the current user is an administrator according
/// to this instance's authorizer.
/// </summary>
/// <param name="method">
/// name of the invoked method, used in the log lines and the denial message
/// </param>
/// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException">
/// produced by <c>RPCUtil.GetRemoteException</c> when the current user cannot
/// be determined or is not an administrator
/// </exception>
private void CheckAcls(string method)
{
    UserGroupInformation caller;
    try
    {
        caller = UserGroupInformation.GetCurrentUser();
    }
    catch (IOException lookupFailure)
    {
        // No identity means no authorization decision: deny the call.
        Log.Warn("Couldn't get current user", lookupFailure);
        throw RPCUtil.GetRemoteException(lookupFailure);
    }

    bool permitted = authorizer.IsAdmin(caller);
    if (permitted)
    {
        Log.Info("SCM Admin: " + method + " invoked by user " + caller.GetShortUserName());
        return;
    }

    // NOTE(review): a denial is written only through Log.Warn; this method
    // makes no audit-logger call. Confirm an audit trail for refused SCM
    // admin calls exists elsewhere if one is required.
    Log.Warn("User " + caller.GetShortUserName() + " doesn't have permission"
        + " to call '" + method + "'");
    throw RPCUtil.GetRemoteException(new AccessControlException(
        "User " + caller.GetShortUserName() + " doesn't have permission"
        + " to call '" + method + "'"));
}