Posted to commits@ignite.apache.org by sb...@apache.org on 2016/02/26 14:16:24 UTC
[06/35] ignite git commit: IGNITE-2525: YARN: Added Kerberos
handling. This closes #494.
IGNITE-2525: YARN: Added Kerberos handling. This closes #494.
Project: http://git-wip-us.apache.org/repos/asf/ignite/repo
Commit: http://git-wip-us.apache.org/repos/asf/ignite/commit/62d69e0d
Tree: http://git-wip-us.apache.org/repos/asf/ignite/tree/62d69e0d
Diff: http://git-wip-us.apache.org/repos/asf/ignite/diff/62d69e0d
Branch: refs/heads/ignite-2407
Commit: 62d69e0da62b3dc9a5ba93bdf52194c6e1486e59
Parents: 592ece0
Author: iveselovskiy <iv...@gridgain.com>
Authored: Fri Feb 19 17:31:06 2016 +0300
Committer: vozerov-gridgain <vo...@gridgain.com>
Committed: Fri Feb 19 17:31:06 2016 +0300
----------------------------------------------------------------------
.../apache/ignite/yarn/ApplicationMaster.java | 30 +++++++++++++++-----
.../apache/ignite/yarn/IgniteYarnClient.java | 25 ++++++++++++++++
.../ignite/yarn/utils/IgniteYarnUtils.java | 19 +++++++++++++
3 files changed, 67 insertions(+), 7 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ignite/blob/62d69e0d/modules/yarn/src/main/java/org/apache/ignite/yarn/ApplicationMaster.java
----------------------------------------------------------------------
diff --git a/modules/yarn/src/main/java/org/apache/ignite/yarn/ApplicationMaster.java b/modules/yarn/src/main/java/org/apache/ignite/yarn/ApplicationMaster.java
index b9ab02d..609f29b 100644
--- a/modules/yarn/src/main/java/org/apache/ignite/yarn/ApplicationMaster.java
+++ b/modules/yarn/src/main/java/org/apache/ignite/yarn/ApplicationMaster.java
@@ -20,6 +20,7 @@ package org.apache.ignite.yarn;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
+import java.nio.ByteBuffer;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
@@ -32,6 +33,8 @@ import org.apache.commons.io.IOUtils;
import org.apache.hadoop.fs.FSDataOutputStream;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.security.Credentials;
+import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.service.Service;
import org.apache.hadoop.yarn.api.records.Container;
import org.apache.hadoop.yarn.api.records.ContainerId;
@@ -67,10 +70,10 @@ public class ApplicationMaster implements AMRMClientAsync.CallbackHandler {
private long schedulerTimeout = TimeUnit.SECONDS.toMillis(1);
/** Yarn configuration. */
- private YarnConfiguration conf;
+ private final YarnConfiguration conf;
/** Cluster properties. */
- private ClusterProperties props;
+ private final ClusterProperties props;
/** Network manager. */
private NMClient nmClient;
@@ -79,7 +82,7 @@ public class ApplicationMaster implements AMRMClientAsync.CallbackHandler {
private AMRMClientAsync<AMRMClient.ContainerRequest> rmClient;
/** Ignite path. */
- private Path ignitePath;
+ private final Path ignitePath;
/** Config path. */
private Path cfgPath;
@@ -87,8 +90,11 @@ public class ApplicationMaster implements AMRMClientAsync.CallbackHandler {
/** Hadoop file system. */
private FileSystem fs;
+ /** Buffered tokens to be injected into newly allocated containers. */
+ private ByteBuffer allTokens;
+
/** Running containers. */
- private Map<ContainerId, IgniteContainer> containers = new ConcurrentHashMap<>();
+ private final Map<ContainerId, IgniteContainer> containers = new ConcurrentHashMap<>();
/**
* @param ignitePath Hdfs path to ignite.
@@ -107,6 +113,10 @@ public class ApplicationMaster implements AMRMClientAsync.CallbackHandler {
try {
ContainerLaunchContext ctx = Records.newRecord(ContainerLaunchContext.class);
+ if (UserGroupInformation.isSecurityEnabled())
+ // Set the tokens to the newly allocated container:
+ ctx.setTokens(allTokens.duplicate());
+
Map<String, String> env = new HashMap<>(System.getenv());
env.put("IGNITE_TCP_DISCOVERY_ADDRESSES", getAddress(c.getNodeId().getHost()));
@@ -192,10 +202,10 @@ public class ApplicationMaster implements AMRMClientAsync.CallbackHandler {
/**
* @return Address running nodes.
*/
- private String getAddress(String address) {
+ private String getAddress(String addr) {
if (containers.isEmpty()) {
- if (address != null && !address.isEmpty())
- return address + DEFAULT_PORT;
+ if (addr != null && !addr.isEmpty())
+ return addr + DEFAULT_PORT;
return "";
}
@@ -337,6 +347,12 @@ public class ApplicationMaster implements AMRMClientAsync.CallbackHandler {
* @throws IOException
*/
public void init() throws IOException {
+ if (UserGroupInformation.isSecurityEnabled()) {
+ Credentials cred = UserGroupInformation.getCurrentUser().getCredentials();
+
+ allTokens = IgniteYarnUtils.createTokenBuffer(cred);
+ }
+
fs = FileSystem.get(conf);
nmClient = NMClient.createNMClient();
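Review bot: The credentials serialized in init() are the ApplicationMaster's complete set, so the buffer that the container-launch hunk hands out via `ctx.setTokens(allTokens.duplicate())` presumably also carries the AM-to-RM token, which is normally present in a YARN application master's current-user credentials. The Ignite node containers do not need that token, and any process holding it can address the ResourceManager with the application master's authority, so it should be removed from `cred` before `createTokenBuffer` is called. The sketch below filters on `AMRMTokenIdentifier.KIND_NAME`; it needs imports for `Iterator`, `Token` and `AMRMTokenIdentifier`, and it relies on `getCredentials()` returning a copy, which should be confirmed for the Hadoop version in use. init() continues past the end of this hunk.

```java
Credentials cred = UserGroupInformation.getCurrentUser().getCredentials();

// Drop the AM->RM token: launched containers only need the delegation tokens.
Iterator<Token<?>> it = cred.getAllTokens().iterator();

while (it.hasNext()) {
    if (AMRMTokenIdentifier.KIND_NAME.equals(it.next().getKind()))
        it.remove();
}

allTokens = IgniteYarnUtils.createTokenBuffer(cred);
```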
http://git-wip-us.apache.org/repos/asf/ignite/blob/62d69e0d/modules/yarn/src/main/java/org/apache/ignite/yarn/IgniteYarnClient.java
----------------------------------------------------------------------
diff --git a/modules/yarn/src/main/java/org/apache/ignite/yarn/IgniteYarnClient.java b/modules/yarn/src/main/java/org/apache/ignite/yarn/IgniteYarnClient.java
index 17a5616..2a9a53e 100644
--- a/modules/yarn/src/main/java/org/apache/ignite/yarn/IgniteYarnClient.java
+++ b/modules/yarn/src/main/java/org/apache/ignite/yarn/IgniteYarnClient.java
@@ -18,6 +18,8 @@
package org.apache.ignite.yarn;
import java.io.File;
+import java.io.IOException;
+import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import java.util.concurrent.TimeUnit;
@@ -25,6 +27,9 @@ import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.security.Credentials;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.yarn.api.records.ApplicationId;
import org.apache.hadoop.yarn.api.records.ApplicationReport;
import org.apache.hadoop.yarn.api.records.ApplicationSubmissionContext;
@@ -80,6 +85,7 @@ public class IgniteYarnClient {
else
ignite = new Path(props.ignitePath());
+ // Upload the jar file to HDFS.
Path appJar = IgniteYarnUtils.copyLocalToHdfs(fs, pathAppMasterJar,
props.igniteWorkDir() + File.separator + IgniteYarnUtils.JAR_NAME);
@@ -106,6 +112,25 @@ public class IgniteYarnClient {
amContainer.setEnvironment(appMasterEnv);
+ // Setup security tokens
+ if (UserGroupInformation.isSecurityEnabled()) {
+ Credentials creds = new Credentials();
+
+ String tokRenewer = conf.get(YarnConfiguration.RM_PRINCIPAL);
+
+ if (tokRenewer == null || tokRenewer.length() == 0)
+ throw new IOException("Master Kerberos principal for the RM is not set.");
+
+ log.info("Found RM principal: " + tokRenewer);
+
+ final Token<?> tokens[] = fs.addDelegationTokens(tokRenewer, creds);
+
+ if (tokens != null)
+ log.info("File system delegation tokens: " + Arrays.toString(tokens));
+
+ amContainer.setTokens(IgniteYarnUtils.createTokenBuffer(creds));
+ }
+
// Set up resource type requirements for ApplicationMaster
Resource capability = Records.newRecord(Resource.class);
capability.setMemory(512);
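Review bot: The line `log.info("File system delegation tokens: " + Arrays.toString(tokens));` writes the full string form of every delegation token to the client log at INFO level. As far as I know Hadoop's `Token.toString()` prints kind, service and the decoded identifier rather than the password, but the identifier details still do not belong in routine logs, and the output depends on the token implementation. Logging only what an operator needs is safer, for example `for (Token<?> t : tokens) log.info("Got delegation token: kind=" + t.getKind() + ", service=" + t.getService());`, or move the existing line to `log.fine`. Only tokens for `fs` are requested here, so resources on another file system would not be covered; the enclosing method starts and ends outside the hunk, so this cannot be checked from here.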
http://git-wip-us.apache.org/repos/asf/ignite/blob/62d69e0d/modules/yarn/src/main/java/org/apache/ignite/yarn/utils/IgniteYarnUtils.java
----------------------------------------------------------------------
diff --git a/modules/yarn/src/main/java/org/apache/ignite/yarn/utils/IgniteYarnUtils.java b/modules/yarn/src/main/java/org/apache/ignite/yarn/utils/IgniteYarnUtils.java
index 6265e12..92507a7 100644
--- a/modules/yarn/src/main/java/org/apache/ignite/yarn/utils/IgniteYarnUtils.java
+++ b/modules/yarn/src/main/java/org/apache/ignite/yarn/utils/IgniteYarnUtils.java
@@ -17,9 +17,13 @@
package org.apache.ignite.yarn.utils;
+import java.io.IOException;
+import java.nio.ByteBuffer;
import org.apache.hadoop.fs.FileStatus;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.io.DataOutputBuffer;
+import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.yarn.api.records.LocalResource;
import org.apache.hadoop.yarn.api.records.LocalResourceType;
import org.apache.hadoop.yarn.api.records.LocalResourceVisibility;
@@ -83,4 +87,19 @@ public class IgniteYarnUtils {
return dstPath;
}
+
+ /**
+ * Creates a ByteBuffer with serialized {@link Credentials}.
+ *
+ * @param creds The credentials.
+ * @return The ByteBuffer with the credentials.
+ * @throws IOException
+ */
+ public static ByteBuffer createTokenBuffer(Credentials creds) throws IOException {
+ DataOutputBuffer dob = new DataOutputBuffer();
+
+ creds.writeTokenStorageToStream(dob);
+
+ return ByteBuffer.wrap(dob.getData(), 0, dob.getLength());
+ }
}
\ No newline at end of file
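Review bot: The Javadoc for `createTokenBuffer` leaves `@throws IOException` without a description and does not say that the returned buffer holds secret material. `Credentials.writeTokenStorageToStream` serializes the tokens together with their passwords and any secret keys, so the comment should state that the buffer must not be logged or persisted. It should also say that the buffer wraps the internal array of the `DataOutputBuffer` rather than a copy, and that a caller who hands it to more than one consumer should pass `duplicate()`, as ApplicationMaster does. Suggested wording: `@throws IOException If the credentials cannot be serialized.` and, in the description, `The buffer contains token secrets; do not log it. Callers that reuse it must pass duplicate().`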