Posted to common-commits@hadoop.apache.org by ma...@apache.org on 2011/10/25 08:07:15 UTC
svn commit: r1188522 - in
/hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main:
java/org/apache/hadoop/fs/ java/org/apache/hadoop/ipc/
java/org/apache/hadoop/security/ java/org/apache/hadoop/security/token/
packages/ packages/templates/conf/
Author: mahadev
Date: Tue Oct 25 06:07:13 2011
New Revision: 1188522
URL: http://svn.apache.org/viewvc?rev=1188522&view=rev
Log:
MAPREDUCE-2746. Yarn servers can't communicate with each other with hadoop.security.authorization set to true (acmurthy via mahadev)
Modified:
hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeys.java
hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Server.java
hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SecurityUtil.java
hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java
hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/packages/hadoop-setup-hdfs.sh
hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/packages/templates/conf/hadoop-policy.xml
Modified: hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeys.java
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeys.java?rev=1188522&r1=1188521&r2=1188522&view=diff
==============================================================================
--- hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeys.java (original)
+++ hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeys.java Tue Oct 25 06:07:13 2011
@@ -93,5 +93,18 @@ public class CommonConfigurationKeys ext
/** Default value for IO_COMPRESSION_CODEC_SNAPPY_BUFFERSIZE_KEY */
public static final int IO_COMPRESSION_CODEC_SNAPPY_BUFFERSIZE_DEFAULT =
256 * 1024;
+
+ /**
+ * Service Authorization
+ */
+ public static final String
+ HADOOP_SECURITY_SERVICE_AUTHORIZATION_REFRESH_POLICY =
+ "security.refresh.policy.protocol.acl";
+ public static final String
+ HADOOP_SECURITY_SERVICE_AUTHORIZATION_GET_USER_MAPPINGS =
+ "security.get.user.mappings.protocol.acl";
+ public static final String
+ HADOOP_SECURITY_SERVICE_AUTHORIZATION_REFRESH_USER_MAPPINGS =
+ "security.refresh.user.mappings.protocol.acl";
}
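Review bot: The `/** Service Authorization */` Javadoc attaches only to `HADOOP_SECURITY_SERVICE_AUTHORIZATION_REFRESH_POLICY`, so the two user-mapping constants below it are undocumented. Each constant names an ACL key in the service-authorization policy, so a one-line Javadoc per field would say which protocol it guards, e.g. `/** ACL key for the protocol that refreshes user-to-group mappings. */`. Of the three keys, only `security.refresh.policy.protocol.acl` is visible in the hadoop-policy.xml template in this commit. Whether the template defines the other two is not visible here, so it is worth documenting which ACL applies when a key is absent.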
Modified: hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Server.java
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Server.java?rev=1188522&r1=1188521&r2=1188522&view=diff
==============================================================================
--- hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Server.java (original)
+++ hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Server.java Tue Oct 25 06:07:13 2011
@@ -1811,6 +1811,16 @@ public abstract class Server {
}
/**
+ * Get the port on which the IPC Server is listening for incoming connections.
+ * This could be an ephemeral port too, in which case we return the real
+ * port on which the Server has bound.
+ * @return port on which IPC Server is listening
+ */
+ public int getPort() {
+ return port;
+ }
+
+ /**
* The number of open RPC conections
* @return the number of open rpc connections
*/
Modified: hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SecurityUtil.java
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SecurityUtil.java?rev=1188522&r1=1188521&r2=1188522&view=diff
==============================================================================
--- hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SecurityUtil.java (original)
+++ hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SecurityUtil.java Tue Oct 25 06:07:13 2011
@@ -316,17 +316,23 @@ public class SecurityUtil {
* @param conf configuration object
* @return the KerberosInfo or null if it has no KerberosInfo defined
*/
- public static KerberosInfo getKerberosInfo(Class<?> protocol, Configuration conf) {
- for(SecurityInfo provider: testProviders) {
- KerberosInfo result = provider.getKerberosInfo(protocol, conf);
- if (result != null) {
- return result;
+ public static KerberosInfo
+ getKerberosInfo(Class<?> protocol, Configuration conf) {
+ synchronized (testProviders) {
+ for(SecurityInfo provider: testProviders) {
+ KerberosInfo result = provider.getKerberosInfo(protocol, conf);
+ if (result != null) {
+ return result;
+ }
}
}
- for(SecurityInfo provider: securityInfoProviders) {
- KerberosInfo result = provider.getKerberosInfo(protocol, conf);
- if (result != null) {
- return result;
+
+ synchronized (securityInfoProviders) {
+ for(SecurityInfo provider: securityInfoProviders) {
+ KerberosInfo result = provider.getKerberosInfo(protocol, conf);
+ if (result != null) {
+ return result;
+ }
}
}
return null;
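Review bot: Both new `synchronized` blocks lock on the collection object itself (`testProviders`, `securityInfoProviders`), which excludes other threads only if every writer takes the same monitor and the field is never reassigned. The declarations and any setter are outside this hunk, so that needs confirming. If `testProviders` can be replaced at run time, a dedicated `private static final Object PROVIDER_LOCK = new Object();` shared by readers and writers would be safer. The lock is also held across `provider.getKerberosInfo(protocol, conf)`, which is provider code, so a comment stating that providers must not block or call back into `SecurityUtil` would record the constraint. The same applies to `getTokenInfo` in the next hunk; the closing brace of `getKerberosInfo` lies outside this hunk.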
@@ -340,18 +346,24 @@ public class SecurityUtil {
* @return the TokenInfo or null if it has no KerberosInfo defined
*/
public static TokenInfo getTokenInfo(Class<?> protocol, Configuration conf) {
- for(SecurityInfo provider: testProviders) {
- TokenInfo result = provider.getTokenInfo(protocol, conf);
- if (result != null) {
- return result;
- }
- }
- for(SecurityInfo provider: securityInfoProviders) {
- TokenInfo result = provider.getTokenInfo(protocol, conf);
- if (result != null) {
- return result;
+ synchronized (testProviders) {
+ for(SecurityInfo provider: testProviders) {
+ TokenInfo result = provider.getTokenInfo(protocol, conf);
+ if (result != null) {
+ return result;
+ }
}
- }
+ }
+
+ synchronized (securityInfoProviders) {
+ for(SecurityInfo provider: securityInfoProviders) {
+ TokenInfo result = provider.getTokenInfo(protocol, conf);
+ if (result != null) {
+ return result;
+ }
+ }
+ }
+
return null;
}
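Review bot: The Javadoc above `getTokenInfo` still reads `@return the TokenInfo or null if it has no KerberosInfo defined`, which looks copied from `getKerberosInfo`. Since the method body is being rewritten here, the line should become `* @return the TokenInfo or null if it has no TokenInfo defined`. The start of that Javadoc block is outside the hunk.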
Modified: hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java?rev=1188522&r1=1188521&r2=1188522&view=diff
==============================================================================
--- hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java (original)
+++ hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java Tue Oct 25 06:07:13 2011
@@ -281,10 +281,12 @@ public class Token<T extends TokenIdenti
return renewer;
}
renewer = TRIVIAL_RENEWER;
- for (TokenRenewer canidate: renewers) {
- if (canidate.handleKind(this.kind)) {
- renewer = canidate;
- return renewer;
+ synchronized (renewers) {
+ for (TokenRenewer canidate : renewers) {
+ if (canidate.handleKind(this.kind)) {
+ renewer = canidate;
+ return renewer;
+ }
}
}
LOG.warn("No TokenRenewer defined for token kind " + this.kind);
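Review bot: `renewer = TRIVIAL_RENEWER;` is still assigned before the new `synchronized (renewers)` block, so the field holds the fallback value while the lookup is running. If the enclosing method is not itself synchronized (its signature is outside the hunk), a second thread can take the early `return renewer;` at the top of the hunk and receive the trivial renewer for a token kind that does have a handler. Moving `renewer = TRIVIAL_RENEWER;` to after the loop, immediately before the `LOG.warn(...)` line, would publish the field only once its final value is known.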
Modified: hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/packages/hadoop-setup-hdfs.sh
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/packages/hadoop-setup-hdfs.sh?rev=1188522&r1=1188521&r2=1188522&view=diff
==============================================================================
--- hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/packages/hadoop-setup-hdfs.sh (original)
+++ hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/packages/hadoop-setup-hdfs.sh Tue Oct 25 06:07:13 2011
@@ -70,6 +70,10 @@ while true ; do
HADOOP_MR_USER=$2; shift 2
AUTOMATED=1
;;
+ --yarn-user)
+ HADOOP_YARN_USER=$2; shift 2
+ AUTOMATED=1
+ ;;
--hdfs-user-keytab)
HDFS_KEYTAB=$2; shift 2
AUTOMATED=1
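Review bot: The new `--yarn-user)` arm is reached only if the option survives whatever pre-parsing feeds this `while true` loop. If that is a `getopt` call with a long-option list (it is outside the hunk), `yarn-user:` has to be added there as well, and this commit contains no hunk doing so; any usage text needs the same addition. The value is also taken unquoted and unchecked, like the neighbouring arms, while the hadoop-policy.xml template in this commit uses `${HADOOP_YARN_USER}` as an ACL value. A check after the defaults are applied would keep a blank, comma or `*` from widening that ACL, e.g. `case "$HADOOP_YARN_USER" in *[!A-Za-z0-9_.-]*) echo "invalid --yarn-user" >&2; exit 1;; esac`.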
@@ -91,6 +95,7 @@ done
HADOOP_GROUP=${HADOOP_GROUP:-hadoop}
HADOOP_HDFS_USER=${HADOOP_HDFS_USER:-hdfs}
+HADOOP_YARN_USER=${HADOOP_YARN_USER:-yarn}
HADOOP_MAPREDUCE_USER=${HADOOP_MR_USER:-mapred}
if [ "${KERBEROS_REALM}" != "" ]; then
Modified: hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/packages/templates/conf/hadoop-policy.xml
URL: http://svn.apache.org/viewvc/hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/packages/templates/conf/hadoop-policy.xml?rev=1188522&r1=1188521&r2=1188522&view=diff
==============================================================================
--- hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/packages/templates/conf/hadoop-policy.xml (original)
+++ hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/packages/templates/conf/hadoop-policy.xml Tue Oct 25 06:07:13 2011
@@ -85,6 +85,7 @@
A special value of "*" means all users are allowed.</description>
</property>
+
<property>
<name>security.job.submission.protocol.acl</name>
<value>*</value>
@@ -124,7 +125,7 @@
users are allowed.</description>
</property>
-<property>
+ <property>
<name>security.refresh.policy.protocol.acl</name>
<value>${HADOOP_HDFS_USER}</value>
<description>ACL for RefreshAuthorizationPolicyProtocol, used by the
@@ -135,5 +136,85 @@
</property>
+ <!-- YARN Protocols -->
+
+ <property>
+ <name>security.resourcetracker.protocol.acl</name>
+ <value>${HADOOP_YARN_USER}</value>
+ <description>ACL for ResourceTracker protocol, used by the
+ ResourceManager and NodeManager to communicate with each other.
+ The ACL is a comma-separated list of user and group names. The user and
+ group list is separated by a blank. For e.g. "alice,bob users,wheel".
+ A special value of "*" means all users are allowed.</description>
+ </property>
+
+ <property>
+ <name>security.admin.protocol.acl</name>
+ <value>${HADOOP_YARN_USER}</value>
+ <description>ACL for RMAdminProtocol, for admin commands.
+ The ACL is a comma-separated list of user and group names. The user and
+ group list is separated by a blank. For e.g. "alice,bob users,wheel".
+ A special value of "*" means all users are allowed.</description>
+ </property>
+
+ <property>
+ <name>security.client.resourcemanager.protocol.acl</name>
+ <value>*</value>
+ <description>ACL for ClientRMProtocol, used by the ResourceManager
+ and applications submission clients to communicate with each other.
+ The ACL is a comma-separated list of user and group names. The user and
+ group list is separated by a blank. For e.g. "alice,bob users,wheel".
+ A special value of "*" means all users are allowed.</description>
+ </property>
+
+ <property>
+ <name>security.applicationmaster.resourcemanager.protocol.acl</name>
+ <value>*</value>
+ <description>ACL for AMRMProtocol, used by the ResourceManager
+ and ApplicationMasters to communicate with each other.
+ The ACL is a comma-separated list of user and group names. The user and
+ group list is separated by a blank. For e.g. "alice,bob users,wheel".
+ A special value of "*" means all users are allowed.</description>
+ </property>
+
+ <property>
+ <name>security.containermanager.protocol.acl</name>
+ <value>*</value>
+ <description>ACL for ContainerManager protocol, used by the NodeManager
+ and ApplicationMasters to communicate with each other.
+ The ACL is a comma-separated list of user and group names. The user and
+ group list is separated by a blank. For e.g. "alice,bob users,wheel".
+ A special value of "*" means all users are allowed.</description>
+ </property>
+
+ <property>
+ <name>security.resourcelocalizer.protocol.acl</name>
+ <value>*</value>
+ <description>ACL for ResourceLocalizer protocol, used by the NodeManager
+ and ResourceLocalizer to communicate with each other.
+ The ACL is a comma-separated list of user and group names. The user and
+ group list is separated by a blank. For e.g. "alice,bob users,wheel".
+ A special value of "*" means all users are allowed.</description>
+ </property>
+
+ <property>
+ <name>security.job.task.protocol.acl</name>
+ <value>*</value>
+ <description>ACL for TaskUmbilicalProtocol, used by the map and reduce
+ tasks to communicate with the parent tasktracker.
+ The ACL is a comma-separated list of user and group names. The user and
+ group list is separated by a blank. For e.g. "alice,bob users,wheel".
+ A special value of "*" means all users are allowed.</description>
+ </property>
+
+ <property>
+ <name>security.job.client.protocol.acl</name>
+ <value>*</value>
+ <description>ACL for MRClientProtocol, used by job clients to
+ communciate with the MR ApplicationMaster to query job status etc.
+ The ACL is a comma-separated list of user and group names. The user and
+ group list is separated by a blank. For e.g. "alice,bob users,wheel".
+ A special value of "*" means all users are allowed.</description>
+ </property>
</configuration>
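Review bot: Six of the eight new YARN ACLs ship as `*`, including `security.containermanager.protocol.acl` and `security.resourcelocalizer.protocol.acl`. With `hadoop.security.authorization` set to true, the service-level check therefore admits every authenticated user on those protocols, and only the two `${HADOOP_YARN_USER}` entries restrict anything. If that default is intentional, a comment under `<!-- YARN Protocols -->` should say so, for example `<!-- ACLs left at "*" are not restricted by service-level authorization; narrow them per deployment. -->`. `${HADOOP_YARN_USER}` is new in this template, and the only script hunk in this commit that defines it is in hadoop-setup-hdfs.sh; whether the script that renders the template sets it is not visible, and if it does not, the two restricted ACLs would not resolve to the intended account. The MRClientProtocol description also misspells "communicate" as "communciate".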