Posted to commits@falcon.apache.org by ba...@apache.org on 2016/04/22 01:50:49 UTC

falcon git commit: FALCON-1916 Allow RM principal to be specified in Cluster entity

Repository: falcon
Updated Branches:
  refs/heads/master aba79aae2 -> a36946101


FALCON-1916 Allow RM principal to be specified in Cluster entity

When clusters are set up in individual security domains with cross-realm trusts, the RM principal needs to be specified explicitly to disambiguate the realm of the resource manager of the corresponding cluster entities.

This patch allows RM principal to be set and processed from the cluster properties

Author: Venkat Ranganathan <ve...@hortonworks.com>

Reviewers: "Venkatesan Ramachandran <vr...@hortonworks.com>"

Closes #111 from vrangan/master


Project: http://git-wip-us.apache.org/repos/asf/falcon/repo
Commit: http://git-wip-us.apache.org/repos/asf/falcon/commit/a3694610
Tree: http://git-wip-us.apache.org/repos/asf/falcon/tree/a3694610
Diff: http://git-wip-us.apache.org/repos/asf/falcon/diff/a3694610

Branch: refs/heads/master
Commit: a369461011bc41805f9b0736a2748366794cd8af
Parents: aba79aa
Author: Venkat Ranganathan <ve...@hortonworks.com>
Authored: Thu Apr 21 16:50:44 2016 -0700
Committer: bvellanki <bv...@hortonworks.com>
Committed: Thu Apr 21 16:50:44 2016 -0700

----------------------------------------------------------------------
 .../falcon/entity/parser/ClusterEntityParser.java      |  3 ++-
 .../org/apache/falcon/hadoop/HadoopClientFactory.java  | 13 +++++++++++--
 .../java/org/apache/falcon/security/SecurityUtil.java  |  7 +++++++
 3 files changed, 20 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/falcon/blob/a3694610/common/src/main/java/org/apache/falcon/entity/parser/ClusterEntityParser.java
----------------------------------------------------------------------
diff --git a/common/src/main/java/org/apache/falcon/entity/parser/ClusterEntityParser.java b/common/src/main/java/org/apache/falcon/entity/parser/ClusterEntityParser.java
index 87db536..c3bdf3b 100644
--- a/common/src/main/java/org/apache/falcon/entity/parser/ClusterEntityParser.java
+++ b/common/src/main/java/org/apache/falcon/entity/parser/ClusterEntityParser.java
@@ -151,7 +151,8 @@ public class ClusterEntityParser extends EntityParser<Cluster> {
         LOG.info("Validating execute interface: {}", executeUrl);
 
         try {
-            HadoopClientFactory.get().validateJobClient(executeUrl);
+            String rmPrincipal = ClusterHelper.getPropertyValue(cluster, SecurityUtil.RM_PRINCIPAL);
+            HadoopClientFactory.get().validateJobClient(executeUrl, rmPrincipal);
         } catch (IOException e) {
             throw new ValidationException("Invalid Execute server or port: " + executeUrl, e);
         }
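Review bot: The `rmPrincipal` read from the cluster entity is handed to `validateJobClient` without any check on its form, although it decides which Kerberos service principal the client will accept as the resource manager at `executeUrl`. A check that the value has the `service/host@REALM` shape, raising a `ValidationException` otherwise, would reject malformed entries at submission time. The existing catch block would also report a principal mismatch as an address problem; the message could carry both values, `throw new ValidationException("Invalid Execute server or port: " + executeUrl + " (RM principal: " + rmPrincipal + ")", e);`. The enclosing method starts and ends outside this hunk.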

http://git-wip-us.apache.org/repos/asf/falcon/blob/a3694610/common/src/main/java/org/apache/falcon/hadoop/HadoopClientFactory.java
----------------------------------------------------------------------
diff --git a/common/src/main/java/org/apache/falcon/hadoop/HadoopClientFactory.java b/common/src/main/java/org/apache/falcon/hadoop/HadoopClientFactory.java
index 3d6b16b..d70c4b9 100644
--- a/common/src/main/java/org/apache/falcon/hadoop/HadoopClientFactory.java
+++ b/common/src/main/java/org/apache/falcon/hadoop/HadoopClientFactory.java
@@ -19,6 +19,7 @@
 package org.apache.falcon.hadoop;
 
 import org.apache.commons.lang.Validate;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.falcon.FalconException;
 import org.apache.falcon.security.CurrentUser;
 import org.apache.falcon.security.SecurityUtil;
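Review bot: The added `org.apache.commons.lang3.StringUtils` import sits next to `org.apache.commons.lang.Validate`, so this file now depends on two generations of commons-lang for one `isNotEmpty` call. Unless the module is already standardising on lang3 elsewhere, `import org.apache.commons.lang.StringUtils;` provides the same method and keeps the file on a single library version.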
@@ -277,11 +278,19 @@ public final class HadoopClientFactory {
      * @param executeUrl jt url or RM url
      * @throws IOException
      */
-    public void validateJobClient(String executeUrl) throws IOException {
+    public void validateJobClient(String executeUrl, String rmPrincipal) throws IOException {
         final JobConf jobConf = new JobConf();
         jobConf.set(MR_JT_ADDRESS_KEY, executeUrl);
         jobConf.set(YARN_RM_ADDRESS_KEY, executeUrl);
-
+        /**
+         * It is possible that the RM/JT principal can be different between clusters,
+         * for example, the cluster is using a different KDC with cross-domain trust
+         * with the Falcon KDC.   in that case, we want to allow the user to provide
+         * the RM principal similar to NN principal.
+         */
+        if (UserGroupInformation.isSecurityEnabled() && StringUtils.isNotEmpty(rmPrincipal)) {
+            jobConf.set(SecurityUtil.RM_PRINCIPAL, rmPrincipal);
+        }
         UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
         try {
             JobClient jobClient = loginUser.doAs(new PrivilegedExceptionAction<JobClient>() {
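Review bot: A whitespace-only or padded `rmPrincipal` passes `StringUtils.isNotEmpty` in the new guard and is written to `yarn.resourcemanager.principal` as-is, which would presumably show up later as a Kerberos principal mismatch rather than a clear validation error. Using `StringUtils.isNotBlank(rmPrincipal)` in the condition and `jobConf.set(SecurityUtil.RM_PRINCIPAL, rmPrincipal.trim());` in the body avoids that. The method Javadoc above still documents only `executeUrl`; add `@param rmPrincipal Kerberos principal of the RM, or null/empty to keep the default`. The explanatory block inside the body opens with `/**`, but it documents no declaration, so a plain `/* ... */` comment fits better. The method body continues outside the hunk.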

http://git-wip-us.apache.org/repos/asf/falcon/blob/a3694610/common/src/main/java/org/apache/falcon/security/SecurityUtil.java
----------------------------------------------------------------------
diff --git a/common/src/main/java/org/apache/falcon/security/SecurityUtil.java b/common/src/main/java/org/apache/falcon/security/SecurityUtil.java
index c187358..fe04c40 100644
--- a/common/src/main/java/org/apache/falcon/security/SecurityUtil.java
+++ b/common/src/main/java/org/apache/falcon/security/SecurityUtil.java
@@ -53,6 +53,13 @@ public final class SecurityUtil {
     public static final String NN_PRINCIPAL = "dfs.namenode.kerberos.principal";
 
     /**
+     * Constant for the configuration property that indicates the
+     * Resource Manager principal.   This is useful when the remote cluster realm
+     * (with cross domain trust) or the auth to local rule definition results in a
+     * different RM principal than in Falcon server cluster.
+     */
+    public static final String RM_PRINCIPAL = "yarn.resourcemanager.principal";
+    /**
      * Constant for the configuration property that indicates the Name node principal.
      * This is used to talk to Hive Meta Store during parsing and validations only.
      */
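Review bot: The new `RM_PRINCIPAL` constant is followed directly by the next constant's `/**` with no blank line, unlike the separation after `NN_PRINCIPAL` just above; add an empty line after the declaration. The Javadoc could also state where the value comes from and when it takes effect, for example `Read from the cluster entity properties and applied only when Hadoop security is enabled.`, and spell the setting as `auth_to_local` so it can be searched for.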