Posted to mapreduce-commits@hadoop.apache.org by ss...@apache.org on 2012/02/29 21:50:05 UTC
svn commit: r1295264 - in
/hadoop/common/branches/branch-0.23.2/hadoop-mapreduce-project: ./
hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/
hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/test/java...
Author: sseth
Date: Wed Feb 29 20:50:04 2012
New Revision: 1295264
URL: http://svn.apache.org/viewvc?rev=1295264&view=rev
Log:
merge MAPREDUCE-3903 from trunk
Added:
hadoop/common/branches/branch-0.23.2/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/test/java/org/apache/hadoop/mapred/TestJobAclsManager.java
- copied unchanged from r1295262, hadoop/common/trunk/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/test/java/org/apache/hadoop/mapred/TestJobAclsManager.java
Modified:
hadoop/common/branches/branch-0.23.2/hadoop-mapreduce-project/CHANGES.txt
hadoop/common/branches/branch-0.23.2/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/JobACLsManager.java
hadoop/common/branches/branch-0.23.2/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/HistoryClientService.java
hadoop/common/branches/branch-0.23.2/hadoop-mapreduce-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
hadoop/common/branches/branch-0.23.2/hadoop-mapreduce-project/hadoop-yarn/hadoop-yarn-site/src/site/apt/ClusterSetup.apt.vm
Modified: hadoop/common/branches/branch-0.23.2/hadoop-mapreduce-project/CHANGES.txt
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.23.2/hadoop-mapreduce-project/CHANGES.txt?rev=1295264&r1=1295263&r2=1295264&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.23.2/hadoop-mapreduce-project/CHANGES.txt (original)
+++ hadoop/common/branches/branch-0.23.2/hadoop-mapreduce-project/CHANGES.txt Wed Feb 29 20:50:04 2012
@@ -106,6 +106,9 @@ Release 0.23.2 - UNRELEASED
MAPREDUCE-3920. Revise yarn default port number selection
(Dave Thompson via tgraves)
+ MAPREDUCE-3903. Add support for mapreduce admin users. (Thomas Graves via
+ sseth)
+
Release 0.23.1 - 2012-02-17
INCOMPATIBLE CHANGES
Modified: hadoop/common/branches/branch-0.23.2/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/JobACLsManager.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.23.2/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/JobACLsManager.java?rev=1295264&r1=1295263&r2=1295264&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.23.2/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/JobACLsManager.java (original)
+++ hadoop/common/branches/branch-0.23.2/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/JobACLsManager.java Wed Feb 29 20:50:04 2012
@@ -20,6 +20,8 @@ package org.apache.hadoop.mapred;
import java.util.HashMap;
import java.util.Map;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.mapreduce.JobACL;
@@ -31,9 +33,12 @@ import org.apache.hadoop.security.author
@InterfaceAudience.Private
public class JobACLsManager {
+ static final Log LOG = LogFactory.getLog(JobACLsManager.class);
Configuration conf;
+ private final AccessControlList adminAcl;
public JobACLsManager(Configuration conf) {
+ adminAcl = new AccessControlList(conf.get(MRConfig.MR_ADMINS, " "));
this.conf = conf;
}
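Review bot: The `" "` default in `conf.get(MRConfig.MR_ADMINS, " ")` in the constructor is a magic value whose meaning is not stated, and it decides who gets the admin override. A blank string yields an empty AccessControlList (nobody is an admin), whereas `*` would make every user one, so a comment such as `// " " = empty ACL: nobody is an MR admin unless mapreduce.cluster.administrators is set` belongs on that line. The ACL is also built once here, so a later configuration change presumably needs a new JobACLsManager to take effect, which is worth stating in the class Javadoc. As a style point, the new `LOG` field is package-private; `private static final Log LOG` is the usual form unless the test in the same package needs it.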
@@ -72,6 +77,18 @@ public class JobACLsManager {
}
/**
+ * Is the calling user an admin for the mapreduce cluster
+ * i.e. member of mapreduce.cluster.administrators
+ * @return true, if user is an admin
+ */
+ boolean isMRAdmin(UserGroupInformation callerUGI) {
+ if (adminAcl.isUserAllowed(callerUGI)) {
+ return true;
+ }
+ return false;
+ }
+
+ /**
* If authorization is enabled, checks whether the user (in the callerUGI)
* is authorized to perform the operation specified by 'jobOperation' on
* the job by checking if the user is jobOwner or part of job ACL for the
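Review bot: The new `isMRAdmin` Javadoc has no `@param` for `callerUGI`, and the method does not say what happens with a null caller. Add `@param callerUGI the caller whose membership in mapreduce.cluster.administrators is tested`. The `if (...) return true; return false;` body can be written as `return adminAcl.isUserAllowed(callerUGI);`. The Javadoc that begins on the last lines of this hunk belongs to the following method and continues outside the hunk.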
@@ -89,13 +106,18 @@ public class JobACLsManager {
public boolean checkAccess(UserGroupInformation callerUGI,
JobACL jobOperation, String jobOwner, AccessControlList jobACL) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("checkAccess job acls, jobOwner: " + jobOwner + " jobacl: "
+ + jobOperation.toString() + " user: " + callerUGI.getShortUserName());
+ }
String user = callerUGI.getShortUserName();
if (!areACLsEnabled()) {
return true;
}
// Allow Job-owner for any operation on the job
- if (user.equals(jobOwner)
+ if (isMRAdmin(callerUGI)
+ || user.equals(jobOwner)
|| jobACL.isUserAllowed(callerUGI)) {
return true;
}
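Review bot: The comment `// Allow Job-owner for any operation on the job` above the condition is now stale, because `isMRAdmin(callerUGI)` grants every operation on every job before the owner or job ACL is consulted; it should read `// Allow cluster admins and the job owner any operation on the job`. In the added debug statement the label `" jobacl: "` prints `jobOperation`, not the ACL, so `" operation: "` would be accurate, and `callerUGI.getShortUserName()` is evaluated there one line before `user` is assigned, so moving `String user = ...` above the log call lets the message reuse it. Since the admin path bypasses the per-job ACL, it is worth considering a log line above debug level when access is granted by the admin ACL alone, so privileged access to other users' jobs can be audited. The method body continues outside the hunk.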
Modified: hadoop/common/branches/branch-0.23.2/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/HistoryClientService.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.23.2/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/HistoryClientService.java?rev=1295264&r1=1295263&r2=1295264&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.23.2/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/HistoryClientService.java (original)
+++ hadoop/common/branches/branch-0.23.2/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/HistoryClientService.java Wed Feb 29 20:50:04 2012
@@ -192,7 +192,6 @@ public class HistoryClientService extend
throw RPCUtil.getRemoteException("Unknown job " + jobID);
}
JobACL operation = JobACL.VIEW_JOB;
- //TODO disable check access for now.
checkAccess(job, operation);
return job;
}
@@ -324,9 +323,7 @@ public class HistoryClientService extend
private void checkAccess(Job job, JobACL jobOperation)
throws YarnRemoteException {
- if (!UserGroupInformation.isSecurityEnabled()) {
- return;
- }
+
UserGroupInformation callerUGI;
try {
callerUGI = UserGroupInformation.getCurrentUser();
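Review bot: With the `isSecurityEnabled()` early return removed, `checkAccess` now runs on non-secure deployments as well, and nothing in the method says what the check is worth there. In that mode the identity returned by `UserGroupInformation.getCurrentUser()` is presumably not strongly authenticated, so a comment such as `// ACLs are checked even without Kerberos; the caller identity is then only as trustworthy as the RPC layer makes it` would keep readers from treating the check as a hard boundary. The blank line added at the top of the body can be dropped. The method body continues outside the hunk.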
Modified: hadoop/common/branches/branch-0.23.2/hadoop-mapreduce-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.23.2/hadoop-mapreduce-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java?rev=1295264&r1=1295263&r2=1295264&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.23.2/hadoop-mapreduce-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java (original)
+++ hadoop/common/branches/branch-0.23.2/hadoop-mapreduce-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java Wed Feb 29 20:50:04 2012
@@ -140,7 +140,7 @@ public class YarnConfiguration extends C
/** Are acls enabled.*/
public static final String YARN_ACL_ENABLE =
YARN_PREFIX + "acl.enable";
- public static final boolean DEFAULT_YARN_ACL_ENABLE = true;
+ public static final boolean DEFAULT_YARN_ACL_ENABLE = false;
/** ACL of who can be admin of YARN cluster.*/
public static final String YARN_ADMIN_ACL =
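Review bot: Changing `DEFAULT_YARN_ACL_ENABLE` to `false` makes the out-of-the-box behaviour fail-open: any cluster that does not set `yarn.acl.enable` explicitly stops enforcing ACLs after picking up this revision. The Javadoc `/** Are acls enabled.*/` should state the default and the consequence, for example `/** Are acls enabled. Defaults to false; set yarn.acl.enable=true to enforce ACLs. */`. The CHANGES.txt entry visible in this commit mentions only the admin-user feature, so the default flip deserves its own line there so that operators upgrading can set the key deliberately.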
Modified: hadoop/common/branches/branch-0.23.2/hadoop-mapreduce-project/hadoop-yarn/hadoop-yarn-site/src/site/apt/ClusterSetup.apt.vm
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.23.2/hadoop-mapreduce-project/hadoop-yarn/hadoop-yarn-site/src/site/apt/ClusterSetup.apt.vm?rev=1295264&r1=1295263&r2=1295264&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.23.2/hadoop-mapreduce-project/hadoop-yarn/hadoop-yarn-site/src/site/apt/ClusterSetup.apt.vm (original)
+++ hadoop/common/branches/branch-0.23.2/hadoop-mapreduce-project/hadoop-yarn/hadoop-yarn-site/src/site/apt/ClusterSetup.apt.vm Wed Feb 29 20:50:04 2012
@@ -185,7 +185,7 @@ Hadoop MapReduce Next Generation - Clust
*-------------------------+-------------------------+------------------------+
| <<<yarn.acl.enable>>> | | |
| | <<<true>>> / <<<false>>> | |
-| | | Enable ACLs? Defaults to <true>. |
+| | | Enable ACLs? Defaults to <false>. |
*-------------------------+-------------------------+------------------------+
| <<<yarn.admin.acl>>> | | |
| | Admin ACL | |