Posted to common-commits@hadoop.apache.org by om...@apache.org on 2011/03/04 05:05:39 UTC
svn commit: r1077345 - in
/hadoop/common/branches/branch-0.20-security-patches: conf/
src/mapred/org/apache/hadoop/mapred/ src/test/org/apache/hadoop/mapred/
Author: omalley
Date: Fri Mar 4 04:05:39 2011
New Revision: 1077345
URL: http://svn.apache.org/viewvc?rev=1077345&view=rev
Log:
commit 93fe6fe9df849d91d47606e4a5b3546a1641ae37
Author: Vinod Kumar <vi...@yahoo-inc.com>
Date: Fri Mar 19 22:58:21 2010 +0530
MAPREDUCE-1611 from https://issues.apache.org/jira/secure/attachment/12439295/MAPREDUCE-1611-20100319-ydist.txt.
+++ b/YAHOO-CHANGES.txt
+ MAPREDUCE-1611. Refresh nodes and refresh queues doesnt work with
+ service authorization enabled. (Amar Kamat via vinodkv)
+
Added:
hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/mapred/TestAdminOperationsProtocolWithServiceAuthorization.java
Modified:
hadoop/common/branches/branch-0.20-security-patches/conf/hadoop-policy.xml.template
hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/MapReducePolicyProvider.java
Modified: hadoop/common/branches/branch-0.20-security-patches/conf/hadoop-policy.xml.template
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/conf/hadoop-policy.xml.template?rev=1077345&r1=1077344&r2=1077345&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/conf/hadoop-policy.xml.template (original)
+++ hadoop/common/branches/branch-0.20-security-patches/conf/hadoop-policy.xml.template Fri Mar 4 04:05:39 2011
@@ -94,4 +94,13 @@
A special value of "*" means all users are allowed.</description>
</property>
+ <property>
+ <name>security.admin.operations.protocol.acl</name>
+ <value>*</value>
+ <description>ACL for AdminOperationsProtocol, used by the mradmins commands
+ to refresh queues and nodes at JobTracker. The ACL is a comma-separated list of
+ user and group names. The user and group list is separated by a blank.
+ For e.g. "alice,bob users,wheel". A special value of "*" means all users are
+ allowed.</description>
+ </property>
</configuration>
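Review bot: The new `security.admin.operations.protocol.acl` property ships with `<value>*</value>`, so every user passes the service-level check for the refresh-queues and refresh-nodes operations, and the description does not say this is an administrative protocol that operators will normally want to narrow. The preceding entry in the context lines uses the same "*" wording, so the default is consistent with the template. Whether the JobTracker applies a further administrator check behind this ACL is not visible in this hunk. I would add a sentence to the description such as `Restrict this to the users and groups that administer the cluster.` Separately, "mradmins commands" in the description should read "mradmin commands".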
Modified: hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/MapReducePolicyProvider.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/MapReducePolicyProvider.java?rev=1077345&r1=1077344&r2=1077345&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/MapReducePolicyProvider.java (original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/mapred/org/apache/hadoop/mapred/MapReducePolicyProvider.java Fri Mar 4 04:05:39 2011
@@ -38,6 +38,8 @@ public class MapReducePolicyProvider ext
RefreshAuthorizationPolicyProtocol.class),
new Service("security.refresh.usertogroups.mappings.protocol.acl",
RefreshUserToGroupMappingsProtocol.class),
+ new Service("security.admin.operations.protocol.acl",
+ AdminOperationsProtocol.class),
};
@Override
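Review bot: The added `new Service("security.admin.operations.protocol.acl", AdminOperationsProtocol.class)` entry has no comment explaining why it must be in this array. Going by the commit title, a protocol missing from the array appears to be rejected once service authorization is enabled, which is an easy omission to repeat. A comment above the array would help, for example `// Every protocol served by the MapReduce daemons needs an entry here; unlisted protocols fail when hadoop.security.authorization is true.`, with the wording confirmed against ServiceAuthorizationManager. The key is also a bare string literal that has to match the property name in conf/hadoop-policy.xml.template exactly, so that dependency deserves a mention too. The array initializer starts above this hunk, so the existing entries are only partly visible.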
Added: hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/mapred/TestAdminOperationsProtocolWithServiceAuthorization.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/mapred/TestAdminOperationsProtocolWithServiceAuthorization.java?rev=1077345&view=auto
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/mapred/TestAdminOperationsProtocolWithServiceAuthorization.java (added)
+++ hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/mapred/TestAdminOperationsProtocolWithServiceAuthorization.java Fri Mar 4 04:05:39 2011
@@ -0,0 +1,57 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.mapred;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.mapred.tools.MRAdmin;
+import org.apache.hadoop.security.authorize.PolicyProvider;
+import org.apache.hadoop.security.authorize.ServiceAuthorizationManager;
+
+import junit.framework.TestCase;
+
+/**
+ * Test case to check if {@link AdminOperationsProtocol#refreshNodes()} and
+ * {@link AdminOperationsProtocol#refreshQueueAcls()} works with service-level
+ * authorization enabled i.e 'hadoop.security.authorization' set to true.
+ */
+public class TestAdminOperationsProtocolWithServiceAuthorization
+extends TestCase {
+ public void testServiceLevelAuthorization() throws Exception {
+ MiniMRCluster mr = null;
+ try {
+ // Turn on service-level authorization
+ final JobConf conf = new JobConf();
+ conf.setClass(PolicyProvider.POLICY_PROVIDER_CONFIG,
+ MapReducePolicyProvider.class, PolicyProvider.class);
+ conf.setBoolean(ServiceAuthorizationManager.SERVICE_AUTHORIZATION_CONFIG,
+ true);
+
+ // Start the mini mr cluster
+ mr = new MiniMRCluster(1, "file:///", 1, null, null, conf);
+
+ // Invoke MRAdmin commands
+ MRAdmin mrAdmin = new MRAdmin(mr.createJobConf());
+ assertEquals(0, mrAdmin.run(new String[] { "-refreshQueueAcls" }));
+ assertEquals(0, mrAdmin.run(new String[] { "-refreshNodes" }));
+ } finally {
+ if (mr != null) {
+ mr.shutdown();
+ }
+ }
+ }
+}
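Review bot: testServiceLevelAuthorization covers only the allow path. The test never sets `security.admin.operations.protocol.acl`, so presumably the permissive default applies, and both `mrAdmin.run(...)` calls would still return 0 if the new ACL were never consulted at all. A companion test should restrict the ACL to a user other than the one running the test and assert a failure, e.g. `assertTrue(mrAdmin.run(new String[] { "-refreshNodes" }) != 0);`, to pin the deny path. How a restricted policy is best supplied to MiniMRCluster (through the JobConf or a policy file) is not visible here and needs checking against ServiceAuthorizationManager.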