You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-commits@hadoop.apache.org by ar...@apache.org on 2015/06/20 23:25:29 UTC
[24/50] [abbrv] hadoop git commit: YARN-3804. Both RM are on standBy
state when kerberos user not in yarn.admin.acl. Contributed by Varun Saxena
YARN-3804. Both RM are on standBy state when kerberos user not in yarn.admin.acl. Contributed by Varun Saxena
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/a826d432
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/a826d432
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/a826d432
Branch: refs/heads/HDFS-7240
Commit: a826d432f9b45550cc5ab79ef63ca39b176dabb2
Parents: 2de586f
Author: Xuan <xg...@apache.org>
Authored: Wed Jun 17 16:23:27 2015 -0700
Committer: Xuan <xg...@apache.org>
Committed: Wed Jun 17 16:23:27 2015 -0700
----------------------------------------------------------------------
hadoop-yarn-project/CHANGES.txt | 3 ++
.../server/resourcemanager/AdminService.java | 19 +++++---
.../resourcemanager/TestRMAdminService.java | 49 +++++++++++++++++++-
3 files changed, 63 insertions(+), 8 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hadoop/blob/a826d432/hadoop-yarn-project/CHANGES.txt
----------------------------------------------------------------------
diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index afe76bd..243edb3 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -681,6 +681,9 @@ Release 2.7.1 - UNRELEASED
YARN-3764. CapacityScheduler should forbid moving LeafQueue from one parent
to another. (Wangda Tan via jianhe)
+ YARN-3804. Both RM are on standBy state when kerberos user not in yarn.admin.acl
+ (Varun Saxena via xgong)
+
Release 2.7.0 - 2015-04-20
INCOMPATIBLE CHANGES
http://git-wip-us.apache.org/repos/asf/hadoop/blob/a826d432/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/AdminService.java
----------------------------------------------------------------------
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/AdminService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/AdminService.java
index 1ee8b3b..e5bb6e5 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/AdminService.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/AdminService.java
@@ -112,6 +112,8 @@ public class AdminService extends CompositeService implements
private final RecordFactory recordFactory =
RecordFactoryProvider.getRecordFactory(null);
+ private UserGroupInformation daemonUser;
+
@VisibleForTesting
boolean isDistributedNodeLabelConfiguration = false;
@@ -138,10 +140,9 @@ public class AdminService extends CompositeService implements
YarnConfiguration.RM_ADMIN_ADDRESS,
YarnConfiguration.DEFAULT_RM_ADMIN_ADDRESS,
YarnConfiguration.DEFAULT_RM_ADMIN_PORT);
+ daemonUser = UserGroupInformation.getCurrentUser();
authorizer = YarnAuthorizationProvider.getInstance(conf);
- authorizer.setAdmins(new AccessControlList(conf.get(
- YarnConfiguration.YARN_ADMIN_ACL,
- YarnConfiguration.DEFAULT_YARN_ADMIN_ACL)), UserGroupInformation
+ authorizer.setAdmins(getAdminAclList(conf), UserGroupInformation
.getCurrentUser());
rmId = conf.get(YarnConfiguration.RM_HA_ID);
@@ -151,6 +152,14 @@ public class AdminService extends CompositeService implements
super.serviceInit(conf);
}
+ private AccessControlList getAdminAclList(Configuration conf) {
+ AccessControlList aclList = new AccessControlList(conf.get(
+ YarnConfiguration.YARN_ADMIN_ACL,
+ YarnConfiguration.DEFAULT_YARN_ADMIN_ACL));
+ aclList.addUser(daemonUser.getShortUserName());
+ return aclList;
+ }
+
@Override
protected void serviceStart() throws Exception {
startServer();
@@ -470,9 +479,7 @@ public class AdminService extends CompositeService implements
Configuration conf =
getConfiguration(new Configuration(false),
YarnConfiguration.YARN_SITE_CONFIGURATION_FILE);
- authorizer.setAdmins(new AccessControlList(conf.get(
- YarnConfiguration.YARN_ADMIN_ACL,
- YarnConfiguration.DEFAULT_YARN_ADMIN_ACL)), UserGroupInformation
+ authorizer.setAdmins(getAdminAclList(conf), UserGroupInformation
.getCurrentUser());
RMAuditLogger.logSuccess(user.getShortUserName(), argName,
"AdminService");
http://git-wip-us.apache.org/repos/asf/hadoop/blob/a826d432/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMAdminService.java
----------------------------------------------------------------------
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMAdminService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMAdminService.java
index fe0b8a8..0a05c91 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMAdminService.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMAdminService.java
@@ -38,12 +38,14 @@ import org.apache.hadoop.fs.Path;
import org.apache.hadoop.ha.HAServiceProtocol;
import org.apache.hadoop.ha.HAServiceProtocol.HAServiceState;
import org.apache.hadoop.ha.HAServiceProtocol.StateChangeRequestInfo;
+import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.GroupMappingServiceProvider;
import org.apache.hadoop.security.Groups;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AccessControlList;
import org.apache.hadoop.security.authorize.ProxyUsers;
import org.apache.hadoop.security.authorize.ServiceAuthorizationManager;
+import org.apache.hadoop.yarn.LocalConfigurationProvider;
import org.apache.hadoop.yarn.api.records.DecommissionType;
import org.apache.hadoop.yarn.api.records.NodeId;
import org.apache.hadoop.yarn.conf.HAUtil;
@@ -208,7 +210,8 @@ public class TestRMAdminService {
rm.adminService.getAccessControlList().getAclString().trim();
Assert.assertTrue(!aclStringAfter.equals(aclStringBefore));
- Assert.assertEquals(aclStringAfter, "world:anyone:rwcda");
+ Assert.assertEquals(aclStringAfter, "world:anyone:rwcda," +
+ UserGroupInformation.getCurrentUser().getShortUserName());
}
@Test
@@ -695,7 +698,8 @@ public class TestRMAdminService {
String aclStringAfter =
resourceManager.adminService.getAccessControlList()
.getAclString().trim();
- Assert.assertEquals(aclStringAfter, "world:anyone:rwcda");
+ Assert.assertEquals(aclStringAfter, "world:anyone:rwcda," +
+ UserGroupInformation.getCurrentUser().getShortUserName());
// validate values for queue configuration
CapacityScheduler cs =
@@ -761,6 +765,47 @@ public class TestRMAdminService {
}
}
+ /* For verifying fix for YARN-3804 */
+ @Test
+ public void testRefreshAclWithDaemonUser() throws Exception {
+ String daemonUser =
+ UserGroupInformation.getCurrentUser().getShortUserName();
+ configuration.set(YarnConfiguration.RM_CONFIGURATION_PROVIDER_CLASS,
+ "org.apache.hadoop.yarn.FileSystemBasedConfigurationProvider");
+
+ uploadDefaultConfiguration();
+ YarnConfiguration yarnConf = new YarnConfiguration();
+ yarnConf.set(YarnConfiguration.YARN_ADMIN_ACL, daemonUser + "xyz");
+ uploadConfiguration(yarnConf, "yarn-site.xml");
+
+ try {
+ rm = new MockRM(configuration);
+ rm.init(configuration);
+ rm.start();
+ } catch(Exception ex) {
+ fail("Should not get any exceptions");
+ }
+
+ assertEquals(daemonUser + "xyz," + daemonUser,
+ rm.adminService.getAccessControlList().getAclString().trim());
+
+ yarnConf = new YarnConfiguration();
+ yarnConf.set(YarnConfiguration.YARN_ADMIN_ACL, daemonUser + "abc");
+ uploadConfiguration(yarnConf, "yarn-site.xml");
+ try {
+ rm.adminService.refreshAdminAcls(RefreshAdminAclsRequest.newInstance());
+ } catch (YarnException e) {
+ if (e.getCause() != null &&
+ e.getCause() instanceof AccessControlException) {
+ fail("Refresh should not have failed due to incorrect ACL");
+ }
+ throw e;
+ }
+
+ assertEquals(daemonUser + "abc," + daemonUser,
+ rm.adminService.getAccessControlList().getAclString().trim());
+ }
+
@Test
public void testModifyLabelsOnNodesWithDistributedConfigurationDisabled()
throws IOException, YarnException {