YARN-3804. Both RM are on standBy state when kerberos user not in yarn.admin.acl. Contributed by Varun Saxena

(cherry picked from commit a826d432f9)
This commit is contained in:
Xuan 2015-06-17 16:23:27 -07:00
parent 1270cb47e1
commit 16d2412a25
3 changed files with 63 additions and 8 deletions

View File

@ -637,6 +637,9 @@ Release 2.7.1 - UNRELEASED
YARN-3764. CapacityScheduler should forbid moving LeafQueue from one parent YARN-3764. CapacityScheduler should forbid moving LeafQueue from one parent
to another. (Wangda Tan via jianhe) to another. (Wangda Tan via jianhe)
YARN-3804. Both RM are on standBy state when kerberos user not in yarn.admin.acl
(Varun Saxena via xgong)
Release 2.7.0 - 2015-04-20 Release 2.7.0 - 2015-04-20
INCOMPATIBLE CHANGES INCOMPATIBLE CHANGES

View File

@ -112,6 +112,8 @@ public class AdminService extends CompositeService implements
private final RecordFactory recordFactory = private final RecordFactory recordFactory =
RecordFactoryProvider.getRecordFactory(null); RecordFactoryProvider.getRecordFactory(null);
private UserGroupInformation daemonUser;
@VisibleForTesting @VisibleForTesting
boolean isDistributedNodeLabelConfiguration = false; boolean isDistributedNodeLabelConfiguration = false;
@ -138,10 +140,9 @@ public class AdminService extends CompositeService implements
YarnConfiguration.RM_ADMIN_ADDRESS, YarnConfiguration.RM_ADMIN_ADDRESS,
YarnConfiguration.DEFAULT_RM_ADMIN_ADDRESS, YarnConfiguration.DEFAULT_RM_ADMIN_ADDRESS,
YarnConfiguration.DEFAULT_RM_ADMIN_PORT); YarnConfiguration.DEFAULT_RM_ADMIN_PORT);
daemonUser = UserGroupInformation.getCurrentUser();
authorizer = YarnAuthorizationProvider.getInstance(conf); authorizer = YarnAuthorizationProvider.getInstance(conf);
authorizer.setAdmins(new AccessControlList(conf.get( authorizer.setAdmins(getAdminAclList(conf), UserGroupInformation
YarnConfiguration.YARN_ADMIN_ACL,
YarnConfiguration.DEFAULT_YARN_ADMIN_ACL)), UserGroupInformation
.getCurrentUser()); .getCurrentUser());
rmId = conf.get(YarnConfiguration.RM_HA_ID); rmId = conf.get(YarnConfiguration.RM_HA_ID);
@ -151,6 +152,14 @@ public class AdminService extends CompositeService implements
super.serviceInit(conf); super.serviceInit(conf);
} }
private AccessControlList getAdminAclList(Configuration conf) {
AccessControlList aclList = new AccessControlList(conf.get(
YarnConfiguration.YARN_ADMIN_ACL,
YarnConfiguration.DEFAULT_YARN_ADMIN_ACL));
aclList.addUser(daemonUser.getShortUserName());
return aclList;
}
@Override @Override
protected void serviceStart() throws Exception { protected void serviceStart() throws Exception {
startServer(); startServer();
@ -470,9 +479,7 @@ public class AdminService extends CompositeService implements
Configuration conf = Configuration conf =
getConfiguration(new Configuration(false), getConfiguration(new Configuration(false),
YarnConfiguration.YARN_SITE_CONFIGURATION_FILE); YarnConfiguration.YARN_SITE_CONFIGURATION_FILE);
authorizer.setAdmins(new AccessControlList(conf.get( authorizer.setAdmins(getAdminAclList(conf), UserGroupInformation
YarnConfiguration.YARN_ADMIN_ACL,
YarnConfiguration.DEFAULT_YARN_ADMIN_ACL)), UserGroupInformation
.getCurrentUser()); .getCurrentUser());
RMAuditLogger.logSuccess(user.getShortUserName(), argName, RMAuditLogger.logSuccess(user.getShortUserName(), argName,
"AdminService"); "AdminService");

View File

@ -38,12 +38,14 @@ import org.apache.hadoop.fs.Path;
import org.apache.hadoop.ha.HAServiceProtocol; import org.apache.hadoop.ha.HAServiceProtocol;
import org.apache.hadoop.ha.HAServiceProtocol.HAServiceState; import org.apache.hadoop.ha.HAServiceProtocol.HAServiceState;
import org.apache.hadoop.ha.HAServiceProtocol.StateChangeRequestInfo; import org.apache.hadoop.ha.HAServiceProtocol.StateChangeRequestInfo;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.GroupMappingServiceProvider; import org.apache.hadoop.security.GroupMappingServiceProvider;
import org.apache.hadoop.security.Groups; import org.apache.hadoop.security.Groups;
import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AccessControlList; import org.apache.hadoop.security.authorize.AccessControlList;
import org.apache.hadoop.security.authorize.ProxyUsers; import org.apache.hadoop.security.authorize.ProxyUsers;
import org.apache.hadoop.security.authorize.ServiceAuthorizationManager; import org.apache.hadoop.security.authorize.ServiceAuthorizationManager;
import org.apache.hadoop.yarn.LocalConfigurationProvider;
import org.apache.hadoop.yarn.api.records.DecommissionType; import org.apache.hadoop.yarn.api.records.DecommissionType;
import org.apache.hadoop.yarn.api.records.NodeId; import org.apache.hadoop.yarn.api.records.NodeId;
import org.apache.hadoop.yarn.conf.HAUtil; import org.apache.hadoop.yarn.conf.HAUtil;
@ -208,7 +210,8 @@ public class TestRMAdminService {
rm.adminService.getAccessControlList().getAclString().trim(); rm.adminService.getAccessControlList().getAclString().trim();
Assert.assertTrue(!aclStringAfter.equals(aclStringBefore)); Assert.assertTrue(!aclStringAfter.equals(aclStringBefore));
Assert.assertEquals(aclStringAfter, "world:anyone:rwcda"); Assert.assertEquals(aclStringAfter, "world:anyone:rwcda," +
UserGroupInformation.getCurrentUser().getShortUserName());
} }
@Test @Test
@ -695,7 +698,8 @@ public class TestRMAdminService {
String aclStringAfter = String aclStringAfter =
resourceManager.adminService.getAccessControlList() resourceManager.adminService.getAccessControlList()
.getAclString().trim(); .getAclString().trim();
Assert.assertEquals(aclStringAfter, "world:anyone:rwcda"); Assert.assertEquals(aclStringAfter, "world:anyone:rwcda," +
UserGroupInformation.getCurrentUser().getShortUserName());
// validate values for queue configuration // validate values for queue configuration
CapacityScheduler cs = CapacityScheduler cs =
@ -761,6 +765,47 @@ public class TestRMAdminService {
} }
} }
/* For verifying fix for YARN-3804 */
@Test
public void testRefreshAclWithDaemonUser() throws Exception {
String daemonUser =
UserGroupInformation.getCurrentUser().getShortUserName();
configuration.set(YarnConfiguration.RM_CONFIGURATION_PROVIDER_CLASS,
"org.apache.hadoop.yarn.FileSystemBasedConfigurationProvider");
uploadDefaultConfiguration();
YarnConfiguration yarnConf = new YarnConfiguration();
yarnConf.set(YarnConfiguration.YARN_ADMIN_ACL, daemonUser + "xyz");
uploadConfiguration(yarnConf, "yarn-site.xml");
try {
rm = new MockRM(configuration);
rm.init(configuration);
rm.start();
} catch(Exception ex) {
fail("Should not get any exceptions");
}
assertEquals(daemonUser + "xyz," + daemonUser,
rm.adminService.getAccessControlList().getAclString().trim());
yarnConf = new YarnConfiguration();
yarnConf.set(YarnConfiguration.YARN_ADMIN_ACL, daemonUser + "abc");
uploadConfiguration(yarnConf, "yarn-site.xml");
try {
rm.adminService.refreshAdminAcls(RefreshAdminAclsRequest.newInstance());
} catch (YarnException e) {
if (e.getCause() != null &&
e.getCause() instanceof AccessControlException) {
fail("Refresh should not have failed due to incorrect ACL");
}
throw e;
}
assertEquals(daemonUser + "abc," + daemonUser,
rm.adminService.getAccessControlList().getAclString().trim());
}
@Test @Test
public void testModifyLabelsOnNodesWithDistributedConfigurationDisabled() public void testModifyLabelsOnNodesWithDistributedConfigurationDisabled()
throws IOException, YarnException { throws IOException, YarnException {