YARN-1573. ZK store should use a private password for root-node-acls. (kasha)
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1560594 13f79535-47bb-0310-9956-ffa450edef68
parent
122be11c14
commit
482993ac53
|
@ -237,6 +237,9 @@ Release 2.4.0 - UNRELEASED
|
|||
YARN-1623. Include queue name in RegisterApplicationMasterResponse (Sandy
|
||||
Ryza)
|
||||
|
||||
YARN-1573. ZK store should use a private password for root-node-acls.
|
||||
(kasha).
|
||||
|
||||
OPTIMIZATIONS
|
||||
|
||||
BUG FIXES
|
||||
|
|
|
@ -357,7 +357,7 @@
|
|||
|
||||
By default, when this property is not set, we use the ACLs from
|
||||
yarn.resourcemanager.zk-acl for shared admin access and
|
||||
rm-address:cluster-timestamp for username-based exclusive create-delete
|
||||
rm-address:random-number for username-based exclusive create-delete
|
||||
access.
|
||||
|
||||
This property allows users to set ACLs of their choice instead of using
|
||||
|
|
|
@ -24,6 +24,7 @@ import java.io.DataInputStream;
|
|||
import java.io.DataOutputStream;
|
||||
import java.io.IOException;
|
||||
import java.security.NoSuchAlgorithmException;
|
||||
import java.security.SecureRandom;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Collections;
|
||||
import java.util.List;
|
||||
|
@ -47,7 +48,6 @@ import org.apache.hadoop.yarn.proto.YarnServerResourceManagerServiceProtos.Appli
|
|||
import org.apache.hadoop.yarn.proto.YarnServerResourceManagerServiceProtos.ApplicationStateDataProto;
|
||||
import org.apache.hadoop.yarn.proto.YarnServerResourceManagerServiceProtos.RMStateVersionProto;
|
||||
import org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier;
|
||||
import org.apache.hadoop.yarn.server.resourcemanager.ResourceManager;
|
||||
import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.RMStateVersion;
|
||||
import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.impl.pb.ApplicationAttemptStateDataPBImpl;
|
||||
import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.impl.pb.ApplicationStateDataPBImpl;
|
||||
|
@ -74,6 +74,7 @@ import com.google.common.annotations.VisibleForTesting;
|
|||
public class ZKRMStateStore extends RMStateStore {
|
||||
|
||||
public static final Log LOG = LogFactory.getLog(ZKRMStateStore.class);
|
||||
private final SecureRandom random = new SecureRandom();
|
||||
|
||||
protected static final String ROOT_ZNODE_NAME = "ZKRMStateRoot";
|
||||
protected static final RMStateVersion CURRENT_VERSION_INFO = RMStateVersion
|
||||
|
@ -136,6 +137,8 @@ public class ZKRMStateStore extends RMStateStore {
|
|||
private String fencingNodePath;
|
||||
private Op createFencingNodePathOp;
|
||||
private Op deleteFencingNodePathOp;
|
||||
private String zkRootNodeUsername;
|
||||
private final String zkRootNodePassword = Long.toString(random.nextLong());
|
||||
|
||||
@VisibleForTesting
|
||||
List<ACL> zkRootNodeAcl;
|
||||
|
@ -145,9 +148,6 @@ public class ZKRMStateStore extends RMStateStore {
|
|||
private final String zkRootNodeAuthScheme =
|
||||
new DigestAuthenticationProvider().getScheme();
|
||||
|
||||
private String zkRootNodeUsername;
|
||||
private String zkRootNodePassword;
|
||||
|
||||
/**
|
||||
* Given the {@link Configuration} and {@link ACL}s used (zkAcl) for
|
||||
* ZooKeeper access, construct the {@link ACL}s for the store's root node.
|
||||
|
@ -172,7 +172,6 @@ public class ZKRMStateStore extends RMStateStore {
|
|||
zkRootNodeUsername = HAUtil.getConfValueForRMInstance(
|
||||
YarnConfiguration.RM_ADDRESS,
|
||||
YarnConfiguration.DEFAULT_RM_ADDRESS, conf);
|
||||
zkRootNodePassword = Long.toString(ResourceManager.getClusterTimeStamp());
|
||||
Id rmId = new Id(zkRootNodeAuthScheme,
|
||||
DigestAuthenticationProvider.generateDigest(
|
||||
zkRootNodeUsername + ":" + zkRootNodePassword));
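Review bot: The new initializer `private final String zkRootNodePassword = Long.toString(random.nextLong());` in the field hunk (-136,6 +137,8) caps the secret at 64 bits, and the last hunk's context shows it going through `DigestAuthenticationProvider.generateDigest(zkRootNodeUsername + ":" + zkRootNodePassword)` into the root-node ACL id, next to a username read from configuration. If other ZooKeeper clients can read that ACL digest (not visible here, worth confirming for the deployed ZooKeeper version), the password is the only unknown in an offline guess, so a wider value costs nothing: `private final String zkRootNodePassword = new BigInteger(128, random).toString(32);` with `import java.math.BigInteger;`. A short comment on the field, such as `// Per-instance secret for the root-node fencing ACL; never log or persist it.`, would also record why it must not revert to a predictable value like the cluster timestamp. The method that builds the ACL starts and ends outside the visible hunks.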
|
||||
|
|