YARN-7006. [ATSv2 Security] Changes for authentication for CollectorNodemanagerProtocol. Contributed by Varun Saxena

Jian He 2017-08-16 11:01:06 -07:00 committed by Varun Saxena
parent db2f7dd9bd
commit 55e5742394
5 changed files with 112 additions and 10 deletions


@ -72,13 +72,13 @@ public class NMCollectorService extends CompositeService implements
Configuration serverConf = new Configuration(conf); Configuration serverConf = new Configuration(conf);
// TODO Security settings.
YarnRPC rpc = YarnRPC.create(conf); YarnRPC rpc = YarnRPC.create(conf);
// Kerberos based authentication to be used for CollectorNodemanager
// protocol if security is enabled.
server = server =
rpc.getServer(CollectorNodemanagerProtocol.class, this, rpc.getServer(CollectorNodemanagerProtocol.class, this,
collectorServerAddress, serverConf, collectorServerAddress, serverConf, null,
this.context.getNMTokenSecretManager(),
conf.getInt(YarnConfiguration.NM_COLLECTOR_SERVICE_THREAD_COUNT, conf.getInt(YarnConfiguration.NM_COLLECTOR_SERVICE_THREAD_COUNT,
YarnConfiguration.DEFAULT_NM_COLLECTOR_SERVICE_THREAD_COUNT)); YarnConfiguration.DEFAULT_NM_COLLECTOR_SERVICE_THREAD_COUNT));
@ -93,7 +93,6 @@ public class NMCollectorService extends CompositeService implements
LOG.info("NMCollectorService started at " + collectorServerAddress); LOG.info("NMCollectorService started at " + collectorServerAddress);
} }
@Override @Override
public void serviceStop() throws Exception { public void serviceStop() throws Exception {
if (server != null) { if (server != null) {
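Review bot: The new comment above the getServer call says Kerberos is used when security is enabled, but the call also hands `this.context.getNMTokenSecretManager()` to the server as its secret manager, so a caller that presents a valid NMToken for this node is authenticated too; the comment should say so, e.g. `// With security enabled, callers authenticate via Kerberos or an NMToken (NM token secret manager); the handlers must still authorize the caller.` The `null` printed on the serverConf line looks like the old secret-manager argument being replaced, but the page has lost the old/new markers, so that is inferred. Authentication alone does not decide which application or collector an authenticated caller may report for; the protocol handler methods are outside this hunk, so I would confirm they check the caller's identity against the application they act on. The enclosing serviceStart method begins before this hunk.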


@ -244,7 +244,8 @@ public class AuxServices extends AbstractService
for (AuxiliaryService serv : serviceMap.values()) { for (AuxiliaryService serv : serviceMap.values()) {
try { try {
serv.initializeContainer(new ContainerInitializationContext( serv.initializeContainer(new ContainerInitializationContext(
event.getUser(), event.getContainer().getContainerId(), event.getContainer().getUser(),
event.getContainer().getContainerId(),
event.getContainer().getResource(), event.getContainer() event.getContainer().getResource(), event.getContainer()
.getContainerTokenIdentifier().getContainerType())); .getContainerTokenIdentifier().getContainerType()));
} catch (Throwable th) { } catch (Throwable th) {


@ -19,6 +19,7 @@
package org.apache.hadoop.yarn.server.nodemanager.timelineservice; package org.apache.hadoop.yarn.server.nodemanager.timelineservice;
import java.io.IOException; import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap; import java.util.HashMap;
import java.util.Map; import java.util.Map;
import java.util.concurrent.ConcurrentHashMap; import java.util.concurrent.ConcurrentHashMap;
@ -26,6 +27,7 @@ import java.util.concurrent.ConcurrentHashMap;
import org.apache.commons.logging.Log; import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.service.CompositeService; import org.apache.hadoop.service.CompositeService;
import org.apache.hadoop.yarn.api.records.ApplicationId; import org.apache.hadoop.yarn.api.records.ApplicationId;
import org.apache.hadoop.yarn.api.records.ContainerId; import org.apache.hadoop.yarn.api.records.ContainerId;
@ -77,6 +79,8 @@ public class NMTimelinePublisher extends CompositeService {
private String httpAddress; private String httpAddress;
private UserGroupInformation nmLoginUGI;
private final Map<ApplicationId, TimelineV2Client> appToClientMap; private final Map<ApplicationId, TimelineV2Client> appToClientMap;
public NMTimelinePublisher(Context context) { public NMTimelinePublisher(Context context) {
@ -91,6 +95,9 @@ public class NMTimelinePublisher extends CompositeService {
dispatcher.register(NMTimelineEventType.class, dispatcher.register(NMTimelineEventType.class,
new ForwardingEventHandler()); new ForwardingEventHandler());
addIfService(dispatcher); addIfService(dispatcher);
this.nmLoginUGI = UserGroupInformation.isSecurityEnabled() ?
UserGroupInformation.getLoginUser() :
UserGroupInformation.getCurrentUser();
super.serviceInit(conf); super.serviceInit(conf);
} }
@ -398,11 +405,23 @@ public class NMTimelinePublisher extends CompositeService {
public void createTimelineClient(ApplicationId appId) { public void createTimelineClient(ApplicationId appId) {
if (!appToClientMap.containsKey(appId)) { if (!appToClientMap.containsKey(appId)) {
try {
TimelineV2Client timelineClient =
nmLoginUGI.doAs(new PrivilegedExceptionAction<TimelineV2Client>() {
@Override
public TimelineV2Client run() throws Exception {
TimelineV2Client timelineClient = TimelineV2Client timelineClient =
TimelineV2Client.createTimelineClient(appId); TimelineV2Client.createTimelineClient(appId);
timelineClient.init(getConfig()); timelineClient.init(getConfig());
timelineClient.start(); timelineClient.start();
return timelineClient;
}
});
appToClientMap.put(appId, timelineClient); appToClientMap.put(appId, timelineClient);
} catch (IOException | InterruptedException | RuntimeException |
Error e) {
LOG.warn("Unable to create timeline client for app " + appId, e);
}
} }
} }
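Review bot: The multi-catch in createTimelineClient catches `InterruptedException` without restoring the interrupt flag and also catches `Error`, which turns JVM-fatal conditions such as an OutOfMemoryError into a single warning line. I would add `Thread.currentThread().interrupt();` inside the handler and drop `Error` from the catch list so that such failures propagate, keeping the warning for the IOException and RuntimeException cases. Running init/start under `nmLoginUGI.doAs` also widens the window between the `containsKey(appId)` check and the `put`; if appToClientMap is the ConcurrentHashMap imported at the top of the file, two concurrent callers for the same appId could each start a client and the later `put` would silently replace a started one — `putIfAbsent` followed by stopping the losing client would close that, though whether concurrent calls occur is not visible here.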


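--- /dev/null
+++ b/org/apache/hadoop/yarn/server/timelineservice/security/CollectorNodemanagerSecurityInfo.java
@@ -0,0 +1,69 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.yarn.server.timelineservice.security;
+import java.lang.annotation.Annotation;
+import org.apache.hadoop.classification.InterfaceAudience.Public;
+import org.apache.hadoop.classification.InterfaceStability.Evolving;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.KerberosInfo;
+import org.apache.hadoop.security.SecurityInfo;
+import org.apache.hadoop.security.token.TokenInfo;
+import org.apache.hadoop.yarn.conf.YarnConfiguration;
+import org.apache.hadoop.yarn.server.api.CollectorNodemanagerProtocolPB;
+/**
+ * SecurityInfo implementation for CollectorNodemanager protocol.
+ */
+@Public
+@Evolving
+public class CollectorNodemanagerSecurityInfo extends SecurityInfo {
+@Override
+public KerberosInfo getKerberosInfo(Class<?> protocol, Configuration conf) {
+if (!protocol
+.equals(CollectorNodemanagerProtocolPB.class)) {
+return null;
+}
+return new KerberosInfo() {
+@Override
+public Class<? extends Annotation> annotationType() {
+return null;
+}
+@Override
+public String serverPrincipal() {
+return YarnConfiguration.NM_PRINCIPAL;
+}
+@Override
+public String clientPrincipal() {
+return null;
+}
+};
+}
+@Override
+public TokenInfo getTokenInfo(Class<?> protocol, Configuration conf) {
+return null;
+}
+}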
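Review bot: The class Javadoc should state what this SecurityInfo actually establishes: `clientPrincipal()` returns null, so any Kerberos principal that can authenticate to the NM is accepted on CollectorNodemanagerProtocolPB, and `getTokenInfo` returns null, so clients never select a token for this protocol; a line such as `* Kerberos-only; any authenticated principal may connect, so per-caller authorization must be done by the protocol implementation.` would make that explicit for the next reader. `annotationType()` returning null does not satisfy the Annotation contract, and although the same shape is used by other SecurityInfo implementations in Hadoop, a comment at that return, `// Never introspected by the RPC layer; kept consistent with other SecurityInfo impls`, would stop it being read as a bug. The `protocol.equals(...)` guard would throw on a null protocol argument rather than return null; whether the caller can pass null is not visible from this file.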


@ -0,0 +1,14 @@
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
org.apache.hadoop.yarn.server.timelineservice.security.CollectorNodemanagerSecurityInfo