YARN-7006. [ATSv2 Security] Changes for authentication for CollectorNodemanagerProtocol. Contributed by Varun Saxena
This commit is contained in:
parent
db2f7dd9bd
commit
55e5742394
|
@ -72,13 +72,13 @@ public class NMCollectorService extends CompositeService implements
|
||||||
|
|
||||||
Configuration serverConf = new Configuration(conf);
|
Configuration serverConf = new Configuration(conf);
|
||||||
|
|
||||||
// TODO Security settings.
|
|
||||||
YarnRPC rpc = YarnRPC.create(conf);
|
YarnRPC rpc = YarnRPC.create(conf);
|
||||||
|
|
||||||
|
// Kerberos based authentication to be used for CollectorNodemanager
|
||||||
|
// protocol if security is enabled.
|
||||||
server =
|
server =
|
||||||
rpc.getServer(CollectorNodemanagerProtocol.class, this,
|
rpc.getServer(CollectorNodemanagerProtocol.class, this,
|
||||||
collectorServerAddress, serverConf,
|
collectorServerAddress, serverConf, null,
|
||||||
this.context.getNMTokenSecretManager(),
|
|
||||||
conf.getInt(YarnConfiguration.NM_COLLECTOR_SERVICE_THREAD_COUNT,
|
conf.getInt(YarnConfiguration.NM_COLLECTOR_SERVICE_THREAD_COUNT,
|
||||||
YarnConfiguration.DEFAULT_NM_COLLECTOR_SERVICE_THREAD_COUNT));
|
YarnConfiguration.DEFAULT_NM_COLLECTOR_SERVICE_THREAD_COUNT));
|
||||||
|
|
||||||
|
@ -93,7 +93,6 @@ public class NMCollectorService extends CompositeService implements
|
||||||
LOG.info("NMCollectorService started at " + collectorServerAddress);
|
LOG.info("NMCollectorService started at " + collectorServerAddress);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void serviceStop() throws Exception {
|
public void serviceStop() throws Exception {
|
||||||
if (server != null) {
|
if (server != null) {
|
||||||
|
|
|
@ -244,7 +244,8 @@ public class AuxServices extends AbstractService
|
||||||
for (AuxiliaryService serv : serviceMap.values()) {
|
for (AuxiliaryService serv : serviceMap.values()) {
|
||||||
try {
|
try {
|
||||||
serv.initializeContainer(new ContainerInitializationContext(
|
serv.initializeContainer(new ContainerInitializationContext(
|
||||||
event.getUser(), event.getContainer().getContainerId(),
|
event.getContainer().getUser(),
|
||||||
|
event.getContainer().getContainerId(),
|
||||||
event.getContainer().getResource(), event.getContainer()
|
event.getContainer().getResource(), event.getContainer()
|
||||||
.getContainerTokenIdentifier().getContainerType()));
|
.getContainerTokenIdentifier().getContainerType()));
|
||||||
} catch (Throwable th) {
|
} catch (Throwable th) {
|
||||||
|
|
|
@ -19,6 +19,7 @@
|
||||||
package org.apache.hadoop.yarn.server.nodemanager.timelineservice;
|
package org.apache.hadoop.yarn.server.nodemanager.timelineservice;
|
||||||
|
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
|
import java.security.PrivilegedExceptionAction;
|
||||||
import java.util.HashMap;
|
import java.util.HashMap;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
import java.util.concurrent.ConcurrentHashMap;
|
import java.util.concurrent.ConcurrentHashMap;
|
||||||
|
@ -26,6 +27,7 @@ import java.util.concurrent.ConcurrentHashMap;
|
||||||
import org.apache.commons.logging.Log;
|
import org.apache.commons.logging.Log;
|
||||||
import org.apache.commons.logging.LogFactory;
|
import org.apache.commons.logging.LogFactory;
|
||||||
import org.apache.hadoop.conf.Configuration;
|
import org.apache.hadoop.conf.Configuration;
|
||||||
|
import org.apache.hadoop.security.UserGroupInformation;
|
||||||
import org.apache.hadoop.service.CompositeService;
|
import org.apache.hadoop.service.CompositeService;
|
||||||
import org.apache.hadoop.yarn.api.records.ApplicationId;
|
import org.apache.hadoop.yarn.api.records.ApplicationId;
|
||||||
import org.apache.hadoop.yarn.api.records.ContainerId;
|
import org.apache.hadoop.yarn.api.records.ContainerId;
|
||||||
|
@ -77,6 +79,8 @@ public class NMTimelinePublisher extends CompositeService {
|
||||||
|
|
||||||
private String httpAddress;
|
private String httpAddress;
|
||||||
|
|
||||||
|
private UserGroupInformation nmLoginUGI;
|
||||||
|
|
||||||
private final Map<ApplicationId, TimelineV2Client> appToClientMap;
|
private final Map<ApplicationId, TimelineV2Client> appToClientMap;
|
||||||
|
|
||||||
public NMTimelinePublisher(Context context) {
|
public NMTimelinePublisher(Context context) {
|
||||||
|
@ -91,6 +95,9 @@ public class NMTimelinePublisher extends CompositeService {
|
||||||
dispatcher.register(NMTimelineEventType.class,
|
dispatcher.register(NMTimelineEventType.class,
|
||||||
new ForwardingEventHandler());
|
new ForwardingEventHandler());
|
||||||
addIfService(dispatcher);
|
addIfService(dispatcher);
|
||||||
|
this.nmLoginUGI = UserGroupInformation.isSecurityEnabled() ?
|
||||||
|
UserGroupInformation.getLoginUser() :
|
||||||
|
UserGroupInformation.getCurrentUser();
|
||||||
super.serviceInit(conf);
|
super.serviceInit(conf);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -398,11 +405,23 @@ public class NMTimelinePublisher extends CompositeService {
|
||||||
|
|
||||||
public void createTimelineClient(ApplicationId appId) {
|
public void createTimelineClient(ApplicationId appId) {
|
||||||
if (!appToClientMap.containsKey(appId)) {
|
if (!appToClientMap.containsKey(appId)) {
|
||||||
|
try {
|
||||||
|
TimelineV2Client timelineClient =
|
||||||
|
nmLoginUGI.doAs(new PrivilegedExceptionAction<TimelineV2Client>() {
|
||||||
|
@Override
|
||||||
|
public TimelineV2Client run() throws Exception {
|
||||||
TimelineV2Client timelineClient =
|
TimelineV2Client timelineClient =
|
||||||
TimelineV2Client.createTimelineClient(appId);
|
TimelineV2Client.createTimelineClient(appId);
|
||||||
timelineClient.init(getConfig());
|
timelineClient.init(getConfig());
|
||||||
timelineClient.start();
|
timelineClient.start();
|
||||||
|
return timelineClient;
|
||||||
|
}
|
||||||
|
});
|
||||||
appToClientMap.put(appId, timelineClient);
|
appToClientMap.put(appId, timelineClient);
|
||||||
|
} catch (IOException | InterruptedException | RuntimeException |
|
||||||
|
Error e) {
|
||||||
|
LOG.warn("Unable to create timeline client for app " + appId, e);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,69 @@
|
||||||
|
/**
|
||||||
|
* Licensed to the Apache Software Foundation (ASF) under one
|
||||||
|
* or more contributor license agreements. See the NOTICE file
|
||||||
|
* distributed with this work for additional information
|
||||||
|
* regarding copyright ownership. The ASF licenses this file
|
||||||
|
* to you under the Apache License, Version 2.0 (the
|
||||||
|
* "License"); you may not use this file except in compliance
|
||||||
|
* with the License. You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.apache.hadoop.yarn.server.timelineservice.security;
|
||||||
|
|
||||||
|
import java.lang.annotation.Annotation;
|
||||||
|
|
||||||
|
import org.apache.hadoop.classification.InterfaceAudience.Public;
|
||||||
|
import org.apache.hadoop.classification.InterfaceStability.Evolving;
|
||||||
|
import org.apache.hadoop.conf.Configuration;
|
||||||
|
import org.apache.hadoop.security.KerberosInfo;
|
||||||
|
import org.apache.hadoop.security.SecurityInfo;
|
||||||
|
import org.apache.hadoop.security.token.TokenInfo;
|
||||||
|
import org.apache.hadoop.yarn.conf.YarnConfiguration;
|
||||||
|
import org.apache.hadoop.yarn.server.api.CollectorNodemanagerProtocolPB;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* SecurityInfo implementation for CollectorNodemanager protocol.
|
||||||
|
*/
|
||||||
|
@Public
|
||||||
|
@Evolving
|
||||||
|
public class CollectorNodemanagerSecurityInfo extends SecurityInfo {
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public KerberosInfo getKerberosInfo(Class<?> protocol, Configuration conf) {
|
||||||
|
if (!protocol
|
||||||
|
.equals(CollectorNodemanagerProtocolPB.class)) {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
return new KerberosInfo() {
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public Class<? extends Annotation> annotationType() {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String serverPrincipal() {
|
||||||
|
return YarnConfiguration.NM_PRINCIPAL;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String clientPrincipal() {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public TokenInfo getTokenInfo(Class<?> protocol, Configuration conf) {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
|
@ -0,0 +1,14 @@
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
#
|
||||||
|
org.apache.hadoop.yarn.server.timelineservice.security.CollectorNodemanagerSecurityInfo
|
Loading…
Reference in New Issue