MAPREDUCE-3175. Add authorization to admin web-pages such as /stacks, /jmx etc. Contributed by Jonathan Eagles.
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1189619 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
parent
33dc6578de
commit
5fadd4de2a
|
@ -1792,6 +1792,9 @@ Release 0.23.0 - Unreleased
|
||||||
MAPREDUCE-3264. mapreduce.job.user.name needs to be set automatically.
|
MAPREDUCE-3264. mapreduce.job.user.name needs to be set automatically.
|
||||||
(acmurthy via mahadev)
|
(acmurthy via mahadev)
|
||||||
|
|
||||||
|
MAPREDUCE-3175. Add authorization to admin web-pages such as /stacks, /jmx
|
||||||
|
etc. (Jonathan Eagles via acmurthy)
|
||||||
|
|
||||||
Release 0.22.0 - Unreleased
|
Release 0.22.0 - Unreleased
|
||||||
|
|
||||||
INCOMPATIBLE CHANGES
|
INCOMPATIBLE CHANGES
|
||||||
|
|
|
@ -0,0 +1,140 @@
|
||||||
|
/**
|
||||||
|
* Licensed to the Apache Software Foundation (ASF) under one
|
||||||
|
* or more contributor license agreements. See the NOTICE file
|
||||||
|
* distributed with this work for additional information
|
||||||
|
* regarding copyright ownership. The ASF licenses this file
|
||||||
|
* to you under the Apache License, Version 2.0 (the
|
||||||
|
* "License"); you may not use this file except in compliance
|
||||||
|
* with the License. You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.apache.hadoop.yarn.security;
|
||||||
|
|
||||||
|
import java.io.IOException;
|
||||||
|
|
||||||
|
import org.apache.commons.logging.Log;
|
||||||
|
import org.apache.commons.logging.LogFactory;
|
||||||
|
|
||||||
|
import org.apache.hadoop.conf.Configuration;
|
||||||
|
import org.apache.hadoop.security.authorize.AccessControlList;
|
||||||
|
import org.apache.hadoop.security.UserGroupInformation;
|
||||||
|
import org.apache.hadoop.yarn.conf.YarnConfiguration;
|
||||||
|
import org.apache.hadoop.yarn.YarnException;
|
||||||
|
|
||||||
|
public class AdminACLsManager {
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Log object for this class
|
||||||
|
*/
|
||||||
|
static Log LOG = LogFactory.getLog(AdminACLsManager.class);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* The current user at the time of object creation
|
||||||
|
*/
|
||||||
|
private final UserGroupInformation owner;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Holds list of administrator users
|
||||||
|
*/
|
||||||
|
private final AccessControlList adminAcl;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* True if ACLs are enabled
|
||||||
|
*
|
||||||
|
* @see YarnConfiguration#YARN_ACL_ENABLE
|
||||||
|
* @see YarnConfiguration#DEFAULT_YARN_ACL_ENABLE
|
||||||
|
*/
|
||||||
|
private final boolean aclsEnabled;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Constructs and initializes this AdminACLsManager
|
||||||
|
*
|
||||||
|
* @param conf configuration for this object to use
|
||||||
|
*/
|
||||||
|
public AdminACLsManager(Configuration conf) {
|
||||||
|
|
||||||
|
this.adminAcl = new AccessControlList(conf.get(
|
||||||
|
YarnConfiguration.YARN_ADMIN_ACL,
|
||||||
|
YarnConfiguration.DEFAULT_YARN_ADMIN_ACL));
|
||||||
|
try {
|
||||||
|
owner = UserGroupInformation.getCurrentUser();
|
||||||
|
adminAcl.addUser(owner.getShortUserName());
|
||||||
|
} catch (IOException e){
|
||||||
|
LOG.warn("Could not add current user to admin:" + e);
|
||||||
|
throw new YarnException(e);
|
||||||
|
}
|
||||||
|
|
||||||
|
aclsEnabled = conf.getBoolean(YarnConfiguration.YARN_ACL_ENABLE,
|
||||||
|
YarnConfiguration.DEFAULT_YARN_ACL_ENABLE);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns the owner
|
||||||
|
*
|
||||||
|
* @return Current user at the time of object creation
|
||||||
|
*/
|
||||||
|
public UserGroupInformation getOwner() {
|
||||||
|
return owner;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns whether ACLs are enabled
|
||||||
|
*
|
||||||
|
* @see YarnConfiguration#YARN_ACL_ENABLE
|
||||||
|
* @see YarnConfiguration#DEFAULT_YARN_ACL_ENABLE
|
||||||
|
* @return <tt>true</tt> if ACLs are enabled
|
||||||
|
*/
|
||||||
|
public boolean areACLsEnabled() {
|
||||||
|
return aclsEnabled;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns the internal structure used to maintain administrator ACLs
|
||||||
|
*
|
||||||
|
* @return Structure used to maintain administrator access
|
||||||
|
*/
|
||||||
|
public AccessControlList getAdminAcl() {
|
||||||
|
return adminAcl;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns whether the specified user/group is an administrator
|
||||||
|
*
|
||||||
|
* @param callerUGI user/group to to check
|
||||||
|
* @return <tt>true</tt> if the UserGroupInformation specified
|
||||||
|
* is a member of the access control list for administrators
|
||||||
|
*/
|
||||||
|
public boolean isAdmin(UserGroupInformation callerUGI) {
|
||||||
|
return adminAcl.isUserAllowed(callerUGI);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns whether the specified user/group has administrator access
|
||||||
|
*
|
||||||
|
* @param callerUGI user/group to to check
|
||||||
|
* @return <tt>true</tt> if the UserGroupInformation specified
|
||||||
|
* is a member of the access control list for administrators
|
||||||
|
* and ACLs are enabled for this cluster
|
||||||
|
*
|
||||||
|
* @see #getAdminAcl
|
||||||
|
* @see #areACLsEnabled
|
||||||
|
*/
|
||||||
|
public boolean checkAccess(UserGroupInformation callerUGI) {
|
||||||
|
|
||||||
|
// Any user may perform this operation if authorization is not enabled
|
||||||
|
if (!areACLsEnabled()) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Administrators may perform any operation
|
||||||
|
return isAdmin(callerUGI);
|
||||||
|
}
|
||||||
|
}
|
|
@ -31,6 +31,7 @@ import javax.servlet.http.HttpServlet;
|
||||||
import org.apache.commons.lang.StringUtils;
|
import org.apache.commons.lang.StringUtils;
|
||||||
import org.apache.hadoop.conf.Configuration;
|
import org.apache.hadoop.conf.Configuration;
|
||||||
import org.apache.hadoop.http.HttpServer;
|
import org.apache.hadoop.http.HttpServer;
|
||||||
|
import org.apache.hadoop.yarn.security.AdminACLsManager;
|
||||||
import org.slf4j.Logger;
|
import org.slf4j.Logger;
|
||||||
import org.slf4j.LoggerFactory;
|
import org.slf4j.LoggerFactory;
|
||||||
|
|
||||||
|
@ -178,7 +179,7 @@ public class WebApps {
|
||||||
}
|
}
|
||||||
HttpServer server =
|
HttpServer server =
|
||||||
new HttpServer(name, bindAddress, port, findPort, conf,
|
new HttpServer(name, bindAddress, port, findPort, conf,
|
||||||
webapp.getServePathSpecs());
|
new AdminACLsManager(conf).getAdminAcl(), null, webapp.getServePathSpecs());
|
||||||
for(ServletStruct struct: servlets) {
|
for(ServletStruct struct: servlets) {
|
||||||
server.addServlet(struct.name, struct.spec, struct.clazz);
|
server.addServlet(struct.name, struct.spec, struct.clazz);
|
||||||
}
|
}
|
||||||
|
|
|
@ -32,7 +32,7 @@ import org.apache.hadoop.security.UserGroupInformation;
|
||||||
import org.apache.hadoop.security.authorize.AccessControlList;
|
import org.apache.hadoop.security.authorize.AccessControlList;
|
||||||
import org.apache.hadoop.yarn.api.records.ApplicationId;
|
import org.apache.hadoop.yarn.api.records.ApplicationId;
|
||||||
import org.apache.hadoop.yarn.api.records.ApplicationAccessType;
|
import org.apache.hadoop.yarn.api.records.ApplicationAccessType;
|
||||||
import org.apache.hadoop.yarn.conf.YarnConfiguration;
|
import org.apache.hadoop.yarn.security.AdminACLsManager;
|
||||||
|
|
||||||
@InterfaceAudience.Private
|
@InterfaceAudience.Private
|
||||||
public class ApplicationACLsManager {
|
public class ApplicationACLsManager {
|
||||||
|
@ -41,20 +41,17 @@ public class ApplicationACLsManager {
|
||||||
.getLog(ApplicationACLsManager.class);
|
.getLog(ApplicationACLsManager.class);
|
||||||
|
|
||||||
private final Configuration conf;
|
private final Configuration conf;
|
||||||
private final AccessControlList adminAcl;
|
private final AdminACLsManager adminAclsManager;
|
||||||
private final ConcurrentMap<ApplicationId, Map<ApplicationAccessType, AccessControlList>> applicationACLS
|
private final ConcurrentMap<ApplicationId, Map<ApplicationAccessType, AccessControlList>> applicationACLS
|
||||||
= new ConcurrentHashMap<ApplicationId, Map<ApplicationAccessType, AccessControlList>>();
|
= new ConcurrentHashMap<ApplicationId, Map<ApplicationAccessType, AccessControlList>>();
|
||||||
|
|
||||||
public ApplicationACLsManager(Configuration conf) {
|
public ApplicationACLsManager(Configuration conf) {
|
||||||
this.conf = conf;
|
this.conf = conf;
|
||||||
this.adminAcl = new AccessControlList(conf.get(
|
this.adminAclsManager = new AdminACLsManager(conf);
|
||||||
YarnConfiguration.YARN_ADMIN_ACL,
|
|
||||||
YarnConfiguration.DEFAULT_YARN_ADMIN_ACL));
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public boolean areACLsEnabled() {
|
public boolean areACLsEnabled() {
|
||||||
return conf.getBoolean(YarnConfiguration.YARN_ACL_ENABLE,
|
return adminAclsManager.areACLsEnabled();
|
||||||
YarnConfiguration.DEFAULT_YARN_ACL_ENABLE);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public void addApplication(ApplicationId appId,
|
public void addApplication(ApplicationId appId,
|
||||||
|
@ -107,7 +104,7 @@ public class ApplicationACLsManager {
|
||||||
.get(applicationId).get(applicationAccessType);
|
.get(applicationId).get(applicationAccessType);
|
||||||
|
|
||||||
// Allow application-owner for any type of access on the application
|
// Allow application-owner for any type of access on the application
|
||||||
if (this.adminAcl.isUserAllowed(callerUGI)
|
if (this.adminAclsManager.isAdmin(callerUGI)
|
||||||
|| user.equals(applicationOwner)
|
|| user.equals(applicationOwner)
|
||||||
|| applicationACL.isUserAllowed(callerUGI)) {
|
|| applicationACL.isUserAllowed(callerUGI)) {
|
||||||
return true;
|
return true;
|
||||||
|
|
Loading…
Reference in New Issue