YARN-3804. Both RM are on standBy state when kerberos user not in yarn.admin.acl. Contributed by Varun Saxena
This commit is contained in:
parent
2de586f60d
commit
a826d432f9
|
@ -681,6 +681,9 @@ Release 2.7.1 - UNRELEASED
|
||||||
YARN-3764. CapacityScheduler should forbid moving LeafQueue from one parent
|
YARN-3764. CapacityScheduler should forbid moving LeafQueue from one parent
|
||||||
to another. (Wangda Tan via jianhe)
|
to another. (Wangda Tan via jianhe)
|
||||||
|
|
||||||
|
YARN-3804. Both RM are on standBy state when kerberos user not in yarn.admin.acl
|
||||||
|
(Varun Saxena via xgong)
|
||||||
|
|
||||||
Release 2.7.0 - 2015-04-20
|
Release 2.7.0 - 2015-04-20
|
||||||
|
|
||||||
INCOMPATIBLE CHANGES
|
INCOMPATIBLE CHANGES
|
||||||
|
|
|
@ -112,6 +112,8 @@ public class AdminService extends CompositeService implements
|
||||||
private final RecordFactory recordFactory =
|
private final RecordFactory recordFactory =
|
||||||
RecordFactoryProvider.getRecordFactory(null);
|
RecordFactoryProvider.getRecordFactory(null);
|
||||||
|
|
||||||
|
private UserGroupInformation daemonUser;
|
||||||
|
|
||||||
@VisibleForTesting
|
@VisibleForTesting
|
||||||
boolean isDistributedNodeLabelConfiguration = false;
|
boolean isDistributedNodeLabelConfiguration = false;
|
||||||
|
|
||||||
|
@ -138,10 +140,9 @@ public class AdminService extends CompositeService implements
|
||||||
YarnConfiguration.RM_ADMIN_ADDRESS,
|
YarnConfiguration.RM_ADMIN_ADDRESS,
|
||||||
YarnConfiguration.DEFAULT_RM_ADMIN_ADDRESS,
|
YarnConfiguration.DEFAULT_RM_ADMIN_ADDRESS,
|
||||||
YarnConfiguration.DEFAULT_RM_ADMIN_PORT);
|
YarnConfiguration.DEFAULT_RM_ADMIN_PORT);
|
||||||
|
daemonUser = UserGroupInformation.getCurrentUser();
|
||||||
authorizer = YarnAuthorizationProvider.getInstance(conf);
|
authorizer = YarnAuthorizationProvider.getInstance(conf);
|
||||||
authorizer.setAdmins(new AccessControlList(conf.get(
|
authorizer.setAdmins(getAdminAclList(conf), UserGroupInformation
|
||||||
YarnConfiguration.YARN_ADMIN_ACL,
|
|
||||||
YarnConfiguration.DEFAULT_YARN_ADMIN_ACL)), UserGroupInformation
|
|
||||||
.getCurrentUser());
|
.getCurrentUser());
|
||||||
rmId = conf.get(YarnConfiguration.RM_HA_ID);
|
rmId = conf.get(YarnConfiguration.RM_HA_ID);
|
||||||
|
|
||||||
|
@ -151,6 +152,14 @@ public class AdminService extends CompositeService implements
|
||||||
super.serviceInit(conf);
|
super.serviceInit(conf);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private AccessControlList getAdminAclList(Configuration conf) {
|
||||||
|
AccessControlList aclList = new AccessControlList(conf.get(
|
||||||
|
YarnConfiguration.YARN_ADMIN_ACL,
|
||||||
|
YarnConfiguration.DEFAULT_YARN_ADMIN_ACL));
|
||||||
|
aclList.addUser(daemonUser.getShortUserName());
|
||||||
|
return aclList;
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
protected void serviceStart() throws Exception {
|
protected void serviceStart() throws Exception {
|
||||||
startServer();
|
startServer();
|
||||||
|
@ -470,9 +479,7 @@ public class AdminService extends CompositeService implements
|
||||||
Configuration conf =
|
Configuration conf =
|
||||||
getConfiguration(new Configuration(false),
|
getConfiguration(new Configuration(false),
|
||||||
YarnConfiguration.YARN_SITE_CONFIGURATION_FILE);
|
YarnConfiguration.YARN_SITE_CONFIGURATION_FILE);
|
||||||
authorizer.setAdmins(new AccessControlList(conf.get(
|
authorizer.setAdmins(getAdminAclList(conf), UserGroupInformation
|
||||||
YarnConfiguration.YARN_ADMIN_ACL,
|
|
||||||
YarnConfiguration.DEFAULT_YARN_ADMIN_ACL)), UserGroupInformation
|
|
||||||
.getCurrentUser());
|
.getCurrentUser());
|
||||||
RMAuditLogger.logSuccess(user.getShortUserName(), argName,
|
RMAuditLogger.logSuccess(user.getShortUserName(), argName,
|
||||||
"AdminService");
|
"AdminService");
|
||||||
|
|
|
@ -38,12 +38,14 @@ import org.apache.hadoop.fs.Path;
|
||||||
import org.apache.hadoop.ha.HAServiceProtocol;
|
import org.apache.hadoop.ha.HAServiceProtocol;
|
||||||
import org.apache.hadoop.ha.HAServiceProtocol.HAServiceState;
|
import org.apache.hadoop.ha.HAServiceProtocol.HAServiceState;
|
||||||
import org.apache.hadoop.ha.HAServiceProtocol.StateChangeRequestInfo;
|
import org.apache.hadoop.ha.HAServiceProtocol.StateChangeRequestInfo;
|
||||||
|
import org.apache.hadoop.security.AccessControlException;
|
||||||
import org.apache.hadoop.security.GroupMappingServiceProvider;
|
import org.apache.hadoop.security.GroupMappingServiceProvider;
|
||||||
import org.apache.hadoop.security.Groups;
|
import org.apache.hadoop.security.Groups;
|
||||||
import org.apache.hadoop.security.UserGroupInformation;
|
import org.apache.hadoop.security.UserGroupInformation;
|
||||||
import org.apache.hadoop.security.authorize.AccessControlList;
|
import org.apache.hadoop.security.authorize.AccessControlList;
|
||||||
import org.apache.hadoop.security.authorize.ProxyUsers;
|
import org.apache.hadoop.security.authorize.ProxyUsers;
|
||||||
import org.apache.hadoop.security.authorize.ServiceAuthorizationManager;
|
import org.apache.hadoop.security.authorize.ServiceAuthorizationManager;
|
||||||
|
import org.apache.hadoop.yarn.LocalConfigurationProvider;
|
||||||
import org.apache.hadoop.yarn.api.records.DecommissionType;
|
import org.apache.hadoop.yarn.api.records.DecommissionType;
|
||||||
import org.apache.hadoop.yarn.api.records.NodeId;
|
import org.apache.hadoop.yarn.api.records.NodeId;
|
||||||
import org.apache.hadoop.yarn.conf.HAUtil;
|
import org.apache.hadoop.yarn.conf.HAUtil;
|
||||||
|
@ -208,7 +210,8 @@ public class TestRMAdminService {
|
||||||
rm.adminService.getAccessControlList().getAclString().trim();
|
rm.adminService.getAccessControlList().getAclString().trim();
|
||||||
|
|
||||||
Assert.assertTrue(!aclStringAfter.equals(aclStringBefore));
|
Assert.assertTrue(!aclStringAfter.equals(aclStringBefore));
|
||||||
Assert.assertEquals(aclStringAfter, "world:anyone:rwcda");
|
Assert.assertEquals(aclStringAfter, "world:anyone:rwcda," +
|
||||||
|
UserGroupInformation.getCurrentUser().getShortUserName());
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
|
@ -695,7 +698,8 @@ public class TestRMAdminService {
|
||||||
String aclStringAfter =
|
String aclStringAfter =
|
||||||
resourceManager.adminService.getAccessControlList()
|
resourceManager.adminService.getAccessControlList()
|
||||||
.getAclString().trim();
|
.getAclString().trim();
|
||||||
Assert.assertEquals(aclStringAfter, "world:anyone:rwcda");
|
Assert.assertEquals(aclStringAfter, "world:anyone:rwcda," +
|
||||||
|
UserGroupInformation.getCurrentUser().getShortUserName());
|
||||||
|
|
||||||
// validate values for queue configuration
|
// validate values for queue configuration
|
||||||
CapacityScheduler cs =
|
CapacityScheduler cs =
|
||||||
|
@ -761,6 +765,47 @@ public class TestRMAdminService {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* For verifying fix for YARN-3804 */
|
||||||
|
@Test
|
||||||
|
public void testRefreshAclWithDaemonUser() throws Exception {
|
||||||
|
String daemonUser =
|
||||||
|
UserGroupInformation.getCurrentUser().getShortUserName();
|
||||||
|
configuration.set(YarnConfiguration.RM_CONFIGURATION_PROVIDER_CLASS,
|
||||||
|
"org.apache.hadoop.yarn.FileSystemBasedConfigurationProvider");
|
||||||
|
|
||||||
|
uploadDefaultConfiguration();
|
||||||
|
YarnConfiguration yarnConf = new YarnConfiguration();
|
||||||
|
yarnConf.set(YarnConfiguration.YARN_ADMIN_ACL, daemonUser + "xyz");
|
||||||
|
uploadConfiguration(yarnConf, "yarn-site.xml");
|
||||||
|
|
||||||
|
try {
|
||||||
|
rm = new MockRM(configuration);
|
||||||
|
rm.init(configuration);
|
||||||
|
rm.start();
|
||||||
|
} catch(Exception ex) {
|
||||||
|
fail("Should not get any exceptions");
|
||||||
|
}
|
||||||
|
|
||||||
|
assertEquals(daemonUser + "xyz," + daemonUser,
|
||||||
|
rm.adminService.getAccessControlList().getAclString().trim());
|
||||||
|
|
||||||
|
yarnConf = new YarnConfiguration();
|
||||||
|
yarnConf.set(YarnConfiguration.YARN_ADMIN_ACL, daemonUser + "abc");
|
||||||
|
uploadConfiguration(yarnConf, "yarn-site.xml");
|
||||||
|
try {
|
||||||
|
rm.adminService.refreshAdminAcls(RefreshAdminAclsRequest.newInstance());
|
||||||
|
} catch (YarnException e) {
|
||||||
|
if (e.getCause() != null &&
|
||||||
|
e.getCause() instanceof AccessControlException) {
|
||||||
|
fail("Refresh should not have failed due to incorrect ACL");
|
||||||
|
}
|
||||||
|
throw e;
|
||||||
|
}
|
||||||
|
|
||||||
|
assertEquals(daemonUser + "abc," + daemonUser,
|
||||||
|
rm.adminService.getAccessControlList().getAclString().trim());
|
||||||
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testModifyLabelsOnNodesWithDistributedConfigurationDisabled()
|
public void testModifyLabelsOnNodesWithDistributedConfigurationDisabled()
|
||||||
throws IOException, YarnException {
|
throws IOException, YarnException {
|
||||||
|
|
Loading…
Reference in New Issue