YARN-3804. Both RM are on standBy state when kerberos user not in yarn.admin.acl. Contributed by Varun Saxena
parent
6de4d52c31
commit
c0a419b134
|
@ -157,6 +157,9 @@ Release 2.7.1 - UNRELEASED
|
|||
YARN-3764. CapacityScheduler should forbid moving LeafQueue from one parent
|
||||
to another. (Wangda Tan via jianhe)
|
||||
|
||||
YARN-3804. Both RM are on standBy state when kerberos user not in yarn.admin.acl
|
||||
(Varun Saxena via xgong)
|
||||
|
||||
Release 2.7.0 - 2015-04-20
|
||||
|
||||
INCOMPATIBLE CHANGES
|
||||
|
|
|
@ -109,6 +109,8 @@ public class AdminService extends CompositeService implements
|
|||
private final RecordFactory recordFactory =
|
||||
RecordFactoryProvider.getRecordFactory(null);
|
||||
|
||||
private UserGroupInformation daemonUser;
|
||||
|
||||
public AdminService(ResourceManager rm, RMContext rmContext) {
|
||||
super(AdminService.class.getName());
|
||||
this.rm = rm;
|
||||
|
@ -132,15 +134,22 @@ public class AdminService extends CompositeService implements
|
|||
YarnConfiguration.RM_ADMIN_ADDRESS,
|
||||
YarnConfiguration.DEFAULT_RM_ADMIN_ADDRESS,
|
||||
YarnConfiguration.DEFAULT_RM_ADMIN_PORT);
|
||||
daemonUser = UserGroupInformation.getCurrentUser();
|
||||
authorizer = YarnAuthorizationProvider.getInstance(conf);
|
||||
authorizer.setAdmins(new AccessControlList(conf.get(
|
||||
YarnConfiguration.YARN_ADMIN_ACL,
|
||||
YarnConfiguration.DEFAULT_YARN_ADMIN_ACL)), UserGroupInformation
|
||||
authorizer.setAdmins(getAdminAclList(conf), UserGroupInformation
|
||||
.getCurrentUser());
|
||||
rmId = conf.get(YarnConfiguration.RM_HA_ID);
|
||||
super.serviceInit(conf);
|
||||
}
|
||||
|
||||
private AccessControlList getAdminAclList(Configuration conf) {
|
||||
AccessControlList aclList =
|
||||
new AccessControlList(conf.get(YarnConfiguration.YARN_ADMIN_ACL,
|
||||
YarnConfiguration.DEFAULT_YARN_ADMIN_ACL));
|
||||
aclList.addUser(daemonUser.getShortUserName());
|
||||
return aclList;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected void serviceStart() throws Exception {
|
||||
startServer();
|
||||
|
@ -450,9 +459,7 @@ public class AdminService extends CompositeService implements
|
|||
Configuration conf =
|
||||
getConfiguration(new Configuration(false),
|
||||
YarnConfiguration.YARN_SITE_CONFIGURATION_FILE);
|
||||
authorizer.setAdmins(new AccessControlList(conf.get(
|
||||
YarnConfiguration.YARN_ADMIN_ACL,
|
||||
YarnConfiguration.DEFAULT_YARN_ADMIN_ACL)), UserGroupInformation
|
||||
authorizer.setAdmins(getAdminAclList(conf), UserGroupInformation
|
||||
.getCurrentUser());
|
||||
RMAuditLogger.logSuccess(user.getShortUserName(), argName,
|
||||
"AdminService");
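Review bot: The new `getAdminAclList` helper appends the daemon's short user name to whatever `yarn.admin.acl` specifies, and nothing in the code says so. An operator who restricts the ACL will still find the RM process user listed as an admin, and the updated tests expect exactly that from `getAclString()`. I would add a Javadoc on the helper, for example `/** Returns the configured yarn.admin.acl with the RM daemon user always added, so admin calls made as the daemon user are not rejected (YARN-3804). */`, and mention the implicit entry wherever the property is described. Because the entry is a short name rather than a full principal, any principal that maps to the same short name would presumably be admitted as well, which is worth stating there. `daemonUser` is assigned only in `serviceInit`, so the helper relies on being called after initialisation; the bodies of `serviceInit` and of the refresh method start outside the visible hunks.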
|
||||
|
|
|
@ -25,6 +25,7 @@ import java.io.File;
|
|||
import java.io.FileOutputStream;
|
||||
import java.io.IOException;
|
||||
import java.io.PrintWriter;
|
||||
import java.security.AccessControlException;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
|
@ -200,7 +201,8 @@ public class TestRMAdminService {
|
|||
rm.adminService.getAccessControlList().getAclString().trim();
|
||||
|
||||
Assert.assertTrue(!aclStringAfter.equals(aclStringBefore));
|
||||
Assert.assertEquals(aclStringAfter, "world:anyone:rwcda");
|
||||
Assert.assertEquals(aclStringAfter, "world:anyone:rwcda,"
|
||||
+ UserGroupInformation.getCurrentUser().getShortUserName());
|
||||
}
|
||||
|
||||
@Test
|
||||
|
@ -685,7 +687,8 @@ public class TestRMAdminService {
|
|||
String aclStringAfter =
|
||||
resourceManager.adminService.getAccessControlList()
|
||||
.getAclString().trim();
|
||||
Assert.assertEquals(aclStringAfter, "world:anyone:rwcda");
|
||||
Assert.assertEquals(aclStringAfter, "world:anyone:rwcda,"
|
||||
+ UserGroupInformation.getCurrentUser().getShortUserName());
|
||||
|
||||
// validate values for queue configuration
|
||||
CapacityScheduler cs =
|
||||
|
@ -751,6 +754,47 @@ public class TestRMAdminService {
|
|||
}
|
||||
}
|
||||
|
||||
/* For verifying fix for YARN-3804 */
|
||||
@Test
|
||||
public void testRefreshAclWithDaemonUser() throws Exception {
|
||||
String daemonUser =
|
||||
UserGroupInformation.getCurrentUser().getShortUserName();
|
||||
configuration.set(YarnConfiguration.RM_CONFIGURATION_PROVIDER_CLASS,
|
||||
"org.apache.hadoop.yarn.FileSystemBasedConfigurationProvider");
|
||||
|
||||
uploadDefaultConfiguration();
|
||||
YarnConfiguration yarnConf = new YarnConfiguration();
|
||||
yarnConf.set(YarnConfiguration.YARN_ADMIN_ACL, daemonUser + "xyz");
|
||||
uploadConfiguration(yarnConf, "yarn-site.xml");
|
||||
|
||||
try {
|
||||
rm = new MockRM(configuration);
|
||||
rm.init(configuration);
|
||||
rm.start();
|
||||
} catch(Exception ex) {
|
||||
fail("Should not get any exceptions");
|
||||
}
|
||||
|
||||
Assert.assertEquals(daemonUser + "xyz," + daemonUser,
|
||||
rm.adminService.getAccessControlList().getAclString().trim());
|
||||
|
||||
yarnConf = new YarnConfiguration();
|
||||
yarnConf.set(YarnConfiguration.YARN_ADMIN_ACL, daemonUser + "abc");
|
||||
uploadConfiguration(yarnConf, "yarn-site.xml");
|
||||
try {
|
||||
rm.adminService.refreshAdminAcls(RefreshAdminAclsRequest.newInstance());
|
||||
} catch (YarnException e) {
|
||||
if (e.getCause() != null &&
|
||||
e.getCause() instanceof AccessControlException) {
|
||||
fail("Refresh should not have failed due to incorrect ACL");
|
||||
}
|
||||
throw e;
|
||||
}
|
||||
|
||||
Assert.assertEquals(daemonUser + "abc," + daemonUser,
|
||||
rm.adminService.getAccessControlList().getAclString().trim());
|
||||
}
|
||||
|
||||
private String writeConfigurationXML(Configuration conf, String confXMLName)
|
||||
throws IOException {
|
||||
DataOutputStream output = null;
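Review bot: In `testRefreshAclWithDaemonUser`, the first `try`/`catch(Exception ex)` around `new MockRM`, `rm.init` and `rm.start` replaces the real failure with `fail("Should not get any exceptions")`, so the stack trace that would explain a startup or ACL failure is lost. The method already declares `throws Exception`, so the three calls can run without the wrapper, or the cause can at least be kept with `fail("Should not get any exceptions: " + ex)`. The test also checks only the ACL string after each refresh. An assertion that a user outside the refreshed list is still rejected would guard against the helper widening access further than intended. `writeConfigurationXML`, after the new test, continues outside the hunk.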
|
||||
|
|