From c0a419b134867d66f221899c79ddca413c2622d8 Mon Sep 17 00:00:00 2001
From: Xuan
Date: Wed, 17 Jun 2015 16:27:01 -0700
Subject: [PATCH] YARN-3804. Both RM are on standBy state when kerberos user not in yarn.admin.acl. Contributed by Varun Saxena
---
 hadoop-yarn-project/CHANGES.txt | 3 ++
 .../server/resourcemanager/AdminService.java | 19 +++++---
 .../resourcemanager/TestRMAdminService.java | 48 ++++++++++++++++++-
 3 files changed, 62 insertions(+), 8 deletions(-)
diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index a7123f40899..9b537376488 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -157,6 +157,9 @@ Release 2.7.1 - UNRELEASED
 YARN-3764. CapacityScheduler should forbid moving LeafQueue from one parent to another. (Wangda Tan via jianhe)
+ YARN-3804. Both RM are on standBy state when kerberos user not in yarn.admin.acl
+ (Varun Saxena via xgong)
+
 Release 2.7.0 - 2015-04-20
 INCOMPATIBLE CHANGES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/AdminService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/AdminService.java
index 35aba7e5284..e9141d33f19 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/AdminService.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/AdminService.java
@@ -109,6 +109,8 @@ public class AdminService extends CompositeService implements
 private final RecordFactory recordFactory = RecordFactoryProvider.getRecordFactory(null);
+ private UserGroupInformation daemonUser;
+
 public AdminService(ResourceManager rm, RMContext rmContext) {
 super(AdminService.class.getName());
 this.rm = rm;
@@ -132,15 +134,22 @@ public class AdminService extends CompositeService implements
 YarnConfiguration.RM_ADMIN_ADDRESS, YarnConfiguration.DEFAULT_RM_ADMIN_ADDRESS, YarnConfiguration.DEFAULT_RM_ADMIN_PORT);
+ daemonUser = UserGroupInformation.getCurrentUser();
 authorizer = YarnAuthorizationProvider.getInstance(conf);
- authorizer.setAdmins(new AccessControlList(conf.get(
- YarnConfiguration.YARN_ADMIN_ACL,
- YarnConfiguration.DEFAULT_YARN_ADMIN_ACL)), UserGroupInformation
+ authorizer.setAdmins(getAdminAclList(conf), UserGroupInformation
 .getCurrentUser());
 rmId = conf.get(YarnConfiguration.RM_HA_ID);
 super.serviceInit(conf);
 }
+ private AccessControlList getAdminAclList(Configuration conf) {
+ AccessControlList aclList =
+ new AccessControlList(conf.get(YarnConfiguration.YARN_ADMIN_ACL,
+ YarnConfiguration.DEFAULT_YARN_ADMIN_ACL));
+ aclList.addUser(daemonUser.getShortUserName());
+ return aclList;
+ }
+
 @Override
 protected void serviceStart() throws Exception {
 startServer();
@@ -450,9 +459,7 @@ public class AdminService extends CompositeService implements
 Configuration conf = getConfiguration(new Configuration(false), YarnConfiguration.YARN_SITE_CONFIGURATION_FILE);
- authorizer.setAdmins(new AccessControlList(conf.get(
- YarnConfiguration.YARN_ADMIN_ACL,
- YarnConfiguration.DEFAULT_YARN_ADMIN_ACL)), UserGroupInformation
+ authorizer.setAdmins(getAdminAclList(conf), UserGroupInformation
 .getCurrentUser());
 RMAuditLogger.logSuccess(user.getShortUserName(), argName, "AdminService");
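Review bot: getAdminAclList (second AdminService.java hunk, also called from the refreshAdminAcls hunk) makes the effective admin ACL wider than the configured yarn.admin.acl, and neither a comment nor a log line records that. The appended entry is `daemonUser.getShortUserName()`, so the match is on a short name: on a Kerberos cluster any principal that resolves to the same short name as the ResourceManager login would presumably pass the admin check too, which should be confirmed against the cluster's name-mapping rules. I would document this on the method, e.g. `// Always admit the RM's own user so HA transitions work even when yarn.admin.acl omits it; matched by short user name.`, and log the effective ACL after each setAdmins call so the implicit entry is visible to operators. serviceInit and refreshAdminAcls both start outside the hunks.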
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMAdminService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMAdminService.java
index 1bd3dbfd447..6e422064e11 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMAdminService.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMAdminService.java
@@ -25,6 +25,7 @@ import java.io.File;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.PrintWriter;
+import java.security.AccessControlException;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Set;
@@ -200,7 +201,8 @@ public class TestRMAdminService {
 rm.adminService.getAccessControlList().getAclString().trim();
 Assert.assertTrue(!aclStringAfter.equals(aclStringBefore));
- Assert.assertEquals(aclStringAfter, "world:anyone:rwcda");
+ Assert.assertEquals(aclStringAfter, "world:anyone:rwcda,"
+ + UserGroupInformation.getCurrentUser().getShortUserName());
 }
 @Test
@@ -685,7 +687,8 @@ public class TestRMAdminService {
 String aclStringAfter = resourceManager.adminService.getAccessControlList() .getAclString().trim();
- Assert.assertEquals(aclStringAfter, "world:anyone:rwcda");
+ Assert.assertEquals(aclStringAfter, "world:anyone:rwcda,"
+ + UserGroupInformation.getCurrentUser().getShortUserName());
 // validate values for queue configuration
 CapacityScheduler cs =
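Review bot: The updated assertions in the @@ -200 and @@ -685 hunks pin the exact text of getAclString(), so they pass only if the configured entry is always rendered before the appended daemon user. If AccessControlList keeps its users in an unordered collection (not visible here; worth checking), the order can vary with the login name, and the same applies to the two string comparisons in testRefreshAclWithDaemonUser in the last hunk. Checking membership is sturdier, for example `Assert.assertTrue(rm.adminService.getAccessControlList().getUsers().contains(UserGroupInformation.getCurrentUser().getShortUserName()));`. The arguments are also passed in (actual, expected) order, which makes a failure message read backwards. Both test methods begin outside these hunks.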
@@ -751,6 +754,47 @@ public class TestRMAdminService {
 }
 }
+ /* For verifying fix for YARN-3804 */
+ @Test
+ public void testRefreshAclWithDaemonUser() throws Exception {
+ String daemonUser =
+ UserGroupInformation.getCurrentUser().getShortUserName();
+ configuration.set(YarnConfiguration.RM_CONFIGURATION_PROVIDER_CLASS,
+ "org.apache.hadoop.yarn.FileSystemBasedConfigurationProvider");
+
+ uploadDefaultConfiguration();
+ YarnConfiguration yarnConf = new YarnConfiguration();
+ yarnConf.set(YarnConfiguration.YARN_ADMIN_ACL, daemonUser + "xyz");
+ uploadConfiguration(yarnConf, "yarn-site.xml");
+
+ try {
+ rm = new MockRM(configuration);
+ rm.init(configuration);
+ rm.start();
+ } catch(Exception ex) {
+ fail("Should not get any exceptions");
+ }
+
+ Assert.assertEquals(daemonUser + "xyz," + daemonUser,
+ rm.adminService.getAccessControlList().getAclString().trim());
+
+ yarnConf = new YarnConfiguration();
+ yarnConf.set(YarnConfiguration.YARN_ADMIN_ACL, daemonUser + "abc");
+ uploadConfiguration(yarnConf, "yarn-site.xml");
+ try {
+ rm.adminService.refreshAdminAcls(RefreshAdminAclsRequest.newInstance());
+ } catch (YarnException e) {
+ if (e.getCause() != null &&
+ e.getCause() instanceof AccessControlException) {
+ fail("Refresh should not have failed due to incorrect ACL");
+ }
+ throw e;
+ }
+
+ Assert.assertEquals(daemonUser + "abc," + daemonUser,
+ rm.adminService.getAccessControlList().getAclString().trim());
+ }
+
 private String writeConfigurationXML(Configuration conf, String confXMLName) throws IOException {
 DataOutputStream output = null;
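Review bot: testRefreshAclWithDaemonUser checks only the ACL string and never exercises an authorization decision, so it would still pass if the change admitted more users than the daemon. Since the fix alters who counts as an admin, add a negative case in which a user that is neither in yarn.admin.acl nor the daemon is still rejected by an admin call after the refresh. The first try block, `catch(Exception ex) { fail("Should not get any exceptions"); }`, also throws away the cause; the method already declares `throws Exception`, so the three MockRM calls can run without the try/catch and a failure will show its stack trace.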