HADOOP-6922. COMMON part of MAPREDUCE-1664. Makes AccessControlList a writable and updates documentation for Job ACLs. Contributed by Ravi Gummadi.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@998001 13f79535-47bb-0310-9956-ffa450edef68
2010-09-17 07:25:57 +00:00 · 2010-09-17 07:25:57 +00:00 · e9c1efd4cc
parent 1bc066c7d7
commit e9c1efd4cc
3 changed files with 46 additions and 18 deletions
--- a/CHANGES.txt
+++ b/CHANGES.txt
@ -131,6 +131,9 @@ Trunk (unreleased changes)
    HADOOP-6950. Suggest that HADOOP_CLASSPATH should be preserved in 
    hadoop-env.sh.template. (Philip Zeyliger via Eli Collins)

+    HADOOP-6922. Make AccessControlList a writable and update documentation
+    for Job ACLs.  (Ravi Gummadi via vinodkv)
+
  OPTIMIZATIONS

    HADOOP-6884. Add LOG.isDebugEnabled() guard for each LOG.debug(..).
--- a/src/docs/src/documentation/content/xdocs/cluster_setup.xml
+++ b/src/docs/src/documentation/content/xdocs/cluster_setup.xml
@ -271,17 +271,25 @@
 		        If necessary, use these files to control the list of allowable 
 		        TaskTrackers.
 		      </td>
-  		    </tr>
-        <tr>
-          <td>mapreduce.cluster.job-authorization-enabled</td>
-          <td>Boolean, specifying whether job ACLs are supported for 
-              authorizing view and modification of a job</td>
-          <td>
-            If <em>true</em>, job ACLs would be checked while viewing or
-            modifying a job. More details are available at 
-            <a href ="ext:mapred-tutorial/JobAuthorization">Job Authorization</a>. 
-          </td>
-        </tr>
+      </tr>
+      <tr>
+        <td>mapreduce.cluster.acls.enabled</td>
+        <td>Boolean, specifying whether checks for queue ACLs and job ACLs
+            are to be done for authorizing users for doing queue operations and
+            job operations.
+        </td>
+        <td>
+          If <em>true</em>, queue ACLs are checked while submitting
+          and administering jobs and job ACLs are checked for authorizing
+          view and modification of jobs. Queue ACLs are specified using the
+          configuration parameters of the form defined below under
+          mapred-queues.xml. Job ACLs are described at
+          mapred-tutorial in "Job Authorization" section.
+          For enabling this flag(mapreduce.cluster.acls.enabled), this is to be
+          set to true in mapred-site.xml on JobTracker node and on all
+          TaskTracker nodes.
+        </td>
+      </tr>
  		    
 		  </table>      

@ -370,7 +378,7 @@
          </p>

          <source>
-          &lt;queues aclsEnabled="$aclsEnabled"&gt;
+          &lt;queues&gt;
            &lt;queue&gt;
              &lt;name&gt;$queue-name&lt;/name&gt;
              &lt;state&gt;$state&lt;/state&gt;
@ -509,11 +517,12 @@
            </tr>

            <tr>
-              <td>acl-administer-job</td>
+              <td>acl-administer-jobs</td>
              <td>Child element of a
              <a href="#queue_tag"><em>&lt;queue&gt;</em></a> specifying the
-              list of users and groups that can change the priority of a job
-              or kill a job that has been submitted to the specified queue.
+              list of users and groups that can view job details, change the
+              priority of a job or kill a job that has been submitted to the
+              specified queue.
              </td>
              <td>Yes</td>
              <td>
@ -522,7 +531,7 @@
              list of names. The two lists are separated by a blank.
              Example: <em>user1,user2 group1,group2</em>.
              If you wish to define only a list of groups, provide
-              a blank at the beginning of the value. Note that an
+              a blank at the beginning of the value. Note that the
              owner of a job can always change the priority or kill
              his/her own job, irrespective of the ACLs.
              </td>
--- a/src/java/org/apache/hadoop/security/authorize/AccessControlList.java
+++ b/src/java/org/apache/hadoop/security/authorize/AccessControlList.java
@ -27,6 +27,8 @@ import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
 import org.apache.hadoop.io.Text;
 import org.apache.hadoop.io.Writable;
+import org.apache.hadoop.io.WritableFactories;
+import org.apache.hadoop.io.WritableFactory;
 import org.apache.hadoop.security.UserGroupInformation;

 /**
@ -35,7 +37,15 @@ import org.apache.hadoop.security.UserGroupInformation;
@InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"})
@InterfaceStability.Evolving
 public class AccessControlList implements Writable {
-  
+
+  static {                                      // register a ctor
+    WritableFactories.setFactory
+    (AccessControlList.class,
+      new WritableFactory() {
+        public Writable newInstance() { return new AccessControlList(); }
+      });
+  }
+
  // Indicates an ACL string that represents access to all users
  public static final String WILDCARD_ACL_VALUE = "*";
  private static final int INITIAL_CAPACITY = 256;
@ -46,7 +56,13 @@ public class AccessControlList implements Writable {
  private Set<String> groups;
  // Whether all users are granted access.
  private boolean allAllowed;
-  
+
+  /**
+   * This constructor exists primarily for AccessControlList to be Writable.
+   */
+  public AccessControlList() {
+  }
+
  /**
   * Construct a new ACL from a String representation of the same.
   *