YARN-7038. [Atsv2 Security] CollectorNodemanagerProtocol RPC interface doesn't work when service authorization is enabled. Contributed by Varun Saxena.
parent
b664569586
commit
32188d3295
@ -223,4 +223,15 @@
|
||||
group list is separated by a blank. For e.g. "alice,bob users,wheel".
|
||||
A special value of "*" means all users are allowed.</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>security.collector-nodemanager.protocol.acl</name>
|
||||
<value>*</value>
|
||||
<description>ACL for CollectorNodemanagerProtocol, used by nodemanager
|
||||
if timeline service v2 is enabled, for the timeline collector and nodemanager
|
||||
to communicate with each other.
|
||||
The ACL is a comma-separated list of user and group names. The user and
|
||||
group list is separated by a blank. For e.g. "alice,bob users,wheel".
|
||||
A special value of "*" means all users are allowed.</description>
|
||||
</property>
|
||||
</configuration>
|
||||
|
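Review bot: The new `security.collector-nodemanager.protocol.acl` property ships with `<value>*</value>`, so with service authorization turned on every caller still passes the service-level check for CollectorNodemanagerProtocol until an operator edits the value. The description does not say which identities are expected to use this protocol. The wildcard presumably follows the file's other entries, whose values are outside this hunk. The description could end with a sentence such as `In a secure cluster, restrict this to the user(s) the nodemanager and timeline collector run as.` so that the default is not mistaken for a recommendation.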
@ -1782,6 +1782,10 @@ public static boolean isAclEnabled(Configuration conf) {
|
||||
YARN_SECURITY_SERVICE_AUTHORIZATION_APPLICATIONHISTORY_PROTOCOL =
|
||||
"security.applicationhistory.protocol.acl";
|
||||
|
||||
public static final String
|
||||
YARN_SECURITY_SERVICE_AUTHORIZATION_COLLECTOR_NODEMANAGER_PROTOCOL =
|
||||
"security.collector-nodemanager.protocol.acl";
|
||||
|
||||
/** No. of milliseconds to wait between sending a SIGTERM and SIGKILL
|
||||
* to a running container */
|
||||
public static final String NM_SLEEP_DELAY_BEFORE_SIGKILL_MS =
|
||||
|
@ -66,6 +66,8 @@ public void initializeMemberVariables() {
|
||||
configurationPropsToSkipCompare
|
||||
.add(YarnConfiguration
|
||||
.YARN_SECURITY_SERVICE_AUTHORIZATION_RESOURCETRACKER_PROTOCOL);
|
||||
configurationPropsToSkipCompare.add(YarnConfiguration
|
||||
.YARN_SECURITY_SERVICE_AUTHORIZATION_COLLECTOR_NODEMANAGER_PROTOCOL);
|
||||
configurationPropsToSkipCompare.add(YarnConfiguration.CURATOR_LEADER_ELECTOR);
|
||||
|
||||
// Federation default configs to be ignored
|
||||
|
@ -26,6 +26,7 @@
|
||||
import org.slf4j.LoggerFactory;
|
||||
|
||||
import org.apache.hadoop.conf.Configuration;
|
||||
import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
|
||||
import org.apache.hadoop.ipc.Server;
|
||||
import org.apache.hadoop.service.CompositeService;
|
||||
import org.apache.hadoop.yarn.api.records.ApplicationId;
|
||||
@ -40,6 +41,7 @@
|
||||
import org.apache.hadoop.yarn.server.api.records.AppCollectorData;
|
||||
import org.apache.hadoop.yarn.server.nodemanager.Context;
|
||||
import org.apache.hadoop.yarn.server.nodemanager.containermanager.application.Application;
|
||||
import org.apache.hadoop.yarn.server.nodemanager.security.authorize.NMPolicyProvider;
|
||||
import org.apache.hadoop.yarn.server.nodemanager.timelineservice.NMTimelinePublisher;
|
||||
|
||||
/**
|
||||
@ -83,6 +85,11 @@ protected void serviceStart() throws Exception {
|
||||
conf.getInt(YarnConfiguration.NM_COLLECTOR_SERVICE_THREAD_COUNT,
|
||||
YarnConfiguration.DEFAULT_NM_COLLECTOR_SERVICE_THREAD_COUNT));
|
||||
|
||||
if (conf.getBoolean(
|
||||
CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHORIZATION, false)) {
|
||||
server.refreshServiceAcl(conf, new NMPolicyProvider());
|
||||
}
|
||||
|
||||
server.start();
|
||||
collectorServerAddress = conf.updateConnectAddr(
|
||||
YarnConfiguration.NM_BIND_HOST,
|
||||
|
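Review bot: Nothing on this page exercises the new `refreshServiceAcl` branch in `serviceStart()`. The only test change shown adds the key to a skip-compare list, so a later change that drops the ACL load or the policy entry could go unnoticed again. A test that starts the collector service with `hadoop.security.authorization` set to true, then asserts that an allowed caller succeeds and a caller outside the ACL is rejected, would pin the behaviour. A one-line comment above the `if`, e.g. `// Load service-level ACLs before the server starts accepting calls.`, would also record why the block sits before `server.start()`. `serviceStart()` begins and ends outside the hunk.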
@ -23,6 +23,7 @@
|
||||
import org.apache.hadoop.security.authorize.Service;
|
||||
import org.apache.hadoop.yarn.api.ContainerManagementProtocolPB;
|
||||
import org.apache.hadoop.yarn.conf.YarnConfiguration;
|
||||
import org.apache.hadoop.yarn.server.api.CollectorNodemanagerProtocolPB;
|
||||
import org.apache.hadoop.yarn.server.nodemanager.api.LocalizationProtocolPB;
|
||||
|
||||
/**
|
||||
@ -38,7 +39,10 @@ public class NMPolicyProvider extends PolicyProvider {
|
||||
YarnConfiguration.YARN_SECURITY_SERVICE_AUTHORIZATION_CONTAINER_MANAGEMENT_PROTOCOL,
|
||||
ContainerManagementProtocolPB.class),
|
||||
new Service(YarnConfiguration.YARN_SECURITY_SERVICE_AUTHORIZATION_RESOURCE_LOCALIZER,
|
||||
LocalizationProtocolPB.class)
|
||||
LocalizationProtocolPB.class),
|
||||
new Service(YarnConfiguration.
|
||||
YARN_SECURITY_SERVICE_AUTHORIZATION_COLLECTOR_NODEMANAGER_PROTOCOL,
|
||||
CollectorNodemanagerProtocolPB.class)
|
||||
};
|
||||
|
||||
@Override
|
||||
|
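Review bot: The `Service[]` array has no comment saying that each protocol served by a nodemanager RPC server needs an entry here, which, judging by the commit title, is the omission being repaired for `CollectorNodemanagerProtocolPB`. A line above the array such as `// Every protocol exposed by an NM RPC server must be listed here; with service authorization on, unlisted protocols are refused.` would help whoever adds the next protocol. On style, the new entry breaks the line after `YarnConfiguration.`, while the entries above keep the qualifier and constant together. Wrapping after the comma instead would read consistently. The class body starts and ends outside the hunk.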