YARN-8544. [DS] AM registration fails when hadoop authorization is enabled. Contributed by Bibin A Chundatt.
This commit is contained in:
parent
16f9aee5f5
commit
8461278833
@ -242,4 +242,24 @@
|
||||
group list is separated by a blank. For e.g. "alice,bob users,wheel".
|
||||
A special value of "*" means all users are allowed.</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>security.applicationmaster-nodemanager.applicationmaster.protocol.acl</name>
|
||||
<value>*</value>
|
||||
<description>ACL for ApplicationMasterProtocol, used by the Nodemanager
|
||||
and ApplicationMasters to communicate.
|
||||
The ACL is a comma-separated list of user and group names. The user and
|
||||
group list is separated by a blank. For e.g. "alice,bob users,wheel".
|
||||
A special value of "*" means all users are allowed.</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>security.distributedscheduling.protocol.acl</name>
|
||||
<value>*</value>
|
||||
<description>ACL for DistributedSchedulingAMProtocol, used by the Nodemanager
|
||||
and Resourcemanager to communicate.
|
||||
The ACL is a comma-separated list of user and group names. The user and
|
||||
group list is separated by a blank. For e.g. "alice,bob users,wheel".
|
||||
A special value of "*" means all users are allowed.</description>
|
||||
</property>
|
||||
</configuration>
|
||||
|
@ -468,6 +468,10 @@
|
||||
<Bug pattern="DC_DOUBLECHECK" />
|
||||
</Match>
|
||||
|
||||
<Match>
|
||||
<Class name="org.apache.hadoop.yarn.server.nodemanager.security.authorize.NMPolicyProvider"/>
|
||||
<Bug pattern="DC_DOUBLECHECK" />
|
||||
</Match>
|
||||
<!-- ApplicationClassLoader is deprecated and moved to hadoop-common; ignore
|
||||
warning on the identical name as it should be removed later -->
|
||||
<Match>
|
||||
|
@ -2248,6 +2248,9 @@ public static boolean isAclEnabled(Configuration conf) {
|
||||
public static final String
|
||||
YARN_SECURITY_SERVICE_AUTHORIZATION_APPLICATIONMASTER_PROTOCOL =
|
||||
"security.applicationmaster.protocol.acl";
|
||||
public static final String
|
||||
YARN_SECURITY_SERVICE_AUTHORIZATION_DISTRIBUTEDSCHEDULING_PROTOCOL =
|
||||
"security.distributedscheduling.protocol.acl";
|
||||
|
||||
public static final String
|
||||
YARN_SECURITY_SERVICE_AUTHORIZATION_CONTAINER_MANAGEMENT_PROTOCOL =
|
||||
@ -2264,6 +2267,10 @@ public static boolean isAclEnabled(Configuration conf) {
|
||||
YARN_SECURITY_SERVICE_AUTHORIZATION_COLLECTOR_NODEMANAGER_PROTOCOL =
|
||||
"security.collector-nodemanager.protocol.acl";
|
||||
|
||||
public static final String
|
||||
YARN_SECURITY_SERVICE_AUTHORIZATION_APPLICATIONMASTER_NODEMANAGER_PROTOCOL =
|
||||
"security.applicationmaster-nodemanager.applicationmaster.protocol.acl";
|
||||
|
||||
/** No. of milliseconds to wait between sending a SIGTERM and SIGKILL
|
||||
* to a running container */
|
||||
public static final String NM_SLEEP_DELAY_BEFORE_SIGKILL_MS =
|
||||
|
@ -68,6 +68,10 @@ public void initializeMemberVariables() {
|
||||
.YARN_SECURITY_SERVICE_AUTHORIZATION_RESOURCETRACKER_PROTOCOL);
|
||||
configurationPropsToSkipCompare.add(YarnConfiguration
|
||||
.YARN_SECURITY_SERVICE_AUTHORIZATION_COLLECTOR_NODEMANAGER_PROTOCOL);
|
||||
configurationPropsToSkipCompare.add(YarnConfiguration
|
||||
.YARN_SECURITY_SERVICE_AUTHORIZATION_DISTRIBUTEDSCHEDULING_PROTOCOL);
|
||||
configurationPropsToSkipCompare.add(YarnConfiguration
|
||||
.YARN_SECURITY_SERVICE_AUTHORIZATION_APPLICATIONMASTER_NODEMANAGER_PROTOCOL);
|
||||
configurationPropsToSkipCompare.add(YarnConfiguration.CURATOR_LEADER_ELECTOR);
|
||||
configurationPropsToSkipCompare
|
||||
.add(YarnConfiguration.RM_RESERVATION_SYSTEM_MAX_PERIODICITY);
|
||||
|
@ -70,6 +70,8 @@
|
||||
import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.Container;
|
||||
import org.apache.hadoop.yarn.server.nodemanager.recovery.NMStateStoreService.RecoveredAMRMProxyState;
|
||||
import org.apache.hadoop.yarn.server.nodemanager.scheduler.DistributedScheduler;
|
||||
import org.apache.hadoop.yarn.server.nodemanager.security.authorize
|
||||
.NMPolicyProvider;
|
||||
import org.apache.hadoop.yarn.server.security.MasterKeyData;
|
||||
import org.apache.hadoop.yarn.server.utils.BuilderUtils;
|
||||
import org.apache.hadoop.yarn.server.utils.YarnServerSecurityUtils;
|
||||
@ -169,6 +171,12 @@ protected void serviceStart() throws Exception {
|
||||
listenerEndpoint, serverConf, this.secretManager,
|
||||
numWorkerThreads);
|
||||
|
||||
if (conf
|
||||
.getBoolean(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHORIZATION,
|
||||
false)) {
|
||||
this.server.refreshServiceAcl(conf, NMPolicyProvider.getInstance());
|
||||
}
|
||||
|
||||
this.server.start();
|
||||
LOG.info("AMRMProxyService listening on address: "
|
||||
+ this.server.getListenerAddress());
|
||||
|
@ -87,7 +87,7 @@ protected void serviceStart() throws Exception {
|
||||
|
||||
if (conf.getBoolean(
|
||||
CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHORIZATION, false)) {
|
||||
server.refreshServiceAcl(conf, new NMPolicyProvider());
|
||||
server.refreshServiceAcl(conf, NMPolicyProvider.getInstance());
|
||||
}
|
||||
|
||||
server.start();
|
||||
|
@ -610,7 +610,7 @@ protected void serviceStart() throws Exception {
|
||||
if (conf.getBoolean(
|
||||
CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHORIZATION,
|
||||
false)) {
|
||||
refreshServiceAcls(conf, new NMPolicyProvider());
|
||||
refreshServiceAcls(conf, NMPolicyProvider.getInstance());
|
||||
}
|
||||
|
||||
String bindHost = conf.get(YarnConfiguration.NM_BIND_HOST);
|
||||
|
@ -406,7 +406,7 @@ Server createServer() {
|
||||
if (conf.getBoolean(
|
||||
CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHORIZATION,
|
||||
false)) {
|
||||
server.refreshServiceAcl(conf, new NMPolicyProvider());
|
||||
server.refreshServiceAcl(conf, NMPolicyProvider.getInstance());
|
||||
}
|
||||
|
||||
return server;
|
||||
|
@ -21,6 +21,7 @@
|
||||
import org.apache.hadoop.classification.InterfaceStability;
|
||||
import org.apache.hadoop.security.authorize.PolicyProvider;
|
||||
import org.apache.hadoop.security.authorize.Service;
|
||||
import org.apache.hadoop.yarn.api.ApplicationMasterProtocolPB;
|
||||
import org.apache.hadoop.yarn.api.ContainerManagementProtocolPB;
|
||||
import org.apache.hadoop.yarn.conf.YarnConfiguration;
|
||||
import org.apache.hadoop.yarn.server.api.CollectorNodemanagerProtocolPB;
|
||||
@ -32,7 +33,24 @@
|
||||
@InterfaceAudience.Private
|
||||
@InterfaceStability.Unstable
|
||||
public class NMPolicyProvider extends PolicyProvider {
|
||||
|
||||
|
||||
private static NMPolicyProvider nmPolicyProvider = null;
|
||||
|
||||
private NMPolicyProvider() {}
|
||||
|
||||
@InterfaceAudience.Private
|
||||
@InterfaceStability.Unstable
|
||||
public static NMPolicyProvider getInstance() {
|
||||
if (nmPolicyProvider == null) {
|
||||
synchronized(NMPolicyProvider.class) {
|
||||
if (nmPolicyProvider == null) {
|
||||
nmPolicyProvider = new NMPolicyProvider();
|
||||
}
|
||||
}
|
||||
}
|
||||
return nmPolicyProvider;
|
||||
}
|
||||
|
||||
private static final Service[] NODE_MANAGER_SERVICES =
|
||||
new Service[] {
|
||||
new Service(YarnConfiguration.
|
||||
@ -43,7 +61,10 @@ public class NMPolicyProvider extends PolicyProvider {
|
||||
LocalizationProtocolPB.class),
|
||||
new Service(YarnConfiguration.
|
||||
YARN_SECURITY_SERVICE_AUTHORIZATION_COLLECTOR_NODEMANAGER_PROTOCOL,
|
||||
CollectorNodemanagerProtocolPB.class)
|
||||
CollectorNodemanagerProtocolPB.class),
|
||||
new Service(YarnConfiguration.
|
||||
YARN_SECURITY_SERVICE_AUTHORIZATION_APPLICATIONMASTER_NODEMANAGER_PROTOCOL,
|
||||
ApplicationMasterProtocolPB.class),
|
||||
};
|
||||
|
||||
@Override
|
||||
|
@ -29,6 +29,7 @@
|
||||
import org.apache.hadoop.yarn.api.ApplicationClientProtocolPB;
|
||||
import org.apache.hadoop.yarn.api.ContainerManagementProtocolPB;
|
||||
import org.apache.hadoop.yarn.conf.YarnConfiguration;
|
||||
import org.apache.hadoop.yarn.server.api.DistributedSchedulingAMProtocolPB;
|
||||
import org.apache.hadoop.yarn.server.api.ResourceManagerAdministrationProtocolPB;
|
||||
import org.apache.hadoop.yarn.server.api.ResourceTrackerPB;
|
||||
|
||||
@ -67,6 +68,8 @@ public static RMPolicyProvider getInstance() {
|
||||
new Service(
|
||||
YarnConfiguration.YARN_SECURITY_SERVICE_AUTHORIZATION_APPLICATIONMASTER_PROTOCOL,
|
||||
ApplicationMasterProtocolPB.class),
|
||||
new Service(YarnConfiguration.YARN_SECURITY_SERVICE_AUTHORIZATION_DISTRIBUTEDSCHEDULING_PROTOCOL,
|
||||
DistributedSchedulingAMProtocolPB.class),
|
||||
new Service(
|
||||
YarnConfiguration.YARN_SECURITY_SERVICE_AUTHORIZATION_RESOURCEMANAGER_ADMINISTRATION_PROTOCOL,
|
||||
ResourceManagerAdministrationProtocolPB.class),
|
||||
|
Loading…
Reference in New Issue
Block a user