YARN-3804. Both RM are on standBy state when kerberos user not in yarn.admin.acl. Contributed by Varun Saxena
This commit is contained in:
parent
2de586f60d
commit
a826d432f9
@ -681,6 +681,9 @@ Release 2.7.1 - UNRELEASED
|
||||
YARN-3764. CapacityScheduler should forbid moving LeafQueue from one parent
|
||||
to another. (Wangda Tan via jianhe)
|
||||
|
||||
YARN-3804. Both RM are on standBy state when kerberos user not in yarn.admin.acl
|
||||
(Varun Saxena via xgong)
|
||||
|
||||
Release 2.7.0 - 2015-04-20
|
||||
|
||||
INCOMPATIBLE CHANGES
|
||||
|
@ -112,6 +112,8 @@ public class AdminService extends CompositeService implements
|
||||
private final RecordFactory recordFactory =
|
||||
RecordFactoryProvider.getRecordFactory(null);
|
||||
|
||||
private UserGroupInformation daemonUser;
|
||||
|
||||
@VisibleForTesting
|
||||
boolean isDistributedNodeLabelConfiguration = false;
|
||||
|
||||
@ -138,10 +140,9 @@ public void serviceInit(Configuration conf) throws Exception {
|
||||
YarnConfiguration.RM_ADMIN_ADDRESS,
|
||||
YarnConfiguration.DEFAULT_RM_ADMIN_ADDRESS,
|
||||
YarnConfiguration.DEFAULT_RM_ADMIN_PORT);
|
||||
daemonUser = UserGroupInformation.getCurrentUser();
|
||||
authorizer = YarnAuthorizationProvider.getInstance(conf);
|
||||
authorizer.setAdmins(new AccessControlList(conf.get(
|
||||
YarnConfiguration.YARN_ADMIN_ACL,
|
||||
YarnConfiguration.DEFAULT_YARN_ADMIN_ACL)), UserGroupInformation
|
||||
authorizer.setAdmins(getAdminAclList(conf), UserGroupInformation
|
||||
.getCurrentUser());
|
||||
rmId = conf.get(YarnConfiguration.RM_HA_ID);
|
||||
|
||||
@ -151,6 +152,14 @@ public void serviceInit(Configuration conf) throws Exception {
|
||||
super.serviceInit(conf);
|
||||
}
|
||||
|
||||
private AccessControlList getAdminAclList(Configuration conf) {
|
||||
AccessControlList aclList = new AccessControlList(conf.get(
|
||||
YarnConfiguration.YARN_ADMIN_ACL,
|
||||
YarnConfiguration.DEFAULT_YARN_ADMIN_ACL));
|
||||
aclList.addUser(daemonUser.getShortUserName());
|
||||
return aclList;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected void serviceStart() throws Exception {
|
||||
startServer();
|
||||
@ -470,9 +479,7 @@ private RefreshAdminAclsResponse refreshAdminAcls(boolean checkRMHAState)
|
||||
Configuration conf =
|
||||
getConfiguration(new Configuration(false),
|
||||
YarnConfiguration.YARN_SITE_CONFIGURATION_FILE);
|
||||
authorizer.setAdmins(new AccessControlList(conf.get(
|
||||
YarnConfiguration.YARN_ADMIN_ACL,
|
||||
YarnConfiguration.DEFAULT_YARN_ADMIN_ACL)), UserGroupInformation
|
||||
authorizer.setAdmins(getAdminAclList(conf), UserGroupInformation
|
||||
.getCurrentUser());
|
||||
RMAuditLogger.logSuccess(user.getShortUserName(), argName,
|
||||
"AdminService");
|
||||
|
@ -38,12 +38,14 @@
|
||||
import org.apache.hadoop.ha.HAServiceProtocol;
|
||||
import org.apache.hadoop.ha.HAServiceProtocol.HAServiceState;
|
||||
import org.apache.hadoop.ha.HAServiceProtocol.StateChangeRequestInfo;
|
||||
import org.apache.hadoop.security.AccessControlException;
|
||||
import org.apache.hadoop.security.GroupMappingServiceProvider;
|
||||
import org.apache.hadoop.security.Groups;
|
||||
import org.apache.hadoop.security.UserGroupInformation;
|
||||
import org.apache.hadoop.security.authorize.AccessControlList;
|
||||
import org.apache.hadoop.security.authorize.ProxyUsers;
|
||||
import org.apache.hadoop.security.authorize.ServiceAuthorizationManager;
|
||||
import org.apache.hadoop.yarn.LocalConfigurationProvider;
|
||||
import org.apache.hadoop.yarn.api.records.DecommissionType;
|
||||
import org.apache.hadoop.yarn.api.records.NodeId;
|
||||
import org.apache.hadoop.yarn.conf.HAUtil;
|
||||
@ -208,7 +210,8 @@ public void testAdminAclsWithFileSystemBasedConfigurationProvider()
|
||||
rm.adminService.getAccessControlList().getAclString().trim();
|
||||
|
||||
Assert.assertTrue(!aclStringAfter.equals(aclStringBefore));
|
||||
Assert.assertEquals(aclStringAfter, "world:anyone:rwcda");
|
||||
Assert.assertEquals(aclStringAfter, "world:anyone:rwcda," +
|
||||
UserGroupInformation.getCurrentUser().getShortUserName());
|
||||
}
|
||||
|
||||
@Test
|
||||
@ -695,7 +698,8 @@ public void testRMInitialsWithFileSystemBasedConfigurationProvider()
|
||||
String aclStringAfter =
|
||||
resourceManager.adminService.getAccessControlList()
|
||||
.getAclString().trim();
|
||||
Assert.assertEquals(aclStringAfter, "world:anyone:rwcda");
|
||||
Assert.assertEquals(aclStringAfter, "world:anyone:rwcda," +
|
||||
UserGroupInformation.getCurrentUser().getShortUserName());
|
||||
|
||||
// validate values for queue configuration
|
||||
CapacityScheduler cs =
|
||||
@ -761,6 +765,47 @@ public void testRMInitialsWithFileSystemBasedConfigurationProvider()
|
||||
}
|
||||
}
|
||||
|
||||
/* For verifying fix for YARN-3804 */
|
||||
@Test
|
||||
public void testRefreshAclWithDaemonUser() throws Exception {
|
||||
String daemonUser =
|
||||
UserGroupInformation.getCurrentUser().getShortUserName();
|
||||
configuration.set(YarnConfiguration.RM_CONFIGURATION_PROVIDER_CLASS,
|
||||
"org.apache.hadoop.yarn.FileSystemBasedConfigurationProvider");
|
||||
|
||||
uploadDefaultConfiguration();
|
||||
YarnConfiguration yarnConf = new YarnConfiguration();
|
||||
yarnConf.set(YarnConfiguration.YARN_ADMIN_ACL, daemonUser + "xyz");
|
||||
uploadConfiguration(yarnConf, "yarn-site.xml");
|
||||
|
||||
try {
|
||||
rm = new MockRM(configuration);
|
||||
rm.init(configuration);
|
||||
rm.start();
|
||||
} catch(Exception ex) {
|
||||
fail("Should not get any exceptions");
|
||||
}
|
||||
|
||||
assertEquals(daemonUser + "xyz," + daemonUser,
|
||||
rm.adminService.getAccessControlList().getAclString().trim());
|
||||
|
||||
yarnConf = new YarnConfiguration();
|
||||
yarnConf.set(YarnConfiguration.YARN_ADMIN_ACL, daemonUser + "abc");
|
||||
uploadConfiguration(yarnConf, "yarn-site.xml");
|
||||
try {
|
||||
rm.adminService.refreshAdminAcls(RefreshAdminAclsRequest.newInstance());
|
||||
} catch (YarnException e) {
|
||||
if (e.getCause() != null &&
|
||||
e.getCause() instanceof AccessControlException) {
|
||||
fail("Refresh should not have failed due to incorrect ACL");
|
||||
}
|
||||
throw e;
|
||||
}
|
||||
|
||||
assertEquals(daemonUser + "abc," + daemonUser,
|
||||
rm.adminService.getAccessControlList().getAclString().trim());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testModifyLabelsOnNodesWithDistributedConfigurationDisabled()
|
||||
throws IOException, YarnException {
|
||||
|
Loading…
Reference in New Issue
Block a user