YARN-3804. Both RM are on standBy state when kerberos user not in yarn.admin.acl. Contributed by Varun Saxena

This commit is contained in:
Xuan 2015-06-17 16:23:27 -07:00
parent 2de586f60d
commit a826d432f9
3 changed files with 63 additions and 8 deletions

View File

@ -681,6 +681,9 @@ Release 2.7.1 - UNRELEASED
YARN-3764. CapacityScheduler should forbid moving LeafQueue from one parent
to another. (Wangda Tan via jianhe)
YARN-3804. Both RM are on standBy state when kerberos user not in yarn.admin.acl
(Varun Saxena via xgong)
Release 2.7.0 - 2015-04-20
INCOMPATIBLE CHANGES

View File

@ -112,6 +112,8 @@ public class AdminService extends CompositeService implements
private final RecordFactory recordFactory =
RecordFactoryProvider.getRecordFactory(null);
private UserGroupInformation daemonUser;
@VisibleForTesting
boolean isDistributedNodeLabelConfiguration = false;
@ -138,10 +140,9 @@ public void serviceInit(Configuration conf) throws Exception {
YarnConfiguration.RM_ADMIN_ADDRESS,
YarnConfiguration.DEFAULT_RM_ADMIN_ADDRESS,
YarnConfiguration.DEFAULT_RM_ADMIN_PORT);
daemonUser = UserGroupInformation.getCurrentUser();
authorizer = YarnAuthorizationProvider.getInstance(conf);
authorizer.setAdmins(new AccessControlList(conf.get(
YarnConfiguration.YARN_ADMIN_ACL,
YarnConfiguration.DEFAULT_YARN_ADMIN_ACL)), UserGroupInformation
authorizer.setAdmins(getAdminAclList(conf), UserGroupInformation
.getCurrentUser());
rmId = conf.get(YarnConfiguration.RM_HA_ID);
@ -151,6 +152,14 @@ public void serviceInit(Configuration conf) throws Exception {
super.serviceInit(conf);
}
private AccessControlList getAdminAclList(Configuration conf) {
AccessControlList aclList = new AccessControlList(conf.get(
YarnConfiguration.YARN_ADMIN_ACL,
YarnConfiguration.DEFAULT_YARN_ADMIN_ACL));
aclList.addUser(daemonUser.getShortUserName());
return aclList;
}
@Override
protected void serviceStart() throws Exception {
startServer();
@ -470,9 +479,7 @@ private RefreshAdminAclsResponse refreshAdminAcls(boolean checkRMHAState)
Configuration conf =
getConfiguration(new Configuration(false),
YarnConfiguration.YARN_SITE_CONFIGURATION_FILE);
authorizer.setAdmins(new AccessControlList(conf.get(
YarnConfiguration.YARN_ADMIN_ACL,
YarnConfiguration.DEFAULT_YARN_ADMIN_ACL)), UserGroupInformation
authorizer.setAdmins(getAdminAclList(conf), UserGroupInformation
.getCurrentUser());
RMAuditLogger.logSuccess(user.getShortUserName(), argName,
"AdminService");

View File

@ -38,12 +38,14 @@
import org.apache.hadoop.ha.HAServiceProtocol;
import org.apache.hadoop.ha.HAServiceProtocol.HAServiceState;
import org.apache.hadoop.ha.HAServiceProtocol.StateChangeRequestInfo;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.GroupMappingServiceProvider;
import org.apache.hadoop.security.Groups;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AccessControlList;
import org.apache.hadoop.security.authorize.ProxyUsers;
import org.apache.hadoop.security.authorize.ServiceAuthorizationManager;
import org.apache.hadoop.yarn.LocalConfigurationProvider;
import org.apache.hadoop.yarn.api.records.DecommissionType;
import org.apache.hadoop.yarn.api.records.NodeId;
import org.apache.hadoop.yarn.conf.HAUtil;
@ -208,7 +210,8 @@ public void testAdminAclsWithFileSystemBasedConfigurationProvider()
rm.adminService.getAccessControlList().getAclString().trim();
Assert.assertTrue(!aclStringAfter.equals(aclStringBefore));
Assert.assertEquals(aclStringAfter, "world:anyone:rwcda");
Assert.assertEquals(aclStringAfter, "world:anyone:rwcda," +
UserGroupInformation.getCurrentUser().getShortUserName());
}
@Test
@ -695,7 +698,8 @@ public void testRMInitialsWithFileSystemBasedConfigurationProvider()
String aclStringAfter =
resourceManager.adminService.getAccessControlList()
.getAclString().trim();
Assert.assertEquals(aclStringAfter, "world:anyone:rwcda");
Assert.assertEquals(aclStringAfter, "world:anyone:rwcda," +
UserGroupInformation.getCurrentUser().getShortUserName());
// validate values for queue configuration
CapacityScheduler cs =
@ -761,6 +765,47 @@ public void testRMInitialsWithFileSystemBasedConfigurationProvider()
}
}
/* For verifying fix for YARN-3804 */
@Test
public void testRefreshAclWithDaemonUser() throws Exception {
String daemonUser =
UserGroupInformation.getCurrentUser().getShortUserName();
configuration.set(YarnConfiguration.RM_CONFIGURATION_PROVIDER_CLASS,
"org.apache.hadoop.yarn.FileSystemBasedConfigurationProvider");
uploadDefaultConfiguration();
YarnConfiguration yarnConf = new YarnConfiguration();
yarnConf.set(YarnConfiguration.YARN_ADMIN_ACL, daemonUser + "xyz");
uploadConfiguration(yarnConf, "yarn-site.xml");
try {
rm = new MockRM(configuration);
rm.init(configuration);
rm.start();
} catch(Exception ex) {
fail("Should not get any exceptions");
}
assertEquals(daemonUser + "xyz," + daemonUser,
rm.adminService.getAccessControlList().getAclString().trim());
yarnConf = new YarnConfiguration();
yarnConf.set(YarnConfiguration.YARN_ADMIN_ACL, daemonUser + "abc");
uploadConfiguration(yarnConf, "yarn-site.xml");
try {
rm.adminService.refreshAdminAcls(RefreshAdminAclsRequest.newInstance());
} catch (YarnException e) {
if (e.getCause() != null &&
e.getCause() instanceof AccessControlException) {
fail("Refresh should not have failed due to incorrect ACL");
}
throw e;
}
assertEquals(daemonUser + "abc," + daemonUser,
rm.adminService.getAccessControlList().getAclString().trim());
}
@Test
public void testModifyLabelsOnNodesWithDistributedConfigurationDisabled()
throws IOException, YarnException {