
Example 1 with Groups

use of org.apache.hadoop.security.Groups in project hadoop by apache.

the class TestUserGroupMappingPlacementRule method verifyQueueMapping.

/**
 * Builds a placement rule around a single queue mapping and checks which
 * queue it picks for the given user and requested queue.
 *
 * @param queueMapping the only mapping handed to the rule
 * @param inputUser user name passed to the rule alongside the submission
 * @param inputQueue queue set on the submission context before the rule runs
 * @param expectedQueue queue name the rule is expected to return
 * @param overwrite forwarded as the rule's first constructor argument
 * @throws YarnException declared here; presumably raised by getQueueForApp
 */
private void verifyQueueMapping(QueueMapping queueMapping, String inputUser, String inputQueue, String expectedQueue, boolean overwrite) throws YarnException {
    // The group resolver is built from the test's own configuration object.
    Groups groupResolver = new Groups(conf);
    UserGroupMappingPlacementRule placementRule =
        new UserGroupMappingPlacementRule(overwrite, Arrays.asList(queueMapping), groupResolver);

    // Fresh submission record carrying only the queue the caller asked for.
    ApplicationSubmissionContext submission = Records.newRecord(ApplicationSubmissionContext.class);
    submission.setQueue(inputQueue);

    String selectedQueue = placementRule.getQueueForApp(submission, inputUser);
    Assert.assertEquals(expectedQueue, selectedQueue);
}
Also used : Groups(org.apache.hadoop.security.Groups) ApplicationSubmissionContext(org.apache.hadoop.yarn.api.records.ApplicationSubmissionContext)

Example 2 with Groups

use of org.apache.hadoop.security.Groups in project hadoop by apache.

the class CapacityScheduler method getUserGroupMappingPlacementRule.

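/**
 * Builds the user/group placement rule from the queue mappings currently
 * present in the scheduler configuration.
 *
 * <p>Every mapping must name an existing leaf queue, except for the two
 * placeholder values {@code CURRENT_USER_MAPPING} and
 * {@code PRIMARY_GROUP_MAPPING}, which are not checked against the queue
 * hierarchy here.
 *
 * @return the placement rule, or {@code null} when no mappings are configured
 * @throws IOException if a mapping names a queue that is missing or is not a
 *         leaf queue
 */
@VisibleForTesting
public UserGroupMappingPlacementRule getUserGroupMappingPlacementRule() throws IOException {
    // Take the lock before entering the try block: if lock() itself fails,
    // the finally clause must not call unlock() on a lock this thread never held.
    readLock.lock();
    try {
        boolean overrideWithQueueMappings = conf.getOverrideWithQueueMappings();
        // NOTE(review): this is logged before the mappings are validated below,
        // so the line also appears when validation later rejects the config.
        LOG.info("Initialized queue mappings, override: " + overrideWithQueueMappings);

        // Get new user/group mappings
        List<QueueMapping> newMappings = conf.getQueueMappings();

        // Reject any mapping whose target is not a real leaf queue, so that a
        // misconfigured mapping fails here rather than at placement time.
        for (QueueMapping mapping : newMappings) {
            String mappingQueue = mapping.getQueue();
            boolean isPlaceholder =
                mappingQueue.equals(UserGroupMappingPlacementRule.CURRENT_USER_MAPPING)
                    || mappingQueue.equals(UserGroupMappingPlacementRule.PRIMARY_GROUP_MAPPING);
            if (isPlaceholder) {
                // Placeholders are not looked up in the queue hierarchy here;
                // presumably they are resolved per submission (confirm in the rule).
                continue;
            }
            CSQueue queue = getQueue(mappingQueue);
            // instanceof is false for null, so this also covers a missing queue.
            if (!(queue instanceof LeafQueue)) {
                throw new IOException("mapping contains invalid or non-leaf queue " + mappingQueue);
            }
        }

        // Without mappings there is nothing to resolve, so no Groups service is created.
        if (newMappings.isEmpty()) {
            return null;
        }
        Groups groups = new Groups(conf);
        return new UserGroupMappingPlacementRule(overrideWithQueueMappings, newMappings, groups);
    } finally {
        readLock.unlock();
    }
}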
Also used : Groups(org.apache.hadoop.security.Groups) UserGroupMappingPlacementRule(org.apache.hadoop.yarn.server.resourcemanager.placement.UserGroupMappingPlacementRule) QueueMapping(org.apache.hadoop.yarn.server.resourcemanager.placement.UserGroupMappingPlacementRule.QueueMapping) IOException(java.io.IOException) VisibleForTesting(com.google.common.annotations.VisibleForTesting)

Example 3 with Groups

use of org.apache.hadoop.security.Groups in project hadoop by apache.

the class JavaSandboxLinuxContainerRuntime method isSandboxContainerWhitelisted.

/**
 * Decide whether the container is whitelisted, i.e. exempt from the Java
 * Security Manager.
 *
 * <p>The container is whitelisted only when all of the following hold: a
 * whitelist group is configured, the container user belongs to it, at least
 * one command is present, and no command contains the security flag. Every
 * other case returns {@code false}, so the sandbox stays in force by default.
 *
 * @param ctx The container runtime context for the requested container
 * @param commands The list of run commands for the container
 * @return {@code true} if the container should be whitelisted
 * @throws ContainerExecutionException If the group lookup for the container
 *         user fails
 */
private boolean isSandboxContainerWhitelisted(ContainerRuntimeContext ctx, List<String> commands) throws ContainerExecutionException {
    String whitelistGroup = configuration.get(YarnConfiguration.YARN_CONTAINER_SANDBOX_WHITELIST_GROUP);
    Groups groupService = Groups.getUserToGroupsMappingService(configuration);

    List<String> memberships;
    try {
        memberships = groupService.getGroups(ctx.getExecutionAttribute(USER));
    } catch (IOException e) {
        // NOTE(review): the IOException is not chained, so any lookup failure
        // is reported with the same fixed "user does not exist" message.
        throw new ContainerExecutionException("Container user does not exist");
    }

    // No whitelist group configured, or the user is not a member: stay sandboxed.
    if (whitelistGroup == null || !memberships.contains(whitelistGroup)) {
        return false;
    }

    // A single command carrying the security flag disables whitelisting for
    // the whole container; an empty command list is never whitelisted.
    boolean sawCommand = false;
    for (String command : commands) {
        if (command.contains(NMContainerPolicyUtils.SECURITY_FLAG)) {
            return false;
        }
        sawCommand = true;
    }
    return sawCommand;
}
Also used : ContainerExecutionException(org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerExecutionException) Groups(org.apache.hadoop.security.Groups) IOException(java.io.IOException)

Example 4 with Groups

use of org.apache.hadoop.security.Groups in project hadoop by apache.

the class TestGroupsCaching method testOnlyOneRequestWhenNoEntryIsCached.

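/**
 * Ten threads look up the same uncached user at once; the test expects the
 * fake mapping to have been asked only once.
 *
 * <p>Failures raised inside the worker threads are captured and rethrown on
 * the test thread. An AssertionError thrown in a worker would otherwise only
 * end that thread and the test could still pass.
 */
@Test
public void testOnlyOneRequestWhenNoEntryIsCached() throws Exception {
    // Disable negative cache.
    conf.setLong(CommonConfigurationKeys.HADOOP_SECURITY_GROUPS_NEGATIVE_CACHE_SECS, 0);
    final Groups groups = new Groups(conf);
    groups.cacheGroupsAdd(Arrays.asList(myGroups));
    groups.refresh();
    FakeGroupMapping.clearBlackList();
    // Slow the fake backend down so the concurrent lookups overlap.
    FakeGroupMapping.setGetGroupsDelayMs(100);

    // Holds the first failure seen in any worker; guarded by its own monitor.
    final Throwable[] workerFailure = new Throwable[1];
    ArrayList<Thread> threads = new ArrayList<Thread>();
    for (int i = 0; i < 10; i++) {
        threads.add(new Thread() {

            @Override
            public void run() {
                try {
                    assertEquals(2, groups.getGroups("me").size());
                } catch (Throwable t) {
                    // Covers both the IOException from the lookup and the
                    // AssertionError from a wrong group count.
                    synchronized (workerFailure) {
                        if (workerFailure[0] == null) {
                            workerFailure[0] = t;
                        }
                    }
                }
            }
        });
    }
    // We start a bunch of threads who all see no cached value
    for (Thread t : threads) {
        t.start();
    }
    for (Thread t : threads) {
        t.join();
    }
    // join() makes the workers' writes visible here.
    if (workerFailure[0] != null) {
        throw new AssertionError("Worker thread failed", workerFailure[0]);
    }
    // But only one thread should have made the request
    assertEquals(1, FakeGroupMapping.getRequestCount());
}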
Also used : Groups(org.apache.hadoop.security.Groups) ArrayList(java.util.ArrayList) IOException(java.io.IOException) Test(org.junit.Test)

Example 5 with Groups

use of org.apache.hadoop.security.Groups in project hadoop by apache.

the class TestGroupsCaching method testGroupsCaching.

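/**
 * Checks what the group cache keeps with negative caching disabled: a
 * successful lookup is served from cache even after the fake backend starts
 * rejecting that user, while a failed lookup is not remembered.
 *
 * <p>Group membership feeds authorization decisions, so this pins both sides:
 * a cached positive entry can outlive a backend change, and a lookup failure
 * must not stick once the backend recovers.
 */
@Test
public void testGroupsCaching() throws Exception {
    // Disable negative cache.
    conf.setLong(CommonConfigurationKeys.HADOOP_SECURITY_GROUPS_NEGATIVE_CACHE_SECS, 0);
    Groups groups = new Groups(conf);
    groups.cacheGroupsAdd(Arrays.asList(myGroups));
    groups.refresh();
    FakeGroupMapping.clearBlackList();
    FakeGroupMapping.addToBlackList("user1");

    // regular entry; assertEquals reports the actual size on failure
    assertEquals(2, groups.getGroups("me").size());

    // this must be cached. blacklisting should have no effect.
    FakeGroupMapping.addToBlackList("me");
    assertEquals(2, groups.getGroups("me").size());

    // ask for a negative entry
    try {
        TESTLOG.error("We are not supposed to get here." + groups.getGroups("user1").toString());
        fail("Lookup of a blacklisted user returned groups instead of throwing");
    } catch (IOException ioe) {
        // Only the "No groups found" failure is the expected outcome.
        if (!ioe.getMessage().startsWith("No groups found")) {
            TESTLOG.error("Got unexpected exception: " + ioe.getMessage());
            fail("Unexpected IOException message: " + ioe.getMessage());
        }
    }

    // this shouldn't be cached. remove from the black list and retry.
    FakeGroupMapping.clearBlackList();
    assertEquals(2, groups.getGroups("user1").size());
}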
Also used : Groups(org.apache.hadoop.security.Groups) IOException(java.io.IOException) Test(org.junit.Test)
