
Example 6 with AccessControlList

use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache.

the class QueueACLsTestBase method createACLs.

/**
 * Builds the application ACL strings for the VIEW_APP and MODIFY_APP access types.
 *
 * <p>Both lists start from the empty ACL string. Only when {@code setupACLs} is true are
 * {@code submitter} and {@code COMMON_USER} added, and they are added to the view list and
 * the modify list alike. With {@code setupACLs} false the returned map carries the string
 * form of two lists to which no principal was added.
 *
 * @param submitter user name to place on both lists when {@code setupACLs} is true
 * @param setupACLs whether the two lists are populated at all
 * @return map from VIEW_APP and MODIFY_APP to the matching ACL string
 */
private Map<ApplicationAccessType, String> createACLs(String submitter, boolean setupACLs) {
    AccessControlList viewers = new AccessControlList("");
    AccessControlList modifiers = new AccessControlList("");
    if (setupACLs) {
        // The same two principals go on both lists, so view and modify rights never diverge here.
        for (String user : new String[] { submitter, COMMON_USER }) {
            viewers.addUser(user);
            modifiers.addUser(user);
        }
    }
    Map<ApplicationAccessType, String> aclStrings = new HashMap<ApplicationAccessType, String>();
    aclStrings.put(ApplicationAccessType.VIEW_APP, viewers.getAclString());
    aclStrings.put(ApplicationAccessType.MODIFY_APP, modifiers.getAclString());
    return aclStrings;
}
Also used : AccessControlList(org.apache.hadoop.security.authorize.AccessControlList) HashMap(java.util.HashMap) ApplicationAccessType(org.apache.hadoop.yarn.api.records.ApplicationAccessType)

Example 7 with AccessControlList

use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache.

the class ReservationACLsTestBase method createCapacitySchedulerConfiguration.

/**
 * Creates the CapacityScheduler configuration used by the reservation ACL tests.
 *
 * <p>Three queues are defined under the root queue with capacities 50, 20 and 30, and all
 * three are marked reservable. Reservation ACLs (submit, administer, list) are configured on
 * queues A and B only: submit and administer are given to a queue-specific user and admin,
 * while list is given to {@code COMMON_USER} on both queues. The reservation system, YARN
 * ACLs and reservation ACLs are all switched on.
 *
 * <p>NOTE(review): queue C is reservable but gets no reservation ACLs in this method, so
 * access to its reservations depends on what the scheduler applies when none are
 * configured, which is not visible here; confirm the tests rely on that deliberately.
 *
 * @return the populated configuration
 */
private static Configuration createCapacitySchedulerConfiguration() {
    final String root = CapacitySchedulerConfiguration.ROOT;
    CapacitySchedulerConfiguration conf = new CapacitySchedulerConfiguration();
    conf.setQueues(root, new String[] { QUEUEA, QUEUEB, QUEUEC });

    String pathA = root + "." + QUEUEA;
    String pathB = root + "." + QUEUEB;
    String pathC = root + "." + QUEUEC;

    conf.setCapacity(pathA, 50f);
    conf.setCapacity(pathB, 20f);
    conf.setCapacity(pathC, 30f);

    conf.setReservable(pathA, true);
    conf.setReservable(pathB, true);
    conf.setReservable(pathC, true);

    // Queue A: one principal per reservation permission.
    Map<ReservationACL, AccessControlList> aclsForA = new HashMap<>();
    aclsForA.put(ReservationACL.SUBMIT_RESERVATIONS, new AccessControlList(QUEUE_A_USER));
    aclsForA.put(ReservationACL.ADMINISTER_RESERVATIONS, new AccessControlList(QUEUE_A_ADMIN));
    aclsForA.put(ReservationACL.LIST_RESERVATIONS, new AccessControlList(COMMON_USER));
    conf.setReservationAcls(pathA, aclsForA);

    // Queue B: same layout with its own user and admin; list is again COMMON_USER.
    Map<ReservationACL, AccessControlList> aclsForB = new HashMap<>();
    aclsForB.put(ReservationACL.SUBMIT_RESERVATIONS, new AccessControlList(QUEUE_B_USER));
    aclsForB.put(ReservationACL.ADMINISTER_RESERVATIONS, new AccessControlList(QUEUE_B_ADMIN));
    aclsForB.put(ReservationACL.LIST_RESERVATIONS, new AccessControlList(COMMON_USER));
    conf.setReservationAcls(pathB, aclsForB);

    // All three switches are set explicitly so the ACLs above are actually enforced.
    conf.setBoolean(YarnConfiguration.RM_RESERVATION_SYSTEM_ENABLE, true);
    conf.setBoolean(YarnConfiguration.YARN_ACL_ENABLE, true);
    conf.setBoolean(YarnConfiguration.YARN_RESERVATION_ACL_ENABLE, true);
    conf.set(YarnConfiguration.RM_SCHEDULER, CapacityScheduler.class.getName());
    return conf;
}
Also used : AccessControlList(org.apache.hadoop.security.authorize.AccessControlList) HashMap(java.util.HashMap) ReservationACL(org.apache.hadoop.yarn.api.records.ReservationACL) CapacitySchedulerConfiguration(org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.CapacitySchedulerConfiguration) CapacityScheduler(org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.CapacityScheduler)

Example 8 with AccessControlList

use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache.

the class TestJobAclsManager method testClusterNoAdmins.

/**
 * Checks job ACL decisions when MR ACLs are enabled and the VIEW_JOB ACL is set to the
 * empty string: a user other than the job owner is denied both view and modify access,
 * while the job owner is granted both.
 *
 * <p>Only the VIEW_JOB ACL is set in the configuration; the MODIFY_JOB entry is whatever
 * {@code constructJobACLs} produces for an unset key.
 */
@Test
public void testClusterNoAdmins() {
    final String jobOwner = "testuser";
    final String noAdminUser = "testuser2";

    Configuration conf = new Configuration();
    conf.set(JobACL.VIEW_JOB.getAclName(), "");
    conf.setBoolean(MRConfig.MR_ACLS_ENABLED, true);

    JobACLsManager aclsManager = new JobACLsManager(conf);
    final Map<JobACL, AccessControlList> jobACLs = aclsManager.constructJobACLs(conf);

    // A caller who is neither the owner nor on any ACL must be denied.
    UserGroupInformation callerUGI = UserGroupInformation.createUserForTesting(noAdminUser, new String[] {});
    boolean canView = aclsManager.checkAccess(callerUGI, JobACL.VIEW_JOB, jobOwner, jobACLs.get(JobACL.VIEW_JOB));
    assertFalse("random user should not have view access", canView);
    boolean canModify = aclsManager.checkAccess(callerUGI, JobACL.MODIFY_JOB, jobOwner, jobACLs.get(JobACL.MODIFY_JOB));
    assertFalse("random user should not have modify access", canModify);

    // The owner is allowed even though the view ACL names nobody.
    callerUGI = UserGroupInformation.createUserForTesting(jobOwner, new String[] {});
    canView = aclsManager.checkAccess(callerUGI, JobACL.VIEW_JOB, jobOwner, jobACLs.get(JobACL.VIEW_JOB));
    assertTrue("owner should have view access", canView);
    canModify = aclsManager.checkAccess(callerUGI, JobACL.MODIFY_JOB, jobOwner, jobACLs.get(JobACL.MODIFY_JOB));
    assertTrue("owner should have modify access", canModify);
}
Also used : AccessControlList(org.apache.hadoop.security.authorize.AccessControlList) Configuration(org.apache.hadoop.conf.Configuration) HashMap(java.util.HashMap) JobACL(org.apache.hadoop.mapreduce.JobACL) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Test(org.junit.Test)

Example 9 with AccessControlList

use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache.

the class TimelineACLsManager method checkAccess.

/**
 * Decides whether a caller may access a timeline entity for the given access type.
 *
 * <p>Decision order, as implemented below:
 * <ol>
 *   <li>If ACLs are disabled, access is granted without looking at the caller, including
 *       when {@code callerUGI} is null.</li>
 *   <li>The entity's domain is looked up in the in-memory map and, failing that, loaded
 *       from the timeline store. A domain that cannot be found is an error, not a grant.</li>
 *   <li>If the domain has no ACL for the access type, the list built from
 *       {@code YarnConfiguration.DEFAULT_YARN_APP_ACL} is used instead.</li>
 *   <li>A null caller is denied. Otherwise access is granted to an admin, to the domain
 *       owner (compared by short user name), or to a caller allowed by the domain ACL.</li>
 * </ol>
 *
 * @param callerUGI the caller; may be null, in which case access is denied once ACLs are enabled
 * @param applicationAccessType the kind of access requested
 * @param entity the timeline entity being accessed
 * @return true if access is granted, false otherwise
 * @throws YarnException if no domain information exists for the entity's domain id
 * @throws IOException declared by this method; presumably raised while loading the domain
 *         from the timeline store (confirm against loadDomainFromTimelineStore)
 */
public boolean checkAccess(UserGroupInformation callerUGI, ApplicationAccessType applicationAccessType, TimelineEntity entity) throws YarnException, IOException {
    if (LOG.isDebugEnabled()) {
        String callerName = callerUGI == null ? null : callerUGI.getShortUserName();
        LOG.debug("Verifying the access of " + callerName + " on the timeline entity " + new EntityIdentifier(entity.getEntityId(), entity.getEntityType()));
    }
    if (!adminAclsManager.areACLsEnabled()) {
        return true;
    }

    // Resolve the domain's owner and ACLs: in-memory map first, then the timeline store.
    AccessControlListExt domainInfo = aclExts.get(entity.getDomainId());
    if (domainInfo == null) {
        domainInfo = loadDomainFromTimelineStore(entity.getDomainId());
        if (domainInfo == null) {
            // Fail closed: an unknown domain raises instead of granting access.
            throw new YarnException("Domain information of the timeline entity " + new EntityIdentifier(entity.getEntityId(), entity.getEntityType()) + " doesn't exist.");
        }
    }

    String owner = domainInfo.owner;
    AccessControlList domainACL = domainInfo.acls.get(applicationAccessType);
    if (domainACL == null) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("ACL not found for access-type " + applicationAccessType + " for domain " + entity.getDomainId() + " owned by " + owner + ". Using default [" + YarnConfiguration.DEFAULT_YARN_APP_ACL + "]");
        }
        domainACL = new AccessControlList(YarnConfiguration.DEFAULT_YARN_APP_ACL);
    }

    // An unidentified caller is never granted access once ACLs are enabled.
    if (callerUGI == null) {
        return false;
    }
    return adminAclsManager.isAdmin(callerUGI)
        || callerUGI.getShortUserName().equals(owner)
        || domainACL.isUserAllowed(callerUGI);
}
Also used : AccessControlList(org.apache.hadoop.security.authorize.AccessControlList) EntityIdentifier(org.apache.hadoop.yarn.server.timeline.EntityIdentifier) YarnException(org.apache.hadoop.yarn.exceptions.YarnException)

Example 10 with AccessControlList

use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache.

the class TestApplicationACLs method verifyFriendAccess.

/**
 * Submits an application whose view ACL names {@code FRIENDLY_GROUP} and whose modify ACL
 * names {@code FRIEND}, then acts as {@code FRIEND} to fetch the application report, list
 * applications (expecting 3) and kill the application.
 *
 * <p>The report call and the kill call carry no assertion of their own; a denial would
 * surface only as an exception propagating out of this method. View access for
 * {@code FRIEND} presumably comes from membership of {@code FRIENDLY_GROUP}, which is set
 * up outside this method.
 *
 * @throws Exception if any of the client calls fails or is rejected
 */
private void verifyFriendAccess() throws Exception {
    // View is granted through a group entry, modify through a direct user entry.
    AccessControlList viewers = new AccessControlList("");
    viewers.addGroup(FRIENDLY_GROUP);
    AccessControlList modifiers = new AccessControlList("");
    modifiers.addUser(FRIEND);
    ApplicationId appId = submitAppAndGetAppId(viewers, modifiers);

    final GetApplicationReportRequest reportRequest = recordFactory.newRecordInstance(GetApplicationReportRequest.class);
    reportRequest.setApplicationId(appId);
    final KillApplicationRequest killRequest = recordFactory.newRecordInstance(KillApplicationRequest.class);
    killRequest.setApplicationId(appId);

    ApplicationClientProtocol friendClient = getRMClientForUser(FRIEND);

    // View as the friend
    friendClient.getApplicationReport(reportRequest);

    // List apps as friend
    GetApplicationsRequest listRequest = recordFactory.newRecordInstance(GetApplicationsRequest.class);
    int visibleApps = friendClient.getApplications(listRequest).getApplicationList().size();
    Assert.assertEquals("App view by a friend should list the apps!!", 3, visibleApps);

    // Kill app as the friend, then wait until the resource manager reports it as killed
    friendClient.forceKillApplication(killRequest);
    resourceManager.waitForState(appId, RMAppState.KILLED);
}
Also used : AccessControlList(org.apache.hadoop.security.authorize.AccessControlList) GetApplicationReportRequest(org.apache.hadoop.yarn.api.protocolrecords.GetApplicationReportRequest) KillApplicationRequest(org.apache.hadoop.yarn.api.protocolrecords.KillApplicationRequest) ApplicationId(org.apache.hadoop.yarn.api.records.ApplicationId) ApplicationClientProtocol(org.apache.hadoop.yarn.api.ApplicationClientProtocol)
