
Example 11 with AccessControlList

use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache.

From TestApplicationACLs, method verifyEnemyAccess(): submits an application whose view ACL contains only FRIENDLY_GROUP and whose modify ACL contains only FRIEND, then checks that a user (ENEMY) who is in neither ACL can still fetch and list application reports but is refused when it tries to kill the application.

/**
 * Exercises the "enemy" path of the application ACL checks: an application is
 * submitted whose view ACL lists only {@code FRIENDLY_GROUP} and whose modify ACL
 * lists only {@code FRIEND}; a client authenticated as {@code ENEMY} (a user in
 * neither ACL) then tries to view, list and kill it.
 * <p>
 * Expected outcome, as asserted below: the single-report and list calls succeed
 * for the enemy (what those reports may expose is checked by
 * {@code verifyEnemyAppReport}, not shown here), while the kill is rejected with a
 * {@link YarnException} whose message names the MODIFY_APP operation. The app is
 * finally killed through the privileged {@code rmClient} so it does not outlive
 * the test; note that this cleanup only runs when every assertion passes.
 *
 * @throws Exception from the RM client calls or the submission helper
 */
private void verifyEnemyAccess() throws Exception {
    // Only members of FRIENDLY_GROUP may view; only FRIEND may modify.
    AccessControlList viewAcl = new AccessControlList("");
    viewAcl.addGroup(FRIENDLY_GROUP);
    AccessControlList modifyAcl = new AccessControlList("");
    modifyAcl.addUser(FRIEND);
    ApplicationId appId = submitAppAndGetAppId(viewAcl, modifyAcl);

    final GetApplicationReportRequest reportRequest =
        recordFactory.newRecordInstance(GetApplicationReportRequest.class);
    reportRequest.setApplicationId(appId);
    final KillApplicationRequest killRequest =
        recordFactory.newRecordInstance(KillApplicationRequest.class);
    killRequest.setApplicationId(appId);

    ApplicationClientProtocol enemyClient = getRMClientForUser(ENEMY);

    // Fetching a single report is not refused; its contents are vetted by the helper.
    ApplicationReport singleReport =
        enemyClient.getApplicationReport(reportRequest).getApplicationReport();
    verifyEnemyAppReport(singleReport);

    // Listing is not refused either. The expected count of 4 presumably reflects
    // applications submitted earlier in this test class — confirm against the callers.
    GetApplicationsRequest listRequest =
        recordFactory.newRecordInstance(GetApplicationsRequest.class);
    List<ApplicationReport> listed = enemyClient.getApplications(listRequest).getApplicationList();
    Assert.assertEquals("App view by enemy should list the apps!!", 4, listed.size());
    for (ApplicationReport listedReport : listed) {
        verifyEnemyAppReport(listedReport);
    }

    // Killing must be refused: the enemy is not in the modify ACL.
    // Assert.fail throws AssertionError, which the YarnException catch does not swallow.
    try {
        enemyClient.forceKillApplication(killRequest);
        Assert.fail("App killing by the enemy should fail!!");
    } catch (YarnException e) {
        LOG.info("Got exception while killing app as the enemy", e);
        Assert.assertTrue(e.getMessage().contains("User enemy cannot perform operation MODIFY_APP on " + appId));
    }

    // Clean up with the privileged client.
    rmClient.forceKillApplication(killRequest);
}

Example 12 with AccessControlList

use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache.

From AppPriorityACLConfigurationParser, method getPriorityAcl(): parses a priority-ACL configuration string into AppPriorityACLGroup entries, clamping any configured max-priority that exceeds the cluster maximum.

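/**
 * Parses a priority ACL configuration string into one {@link AppPriorityACLGroup}
 * per ACL group.
 * <p>
 * Groups are located with {@code PATTERN_FOR_PRIORITY_ACL} (capture group 1);
 * each group is a whitespace-separated list of {@code key=value} pairs, e.g.
 * {@code user=b1,b2 group=g1 max-priority=a2 default-priority=a1}, meaning: for
 * these users/groups the highest allowed priority is a2, and a1 is used when the
 * submitter gives none. Tokens without an {@code =} are skipped silently, as are
 * groups that are empty after trimming. {@code user=} and {@code group=} arrive
 * as separate pairs, so they are collected in {@code userAndGroupName} and turned
 * into a single {@link AccessControlList} by {@code createACLStringForPriority}.
 * <p>
 * Security note: a group's max-priority is capped at {@code clusterMaxPriority}
 * (with a warning) so configuration cannot grant more than the cluster allows.
 * Nothing here validates default-priority against max-priority; presumably that is
 * enforced where the ACL is applied — confirm. This method also assumes
 * {@code AppPriorityACLGroup} carries a non-null max-priority when the key is
 * absent — confirm.
 *
 * @param clusterMaxPriority upper bound applied to every group's max-priority
 * @param aclString          the raw configuration value; must not be null
 * @return the parsed groups in configuration order, empty if none were found
 */
public List<AppPriorityACLGroup> getPriorityAcl(Priority clusterMaxPriority, String aclString) {
    List<AppPriorityACLGroup> aclList = new ArrayList<>();
    Matcher matcher = Pattern.compile(PATTERN_FOR_PRIORITY_ACL).matcher(aclString);
    while (matcher.find()) {
        String aclSubGroup = matcher.group(1).trim();
        if (aclSubGroup.isEmpty()) {
            continue;
        }
        AppPriorityACLGroup group = new AppPriorityACLGroup();
        // Interim storage for the user and group ACL parts of this group.
        List<StringBuilder> userAndGroupName = new ArrayList<>();
        for (String kvPair : aclSubGroup.split(" +")) {
            // Keys are one of: user/group, max-priority, default-priority.
            String[] splits = kvPair.split("=");
            // String.split never returns null; only key=value pairs are parsed.
            if (splits.length > 1) {
                parsePriorityACLType(group, splits, userAndGroupName);
            }
        }
        // Cap at the cluster maximum so configuration cannot exceed it.
        if (group.getMaxPriority().getPriority() > clusterMaxPriority.getPriority()) {
            LOG.warn("ACL configuration for '" + group.getMaxPriority()
                + "' is greater than cluster max priority. Resetting ACLs to " + clusterMaxPriority);
            group.setMaxPriority(Priority.newInstance(clusterMaxPriority.getPriority()));
        }
        AccessControlList acl = createACLStringForPriority(userAndGroupName);
        group.setACLList(acl);
        aclList.add(group);
    }
    return aclList;
}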

Example 13 with AccessControlList

use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache.

From QueueConfigurationParser, method createHierarchy(): builds a Queue (and, recursively, its sub-queues) from an XML &lt;queue&gt; element; when ACLs are enabled, a queue with no submit or administer ACL element is given an ACL built from a single space (Hadoop's conventional empty-ACL value) rather than being left open.

/**
 * Recursively builds a {@link Queue} from a {@code <queue>} XML element.
 * <p>
 * The fully qualified name is {@code parent + NAME_SEPARATOR + name} (just
 * {@code name} for a root queue). A name that is null, blank, or contains
 * {@code NAME_SEPARATOR} is rejected with a {@link RuntimeException}. ACL
 * elements are only honoured when {@code isAclsEnabled()}; in that case a queue
 * lacking a submit-job or administer-jobs element is given an ACL built from a
 * single space (Hadoop's conventional empty-ACL value), so a missing element
 * does not open the queue up.
 * <p>
 * Note: the ACL map keys are derived from the name element, so ACL elements are
 * expected to follow the name element in document order; an ACL element seen
 * before the name is stored under the empty name and then superseded by the
 * empty default. Whether {@code validate(queueNode)} enforces that ordering is
 * not visible here — confirm.
 *
 * @param parent    fully qualified name of the parent queue, or "" for a root queue
 * @param queueNode the {@code <queue>} element; null yields null
 * @return the populated queue with its children attached, or null
 */
private Queue createHierarchy(String parent, Element queueNode) {
    if (queueNode == null) {
        return null;
    }
    String qualifiedName = "";
    Queue queue = new Queue();
    Map<String, AccessControlList> acls = new HashMap<String, AccessControlList>();
    NodeList children = queueNode.getChildNodes();
    validate(queueNode);
    List<Element> childQueueElements = new ArrayList<Element>();
    String submitKey = "";
    String adminKey = "";
    int childCount = children.getLength();
    for (int i = 0; i < childCount; i++) {
        Node node = children.item(i);
        if (!(node instanceof Element)) {
            continue;
        }
        Element field = (Element) node;
        String tag = field.getTagName();
        if (QUEUE_NAME_TAG.equals(tag)) {
            String nameValue = field.getTextContent();
            boolean improperName = nameValue == null
                || nameValue.trim().equals("")
                || nameValue.contains(NAME_SEPARATOR);
            if (improperName) {
                throw new RuntimeException("Improper queue name : " + nameValue);
            }
            // Qualified form is parent.child; root queues have no parent prefix.
            if (!parent.equals("")) {
                qualifiedName += parent + NAME_SEPARATOR;
            }
            qualifiedName += nameValue;
            queue.setName(qualifiedName);
            submitKey = toFullPropertyName(qualifiedName, QueueACL.SUBMIT_JOB.getAclName());
            adminKey = toFullPropertyName(qualifiedName, QueueACL.ADMINISTER_JOBS.getAclName());
        }
        if (QUEUE_TAG.equals(tag) && field.hasChildNodes()) {
            childQueueElements.add(field);
        }
        if (isAclsEnabled()) {
            if (ACL_SUBMIT_JOB_TAG.equals(tag)) {
                acls.put(submitKey, new AccessControlList(field.getTextContent()));
            }
            if (ACL_ADMINISTER_JOB_TAG.equals(tag)) {
                acls.put(adminKey, new AccessControlList(field.getTextContent()));
            }
        }
        if (PROPERTIES_TAG.equals(tag)) {
            queue.setProperties(populateProperties(field));
        }
        if (STATE_TAG.equals(tag)) {
            queue.setState(QueueState.getState(field.getTextContent()));
        }
    }
    // Fail closed: an absent ACL element becomes an empty ACL, never an open one.
    if (!acls.containsKey(submitKey)) {
        acls.put(submitKey, new AccessControlList(" "));
    }
    if (!acls.containsKey(adminKey)) {
        acls.put(adminKey, new AccessControlList(" "));
    }
    queue.setAcls(acls);
    for (Element childElement : childQueueElements) {
        queue.addChild(createHierarchy(queue.getName(), childElement));
    }
    return queue;
}

Example 14 with AccessControlList

use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache.

From QueueManager, method dumpConfiguration(): depth-first JSON dump of every queue's name, state, submit/administer ACL strings, properties and children; since the ACL strings list user and group names, the output should only be exposed to suitably privileged readers.

/**
 * Depth-first dump of a set of queues (and their descendants) as JSON.
 * <p>
 * For each queue it writes {@code name}, {@code state}, the submit-job and
 * administer-jobs ACL strings ({@code " "} when the queue has no ACL map or no
 * entry under that key), the {@code properties} as key/value objects, and the
 * recursively dumped {@code children}. The ACL strings enumerate user and group
 * names, so the output is configuration-sensitive: whoever calls this should
 * gate the result appropriately.
 *
 * @param dumpGenerator generator the JSON is written to (not flushed here)
 * @param rootQueues    the queues to dump at this level
 * @throws JsonGenerationException on JSON structure errors
 * @throws IOException on write failure
 */
private static void dumpConfiguration(JsonGenerator dumpGenerator, Set<Queue> rootQueues) throws JsonGenerationException, IOException {
    for (Queue queue : rootQueues) {
        String queueName = queue.getName();
        dumpGenerator.writeStartObject();
        dumpGenerator.writeStringField("name", queueName);
        dumpGenerator.writeStringField("state", queue.getState().toString());

        Map<String, AccessControlList> queueAcls = queue.getAcls();
        AccessControlList submitAcl = null;
        AccessControlList adminAcl = null;
        if (queueAcls != null) {
            submitAcl = queueAcls.get(toFullPropertyName(queueName, QueueACL.SUBMIT_JOB.getAclName()));
            adminAcl = queueAcls.get(toFullPropertyName(queueName, QueueACL.ADMINISTER_JOBS.getAclName()));
        }
        // An absent ACL is rendered with the empty-ACL convention " ".
        dumpGenerator.writeStringField("acl_submit_job",
            submitAcl == null ? " " : submitAcl.getAclString());
        dumpGenerator.writeStringField("acl_administer_jobs",
            adminAcl == null ? " " : adminAcl.getAclString());

        dumpGenerator.writeFieldName("properties");
        dumpGenerator.writeStartArray();
        if (queue.getProperties() != null) {
            for (Map.Entry<Object, Object> entry : queue.getProperties().entrySet()) {
                // Properties values are assumed to be Strings; a non-String value would
                // fail the cast here — confirm against populateProperties.
                dumpGenerator.writeStartObject();
                dumpGenerator.writeStringField("key", (String) entry.getKey());
                dumpGenerator.writeStringField("value", (String) entry.getValue());
                dumpGenerator.writeEndObject();
            }
        }
        dumpGenerator.writeEndArray();

        dumpGenerator.writeFieldName("children");
        dumpGenerator.writeStartArray();
        Set<Queue> childQueues = queue.getChildren();
        boolean hasChildren = childQueues != null && childQueues.size() > 0;
        if (hasChildren) {
            dumpConfiguration(dumpGenerator, childQueues);
        }
        dumpGenerator.writeEndArray();
        dumpGenerator.writeEndObject();
    }
}

Example 15 with AccessControlList

use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache.

From QueueManager, method hasAccess(): the authorization check for queue operations — returns false for unknown or non-leaf queues, true for everyone when ACLs are disabled, false when no ACL is stored for the operation, and otherwise defers to AccessControlList.isUserAllowed.

/**
 * Authorization check for a queue operation.
 * <p>
 * Decision order, as implemented:
 * <ol>
 *   <li>queue not found in {@code leafQueues} → false;</li>
 *   <li>queue with children → false (the log line mentions job submission
 *       regardless of which {@code qACL} was asked for);</li>
 *   <li>{@code areAclsEnabled()} false → true for every user, i.e. the ACL
 *       check is bypassed cluster-wide;</li>
 *   <li>no ACL stored under this queue/operation key → false (fail closed);</li>
 *   <li>otherwise {@link AccessControlList#isUserAllowed(UserGroupInformation)}:
 *       allowed if all users are permitted, or the user or one of its groups is
 *       listed.</li>
 * </ol>
 * {@code queueName} is used both for the lookup and to build the ACL key, so
 * callers must pass the fully qualified name.
 *
 * @param queueName fully qualified queue on which the operation is requested
 * @param qACL      the queue ACL (operation) to check
 * @param ugi       the requesting user and its groups
 * @return true if the operation is allowed, false otherwise
 */
public synchronized boolean hasAccess(String queueName, QueueACL qACL, UserGroupInformation ugi) {
    Queue queue = leafQueues.get(queueName);
    if (queue == null) {
        LOG.info("Queue " + queueName + " is not present");
        return false;
    }
    Set<Queue> children = queue.getChildren();
    if (children != null && !children.isEmpty()) {
        LOG.info("Cannot submit job to parent queue " + queue.getName());
        return false;
    }
    // With ACLs disabled every operation on every leaf queue is permitted.
    if (!areAclsEnabled()) {
        return true;
    }
    String aclKey = toFullPropertyName(queueName, qACL.getAclName());
    if (LOG.isDebugEnabled()) {
        LOG.debug("Checking access for the acl " + aclKey + " for user " + ugi.getShortUserName());
    }
    AccessControlList acl = queue.getAcls().get(aclKey);
    // Missing ACL entry denies; otherwise the ACL decides.
    return acl != null && acl.isUserAllowed(ugi);
}
