use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache.
the class ACLsTestBase method setup.
/**
 * Prepares the fixtures for the ACL tests: builds the configuration, creates the RPC factory,
 * starts a {@link MockRM} on a background thread and waits for it to come up.
 *
 * <p>The admin ACL is written from an {@code AccessControlList} built from the empty string, so
 * this method lists no admin user or group by name. Whether ACL enforcement is enabled at all is
 * decided by {@code createConfiguration()}, which is not shown here.
 *
 * @throws InterruptedException if the calling thread is interrupted while sleeping between polls
 * @throws IOException if the ResourceManager is not in {@code STARTED} state once polling ends
 */
@Before
public void setup() throws InterruptedException, IOException {
  conf = createConfiguration();
  rpc = YarnRPC.create(conf);
  rmAddress = conf.getSocketAddr(
      YarnConfiguration.RM_ADDRESS,
      YarnConfiguration.DEFAULT_RM_ADDRESS,
      YarnConfiguration.DEFAULT_RM_PORT);

  // Empty ACL string: no user and no group is named as a YARN admin.
  // NOTE(review): whether the RM implicitly treats its own daemon user as admin is not
  // visible from this method - confirm before relying on "nobody is admin".
  AccessControlList emptyAdminAcl = new AccessControlList("");
  conf.set(YarnConfiguration.YARN_ADMIN_ACL, emptyAdminAcl.getAclString());
  conf.setInt(YarnConfiguration.MAX_CLUSTER_LEVEL_APPLICATION_PRIORITY, 10);

  resourceManager = new MockRM(conf) {
    @Override
    protected Dispatcher createDispatcher() {
      return new DrainDispatcher();
    }

    @Override
    protected void doSecureLogin() throws IOException {
      // Deliberately empty: this mock RM performs no login step.
      // NOTE(review): presumably so the test needs no Kerberos credentials - confirm.
    }

    // Builds the client service with the RM's own ACL managers and its delegation-token
    // secret manager, so client calls go through the configured access checks.
    protected ClientRMService createClientRMService() {
      return new ClientRMService(
          getRMContext(),
          this.scheduler,
          this.rmAppManager,
          this.applicationACLsManager,
          this.queueACLsManager,
          getRMContext().getRMDelegationTokenSecretManager());
    }
  };

  // The RM is started on its own thread; this thread only polls the service state.
  new Thread(new Runnable() {
    @Override
    public void run() {
      resourceManager.start();
    }
  }).start();

  // At most 60 polls, 1500 ms apart, while the RM is still in INITED.
  final int maxPolls = 60;
  final long pollIntervalMs = 1500;
  for (int polls = 0;
      resourceManager.getServiceState() == STATE.INITED && polls < maxPolls;
      polls++) {
    LOG.info("Waiting for RM to start...");
    Thread.sleep(pollIntervalMs);
  }

  if (resourceManager.getServiceState() == STATE.STARTED) {
    return;
  }
  // Either the RM failed, or it never left INITED within the polling window.
  throw new IOException("ResourceManager failed to start. Final state is " + resourceManager.getServiceState());
}
use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache.
the class TestApplicationACLs method verifySuperUserAccess.
/**
 * Checks that {@code SUPER_USER} can view, list and kill an application whose view ACL lists
 * only {@code FRIENDLY_GROUP} and whose modify ACL lists only {@code FRIEND}.
 *
 * <p>NOTE(review): access for {@code SUPER_USER} therefore has to come from outside the
 * per-application ACLs. {@code setup()} in this class puts {@code SUPER_GROUP} in the YARN admin
 * ACL - confirm that this is the path being exercised.
 *
 * @throws Exception propagated from the RM client calls or from waiting for the KILLED state
 */
private void verifySuperUserAccess() throws Exception {
  // Per-application ACLs: viewers = FRIENDLY_GROUP, modifiers = FRIEND.
  AccessControlList viewers = new AccessControlList("");
  viewers.addGroup(FRIENDLY_GROUP);
  AccessControlList modifiers = new AccessControlList("");
  modifiers.addUser(FRIEND);
  ApplicationId appId = submitAppAndGetAppId(viewers, modifiers);

  final GetApplicationReportRequest reportRequest =
      recordFactory.newRecordInstance(GetApplicationReportRequest.class);
  reportRequest.setApplicationId(appId);
  final KillApplicationRequest killRequest =
      recordFactory.newRecordInstance(KillApplicationRequest.class);
  killRequest.setApplicationId(appId);

  ApplicationClientProtocol superUserClient = getRMClientForUser(SUPER_USER);

  // View: the call only has to complete without throwing; the returned report is not inspected.
  superUserClient.getApplicationReport(reportRequest);

  // List: the expected value is an absolute count of applications on the RM, so it depends on
  // what was submitted before this helper ran.
  // NOTE(review): order-dependent - confirm against the calling test.
  GetApplicationsRequest listRequest =
      recordFactory.newRecordInstance(GetApplicationsRequest.class);
  int listedApps = superUserClient.getApplications(listRequest).getApplicationList().size();
  Assert.assertEquals("App view by super-user should list the apps!!", 2, listedApps);

  // Modify: kill the application and wait until the RM reports it as KILLED.
  superUserClient.forceKillApplication(killRequest);
  resourceManager.waitForState(appId, RMAppState.KILLED);
}
use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache.
the class TestApplicationACLs method verifyOwnerAccess.
/**
 * Checks that the submitting user, acting through {@code rmClient}, can view, list and kill its
 * own application even though the view ACL lists only {@code FRIENDLY_GROUP} and the modify ACL
 * lists only {@code FRIEND}.
 *
 * @throws Exception propagated from the RM client calls or from waiting for the KILLED state
 */
private void verifyOwnerAccess() throws Exception {
  // Per-application ACLs: viewers = FRIENDLY_GROUP, modifiers = FRIEND.
  AccessControlList viewers = new AccessControlList("");
  viewers.addGroup(FRIENDLY_GROUP);
  AccessControlList modifiers = new AccessControlList("");
  modifiers.addUser(FRIEND);
  ApplicationId appId = submitAppAndGetAppId(viewers, modifiers);

  final GetApplicationReportRequest reportRequest =
      recordFactory.newRecordInstance(GetApplicationReportRequest.class);
  reportRequest.setApplicationId(appId);
  final KillApplicationRequest killRequest =
      recordFactory.newRecordInstance(KillApplicationRequest.class);
  killRequest.setApplicationId(appId);

  // View: the call only has to complete without throwing; the returned report is not inspected.
  rmClient.getApplicationReport(reportRequest);

  // List: the expected value is an absolute count, so it assumes this is the only application
  // visible to the owner at this point.
  // NOTE(review): order-dependent - confirm against the calling test.
  GetApplicationsRequest listRequest =
      recordFactory.newRecordInstance(GetApplicationsRequest.class);
  int listedApps = rmClient.getApplications(listRequest).getApplicationList().size();
  Assert.assertEquals("App view by owner should list the apps!!", 1, listedApps);

  // Modify: kill the application and wait until the RM reports it as KILLED.
  rmClient.forceKillApplication(killRequest);
  resourceManager.waitForState(appId, RMAppState.KILLED);
}
use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache.
the class TestApplicationACLs method verifyAdministerQueueUserAccess.
/**
 * Checks that {@code QUEUE_ADMIN_USER} can view, list and kill an application whose view ACL
 * lists only {@code FRIENDLY_GROUP} and whose modify ACL lists only {@code FRIEND}.
 *
 * <p>The method first sets {@code isQueueUser} to {@code true} and does not reset it.
 * NOTE(review): if queue access checks in this test class are answered from that flag, every
 * caller that runs afterwards is treated as a queue admin too - confirm this helper runs last or
 * that the flag is reset elsewhere.
 *
 * @throws Exception propagated from the RM client calls or from waiting for the KILLED state
 */
private void verifyAdministerQueueUserAccess() throws Exception {
  isQueueUser = true;

  // Per-application ACLs: viewers = FRIENDLY_GROUP, modifiers = FRIEND.
  AccessControlList viewers = new AccessControlList("");
  viewers.addGroup(FRIENDLY_GROUP);
  AccessControlList modifiers = new AccessControlList("");
  modifiers.addUser(FRIEND);
  ApplicationId appId = submitAppAndGetAppId(viewers, modifiers);

  final GetApplicationReportRequest reportRequest =
      recordFactory.newRecordInstance(GetApplicationReportRequest.class);
  reportRequest.setApplicationId(appId);
  final KillApplicationRequest killRequest =
      recordFactory.newRecordInstance(KillApplicationRequest.class);
  killRequest.setApplicationId(appId);

  ApplicationClientProtocol queueAdminClient = getRMClientForUser(QUEUE_ADMIN_USER);

  // View: the call only has to complete without throwing; the returned report is not inspected.
  queueAdminClient.getApplicationReport(reportRequest);

  // List: the expected value is an absolute count of applications on the RM, so it depends on
  // what was submitted before this helper ran.
  // NOTE(review): order-dependent - confirm against the calling test.
  GetApplicationsRequest listRequest =
      recordFactory.newRecordInstance(GetApplicationsRequest.class);
  int listedApps = queueAdminClient.getApplications(listRequest).getApplicationList().size();
  Assert.assertEquals("App view by queue-admin-user should list the apps!!", 5, listedApps);

  // Modify: kill the application and wait until the RM reports it as KILLED.
  queueAdminClient.forceKillApplication(killRequest);
  resourceManager.waitForState(appId, RMAppState.KILLED);
}
use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache.
the class TestApplicationACLs method setup.
/**
 * One-time fixture for the application ACL tests: enables YARN ACLs, names {@code SUPER_GROUP}
 * as the admin group, starts a {@link MockRM} on a background thread, waits for it to come up
 * and opens an RM client proxy as {@code APP_OWNER}.
 *
 * <p>Queue-level access is not evaluated for real here: the RM is given a mocked
 * {@code QueueACLsManager} whose {@code checkAccess} answers with the current value of
 * {@code isQueueUser} for every caller, queue and application.
 *
 * @throws InterruptedException if the calling thread is interrupted while sleeping between polls
 *     or while running the privileged action
 * @throws IOException if the ResourceManager is not in {@code STARTED} state once polling ends,
 *     or if creating the client proxy fails
 */
@BeforeClass
public static void setup() throws InterruptedException, IOException {
  // The returned store is not used below. NOTE(review): the call is kept because getStore(conf)
  // may have effects that are not visible from here - confirm before removing it.
  RMStateStore store = RMStateStoreFactory.getStore(conf);

  // Turn ACL enforcement on and make membership of SUPER_GROUP the only named admin path.
  conf.setBoolean(YarnConfiguration.YARN_ACL_ENABLE, true);
  AccessControlList superGroupAdmins = new AccessControlList("");
  superGroupAdmins.addGroup(SUPER_GROUP);
  conf.set(YarnConfiguration.YARN_ADMIN_ACL, superGroupAdmins.getAclString());

  resourceManager = new MockRM(conf) {
    // The final constructor argument is passed as null.
    // NOTE(review): presumably the delegation-token secret manager slot - confirm against the
    // ClientRMService constructor.
    protected ClientRMService createClientRMService() {
      return new ClientRMService(
          getRMContext(),
          this.scheduler,
          this.rmAppManager,
          this.applicationACLsManager,
          this.queueACLsManager,
          null);
    }

    @Override
    protected QueueACLsManager createQueueACLsManager(ResourceScheduler scheduler, Configuration conf) {
      // Every checkAccess call, whatever its arguments, returns the isQueueUser flag as it is at
      // call time. The matchers must stay inline in this order; Mockito records them positionally.
      QueueACLsManager flagDrivenAcls = mock(QueueACLsManager.class);
      when(flagDrivenAcls.checkAccess(any(UserGroupInformation.class), any(QueueACL.class), any(RMApp.class), any(String.class), any())).thenAnswer(new Answer() {
        public Object answer(InvocationOnMock invocation) {
          return isQueueUser;
        }
      });
      return flagDrivenAcls;
    }
  };

  // Test identities are registered on the background thread, just before the RM is started:
  // ENEMY has no groups, FRIEND is in FRIENDLY_GROUP, SUPER_USER is in SUPER_GROUP.
  new Thread(new Runnable() {
    @Override
    public void run() {
      UserGroupInformation.createUserForTesting(ENEMY, new String[] {});
      UserGroupInformation.createUserForTesting(FRIEND, new String[] { FRIENDLY_GROUP });
      UserGroupInformation.createUserForTesting(SUPER_USER, new String[] { SUPER_GROUP });
      resourceManager.start();
    }
  }).start();

  // At most 60 polls, 1500 ms apart, while the RM is still in INITED.
  final int maxPolls = 60;
  final long pollIntervalMs = 1500;
  for (int polls = 0;
      resourceManager.getServiceState() == STATE.INITED && polls < maxPolls;
      polls++) {
    LOG.info("Waiting for RM to start...");
    Thread.sleep(pollIntervalMs);
  }
  if (resourceManager.getServiceState() != STATE.STARTED) {
    // Either the RM failed, or it never left INITED within the polling window.
    throw new IOException("ResourceManager failed to start. Final state is " + resourceManager.getServiceState());
  }

  // The shared rmClient is created inside doAs for APP_OWNER, so the proxy is obtained under
  // that identity rather than under the user running the test JVM.
  UserGroupInformation owner = UserGroupInformation.createRemoteUser(APP_OWNER);
  PrivilegedExceptionAction<ApplicationClientProtocol> connectAsOwner =
      new PrivilegedExceptionAction<ApplicationClientProtocol>() {
        @Override
        public ApplicationClientProtocol run() throws Exception {
          Object proxy = rpc.getProxy(ApplicationClientProtocol.class, rmAddress, conf);
          return (ApplicationClientProtocol) proxy;
        }
      };
  rmClient = owner.doAs(connectAsOwner);
}