
Example 1 with ReservationACL

use of org.apache.hadoop.yarn.api.records.ReservationACL in project hadoop by apache.

the class ClientRMService method checkReservationACLs.

/**
 * Authorizes the current caller for the reservation operation identified by
 * {@code auditConstant} on {@code queueName} and returns the caller's short user name.
 *
 * <p>The decision is taken in this order:
 * <ol>
 *   <li>no reservation system, or no reservation ACL manager: the caller is returned
 *       without any ACL check;</li>
 *   <li>the caller's user name equals the user recorded on the existing reservation;</li>
 *   <li>the caller passes the ACL mapped from {@code auditConstant};</li>
 *   <li>the caller passes {@code ADMINISTER_RESERVATIONS} on the queue;</li>
 *   <li>otherwise {@code handleNoAccess} is invoked and the call fails.</li>
 * </ol>
 *
 * @param queueName      queue the reservation operation targets
 * @param auditConstant  audit operation name; also selects the ACL to check
 * @param reservationId  existing reservation to test ownership of, or {@code null}
 * @return the short user name of the authorized caller
 * @throws YarnException declared by the signature; the visible body raises it only through
 *                       the helpers it calls
 * @throws IOException   declared by the signature
 */
private String checkReservationACLs(String queueName, String auditConstant, ReservationId reservationId) throws YarnException, IOException {
    UserGroupInformation callerUGI;
    try {
        callerUGI = UserGroupInformation.getCurrentUser();
    } catch (IOException ugiFailure) {
        // The caller identity is unknown at this point, so the audit record says "UNKNOWN".
        RMAuditLogger.logFailure("UNKNOWN", auditConstant, queueName, "ClientRMService", "Error getting UGI");
        throw RPCUtil.getRemoteException(ugiFailure);
    }

    // NOTE(review): both early returns below grant access with no ACL evaluation.
    // Presumably they correspond to reservations or reservation ACLs being disabled;
    // confirm that a null manager can never occur while ACL enforcement is expected.
    if (reservationSystem == null) {
        return callerUGI.getShortUserName();
    }
    ReservationsACLsManager aclManager = reservationSystem.getReservationsACLsManager();
    // Resolved before the manager null check, exactly as the lookup order requires.
    ReservationACL requiredAcl = getReservationACLFromAuditConstant(auditConstant);
    if (aclManager == null) {
        return callerUGI.getShortUserName();
    }

    // Find out who the reservation is recorded under (empty when it cannot be resolved).
    Plan queuePlan = reservationSystem.getPlan(queueName);
    String ownerName = "";
    if (queuePlan != null && reservationId != null) {
        ReservationAllocation existing = queuePlan.getReservationById(reservationId);
        if (existing != null) {
            ownerName = existing.getUser();
        }
    }

    // A reservation that belongs to the caller is always accessible to that caller.
    // NOTE(review): ownership is matched against getUserName(), while this method hands
    // back getShortUserName(). If reservations are stored under the short name (not
    // visible here), the two forms can differ and the owner shortcut would not match,
    // leaving the decision to the ACL checks below - confirm which form getUser() holds.
    boolean callerOwnsReservation =
        ownerName != null && !ownerName.isEmpty() && ownerName.equals(callerUGI.getUserName());
    if (callerOwnsReservation) {
        return callerUGI.getShortUserName();
    }

    // Either the operation-specific ACL or the administer ACL is sufficient.
    boolean permittedByAcl =
        aclManager.checkAccess(callerUGI, requiredAcl, queueName)
            || aclManager.checkAccess(callerUGI, ReservationACL.ADMINISTER_RESERVATIONS, queueName);
    if (permittedByAcl) {
        return callerUGI.getShortUserName();
    }

    handleNoAccess(callerUGI.getShortUserName(), queueName, auditConstant, requiredAcl.toString(), requiredAcl.name());
    // handleNoAccess presumably throws; this is the backstop should it ever return,
    // so a denied caller can never fall through to a successful return.
    throw new IllegalStateException();
}
Also used : ReservationsACLsManager(org.apache.hadoop.yarn.server.resourcemanager.security.ReservationsACLsManager) ReservationACL(org.apache.hadoop.yarn.api.records.ReservationACL) IOException(java.io.IOException) Plan(org.apache.hadoop.yarn.server.resourcemanager.reservation.Plan) ReservationAllocation(org.apache.hadoop.yarn.server.resourcemanager.reservation.ReservationAllocation) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Example 2 with ReservationACL

use of org.apache.hadoop.yarn.api.records.ReservationACL in project hadoop by apache.

the class ReservationACLsTestBase method createCapacitySchedulerConfiguration.

/**
 * Builds the capacity-scheduler configuration used by the reservation ACL tests.
 *
 * <p>Three reservable queues are created under the root (capacities 50/20/30). Queues A
 * and B each get explicit submit, administer and list reservation ACLs; queue C gets
 * none. The reservation system, YARN ACLs and reservation ACLs are all switched on.
 *
 * @return the populated configuration
 */
private static Configuration createCapacitySchedulerConfiguration() {
    CapacitySchedulerConfiguration conf = new CapacitySchedulerConfiguration();
    conf.setQueues(CapacitySchedulerConfiguration.ROOT, new String[] { QUEUEA, QUEUEB, QUEUEC });

    final String rootPrefix = CapacitySchedulerConfiguration.ROOT + ".";
    final String pathA = rootPrefix + QUEUEA;
    final String pathB = rootPrefix + QUEUEB;
    final String pathC = rootPrefix + QUEUEC;

    conf.setCapacity(pathA, 50f);
    conf.setCapacity(pathB, 20f);
    conf.setCapacity(pathC, 30f);
    conf.setReservable(pathA, true);
    conf.setReservable(pathB, true);
    conf.setReservable(pathC, true);

    // Queue A: dedicated submitter and admin, shared user for listing.
    Map<ReservationACL, AccessControlList> aclsForA = new HashMap<>();
    aclsForA.put(ReservationACL.SUBMIT_RESERVATIONS, new AccessControlList(QUEUE_A_USER));
    aclsForA.put(ReservationACL.ADMINISTER_RESERVATIONS, new AccessControlList(QUEUE_A_ADMIN));
    aclsForA.put(ReservationACL.LIST_RESERVATIONS, new AccessControlList(COMMON_USER));
    conf.setReservationAcls(pathA, aclsForA);

    // Queue B: same shape as queue A, with its own submitter and admin.
    Map<ReservationACL, AccessControlList> aclsForB = new HashMap<>();
    aclsForB.put(ReservationACL.SUBMIT_RESERVATIONS, new AccessControlList(QUEUE_B_USER));
    aclsForB.put(ReservationACL.ADMINISTER_RESERVATIONS, new AccessControlList(QUEUE_B_ADMIN));
    aclsForB.put(ReservationACL.LIST_RESERVATIONS, new AccessControlList(COMMON_USER));
    conf.setReservationAcls(pathB, aclsForB);

    // Queue C receives no reservation ACLs. What an unset ACL resolves to is decided by
    // the scheduler configuration, not here - presumably this queue exercises that
    // default; confirm against the tests that use it.

    conf.setBoolean(YarnConfiguration.RM_RESERVATION_SYSTEM_ENABLE, true);
    conf.setBoolean(YarnConfiguration.YARN_ACL_ENABLE, true);
    conf.setBoolean(YarnConfiguration.YARN_RESERVATION_ACL_ENABLE, true);
    conf.set(YarnConfiguration.RM_SCHEDULER, CapacityScheduler.class.getName());
    return conf;
}
Also used : AccessControlList(org.apache.hadoop.security.authorize.AccessControlList) HashMap(java.util.HashMap) ReservationACL(org.apache.hadoop.yarn.api.records.ReservationACL) CapacitySchedulerConfiguration(org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.CapacitySchedulerConfiguration) CapacityScheduler(org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.CapacityScheduler)

Example 3 with ReservationACL

use of org.apache.hadoop.yarn.api.records.ReservationACL in project hadoop by apache.

the class AllocationFileLoaderService method loadQueue.

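/**
 * Loads one queue from a queue element of the allocation file and recurses into its
 * nested queue elements.
 *
 * <p>The map and set arguments are output accumulators. Apart from
 * {@code configuredQueues}, which is keyed by queue type, each is keyed by (or holds) the
 * fully qualified queue name, built as {@code parentName + "." + name}.
 * {@code userMaxApps} is not written here; it is only handed on to the recursive call.
 *
 * <p>Access control: every queue ACL type without an explicit element is filled with a
 * default, {@code EVERYBODY_ACL} for the root queue and {@code NOBODY_ACL} for every other
 * queue. Reservation ACLs get no default in this method; only the elements present in
 * the file are stored, and how a missing entry is interpreted is decided by the consumer
 * of {@code resAcls}.
 *
 * @param parentName fully qualified name of the enclosing queue, or {@code null} at the
 *                   top level
 * @param element    the queue element to read
 * @throws AllocationConfigurationException if the queue name contains a period, is empty
 *         after whitespace trimming, or if a parent queue also declares a reservation
 *         element
 */
private void loadQueue(String parentName, Element element, Map<String, Resource> minQueueResources, Map<String, Resource> maxQueueResources, Map<String, Resource> maxChildQueueResources, Map<String, Integer> queueMaxApps, Map<String, Integer> userMaxApps, Map<String, Float> queueMaxAMShares, Map<String, ResourceWeights> queueWeights, Map<String, SchedulingPolicy> queuePolicies, Map<String, Long> minSharePreemptionTimeouts, Map<String, Long> fairSharePreemptionTimeouts, Map<String, Float> fairSharePreemptionThresholds, Map<String, Map<AccessType, AccessControlList>> queueAcls, Map<String, Map<ReservationACL, AccessControlList>> resAcls, Map<FSQueueType, Set<String>> configuredQueues, Set<String> reservableQueues, Set<String> nonPreemptableQueues) throws AllocationConfigurationException {
    String queueName = CharMatcher.WHITESPACE.trimFrom(element.getAttribute("name"));
    // A period is the hierarchy separator, so it may not appear inside a single name.
    if (queueName.contains(".")) {
        throw new AllocationConfigurationException("Bad fair scheduler config " + "file: queue name (" + queueName + ") shouldn't contain period.");
    }
    if (queueName.isEmpty()) {
        throw new AllocationConfigurationException("Bad fair scheduler config " + "file: queue name shouldn't be empty or " + "consist only of whitespace.");
    }
    if (parentName != null) {
        queueName = parentName + "." + queueName;
    }
    Map<AccessType, AccessControlList> acls = new HashMap<>();
    Map<ReservationACL, AccessControlList> racls = new HashMap<>();
    NodeList fields = element.getChildNodes();
    boolean isLeaf = true;
    boolean isReservable = false;
    for (int j = 0; j < fields.getLength(); j++) {
        Node fieldNode = fields.item(j);
        if (!(fieldNode instanceof Element)) {
            continue;
        }
        Element field = (Element) fieldNode;
        String tag = field.getTagName();
        // NOTE(review): every branch reads the first child as a Text node, so an empty
        // element or one that starts with a comment fails with an unchecked exception
        // instead of an AllocationConfigurationException.
        if ("minResources".equals(tag)) {
            String text = ((Text) field.getFirstChild()).getData().trim();
            Resource val = FairSchedulerConfiguration.parseResourceConfigValue(text);
            minQueueResources.put(queueName, val);
        } else if ("maxResources".equals(tag)) {
            String text = ((Text) field.getFirstChild()).getData().trim();
            Resource val = FairSchedulerConfiguration.parseResourceConfigValue(text);
            maxQueueResources.put(queueName, val);
        } else if ("maxChildResources".equals(tag)) {
            String text = ((Text) field.getFirstChild()).getData().trim();
            Resource val = FairSchedulerConfiguration.parseResourceConfigValue(text);
            maxChildQueueResources.put(queueName, val);
        } else if ("maxRunningApps".equals(tag)) {
            String text = ((Text) field.getFirstChild()).getData().trim();
            int val = Integer.parseInt(text);
            queueMaxApps.put(queueName, val);
        } else if ("maxAMShare".equals(tag)) {
            String text = ((Text) field.getFirstChild()).getData().trim();
            float val = Float.parseFloat(text);
            // Capped at 1.0; no lower bound is applied here.
            val = Math.min(val, 1.0f);
            queueMaxAMShares.put(queueName, val);
        } else if ("weight".equals(tag)) {
            String text = ((Text) field.getFirstChild()).getData().trim();
            double val = Double.parseDouble(text);
            queueWeights.put(queueName, new ResourceWeights((float) val));
        } else if ("minSharePreemptionTimeout".equals(tag)) {
            String text = ((Text) field.getFirstChild()).getData().trim();
            // The stored value is the configured number multiplied by 1000.
            long val = Long.parseLong(text) * 1000L;
            minSharePreemptionTimeouts.put(queueName, val);
        } else if ("fairSharePreemptionTimeout".equals(tag)) {
            String text = ((Text) field.getFirstChild()).getData().trim();
            long val = Long.parseLong(text) * 1000L;
            fairSharePreemptionTimeouts.put(queueName, val);
        } else if ("fairSharePreemptionThreshold".equals(tag)) {
            String text = ((Text) field.getFirstChild()).getData().trim();
            float val = Float.parseFloat(text);
            // Clamped into [0.0, 1.0].
            val = Math.max(Math.min(val, 1.0f), 0.0f);
            fairSharePreemptionThresholds.put(queueName, val);
        } else if ("schedulingPolicy".equals(tag) || "schedulingMode".equals(tag)) {
            String text = ((Text) field.getFirstChild()).getData().trim();
            SchedulingPolicy policy = SchedulingPolicy.parse(text);
            queuePolicies.put(queueName, policy);
        } else if ("aclSubmitApps".equals(tag)) {
            // ACL text is passed on untrimmed, unlike the numeric fields above;
            // presumably whitespace is significant to AccessControlList - confirm.
            String text = ((Text) field.getFirstChild()).getData();
            acls.put(AccessType.SUBMIT_APP, new AccessControlList(text));
        } else if ("aclAdministerApps".equals(tag)) {
            String text = ((Text) field.getFirstChild()).getData();
            acls.put(AccessType.ADMINISTER_QUEUE, new AccessControlList(text));
        } else if ("aclAdministerReservations".equals(tag)) {
            String text = ((Text) field.getFirstChild()).getData();
            racls.put(ReservationACL.ADMINISTER_RESERVATIONS, new AccessControlList(text));
        } else if ("aclListReservations".equals(tag)) {
            String text = ((Text) field.getFirstChild()).getData();
            racls.put(ReservationACL.LIST_RESERVATIONS, new AccessControlList(text));
        } else if ("aclSubmitReservations".equals(tag)) {
            String text = ((Text) field.getFirstChild()).getData();
            racls.put(ReservationACL.SUBMIT_RESERVATIONS, new AccessControlList(text));
        } else if ("reservation".equals(tag)) {
            isReservable = true;
            reservableQueues.add(queueName);
            configuredQueues.get(FSQueueType.PARENT).add(queueName);
        } else if ("allowPreemptionFrom".equals(tag)) {
            String text = ((Text) field.getFirstChild()).getData().trim();
            if (!Boolean.parseBoolean(text)) {
                nonPreemptableQueues.add(queueName);
            }
        } else if ("queue".equals(tag) || "pool".equals(tag)) {
            // Exact match on the tag name. A suffix test ("queue".endsWith(tag)) would
            // also treat elements such as <ue> or <e> as nested queues and load them
            // into the hierarchy, ACL defaults included.
            loadQueue(queueName, field, minQueueResources, maxQueueResources, maxChildQueueResources, queueMaxApps, userMaxApps, queueMaxAMShares, queueWeights, queuePolicies, minSharePreemptionTimeouts, fairSharePreemptionTimeouts, fairSharePreemptionThresholds, queueAcls, resAcls, configuredQueues, reservableQueues, nonPreemptableQueues);
            isLeaf = false;
        }
    }
    // A queue without child queues is a leaf unless it is marked type='parent';
    // in that case, or when it has children, it is stored as a parent queue.
    if (isLeaf && !"parent".equals(element.getAttribute("type"))) {
        configuredQueues.get(FSQueueType.LEAF).add(queueName);
    } else {
        if (isReservable) {
            throw new AllocationConfigurationException("The configuration settings" + " for " + queueName + " are invalid. A queue element that " + "contains child queue elements or that has the type='parent' " + "attribute cannot also include a reservation element.");
        }
        configuredQueues.get(FSQueueType.PARENT).add(queueName);
    }
    // Fill in queue ACLs that the file did not define: the root queue defaults to
    // EVERYBODY_ACL, every other queue to NOBODY_ACL.
    for (QueueACL acl : QueueACL.values()) {
        AccessType accessType = SchedulerUtils.toAccessType(acl);
        if (acls.get(accessType) == null) {
            AccessControlList defaultAcl = queueName.equals(ROOT) ? EVERYBODY_ACL : NOBODY_ACL;
            acls.put(accessType, defaultAcl);
        }
    }
    queueAcls.put(queueName, acls);
    // Reservation ACLs are stored as configured; no defaults are added for them here.
    resAcls.put(queueName, racls);
    // An inconsistent min/max pair is only logged; it does not reject the configuration.
    if (maxQueueResources.containsKey(queueName) && minQueueResources.containsKey(queueName) && !Resources.fitsIn(minQueueResources.get(queueName), maxQueueResources.get(queueName))) {
        LOG.warn(String.format("Queue %s has max resources %s less than " + "min resources %s", queueName, maxQueueResources.get(queueName), minQueueResources.get(queueName)));
    }
}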
Also used : AccessControlList(org.apache.hadoop.security.authorize.AccessControlList) HashMap(java.util.HashMap) NodeList(org.w3c.dom.NodeList) Node(org.w3c.dom.Node) Element(org.w3c.dom.Element) Resource(org.apache.hadoop.yarn.api.records.Resource) QueueACL(org.apache.hadoop.yarn.api.records.QueueACL) Text(org.w3c.dom.Text) ResourceWeights(org.apache.hadoop.yarn.server.resourcemanager.resource.ResourceWeights) ReservationACL(org.apache.hadoop.yarn.api.records.ReservationACL) AccessType(org.apache.hadoop.yarn.security.AccessType)
