Example 1 with AccessRequest
use of org.apache.hadoop.yarn.security.AccessRequest in project hadoop by apache.
the class RMAppManager method createAndPopulateNewRMApp.
private RMAppImpl createAndPopulateNewRMApp(ApplicationSubmissionContext submissionContext, long submitTime, String user, boolean isRecovery, long startTime) throws YarnException {
if (!isRecovery) {
// Do queue mapping
if (rmContext.getQueuePlacementManager() != null) {
// We only do queue mapping when it's a new application
rmContext.getQueuePlacementManager().placeApplication(submissionContext, user);
}
// fail the submission if configured application timeout value is invalid
RMServerUtils.validateApplicationTimeouts(submissionContext.getApplicationTimeouts());
}
ApplicationId applicationId = submissionContext.getApplicationId();
ResourceRequest amReq = null;
try {
amReq = validateAndCreateResourceRequest(submissionContext, isRecovery);
} catch (InvalidLabelResourceRequestException e) {
// after recovery and user can see what's going on and react accordingly.
if (isRecovery && !YarnConfiguration.areNodeLabelsEnabled(this.conf)) {
if (LOG.isDebugEnabled()) {
LOG.debug("AMResourceRequest is not created for " + applicationId + ". NodeLabel is not enabled in cluster, but AM resource " + "request contains a label expression.");
}
} else {
throw e;
}
}
// Verify and get the update application priority and set back to
// submissionContext
UserGroupInformation userUgi = UserGroupInformation.createRemoteUser(user);
Priority appPriority = scheduler.checkAndGetApplicationPriority(submissionContext.getPriority(), userUgi, submissionContext.getQueue(), applicationId);
submissionContext.setPriority(appPriority);
// For now, exclude FS for the acl check.
if (!isRecovery && YarnConfiguration.isAclEnabled(conf) && scheduler instanceof CapacityScheduler) {
String queueName = submissionContext.getQueue();
String appName = submissionContext.getApplicationName();
CSQueue csqueue = ((CapacityScheduler) scheduler).getQueue(queueName);
if (null != csqueue && !authorizer.checkPermission(new AccessRequest(csqueue.getPrivilegedEntity(), userUgi, SchedulerUtils.toAccessType(QueueACL.SUBMIT_APPLICATIONS), applicationId.toString(), appName, Server.getRemoteAddress(), null)) && !authorizer.checkPermission(new AccessRequest(csqueue.getPrivilegedEntity(), userUgi, SchedulerUtils.toAccessType(QueueACL.ADMINISTER_QUEUE), applicationId.toString(), appName, Server.getRemoteAddress(), null))) {
throw RPCUtil.getRemoteException(new AccessControlException("User " + user + " does not have permission to submit " + applicationId + " to queue " + submissionContext.getQueue()));
}
}
// Create RMApp
RMAppImpl application = new RMAppImpl(applicationId, rmContext, this.conf, submissionContext.getApplicationName(), user, submissionContext.getQueue(), submissionContext, this.scheduler, this.masterService, submitTime, submissionContext.getApplicationType(), submissionContext.getApplicationTags(), amReq, startTime);
// influence each other
if (rmContext.getRMApps().putIfAbsent(applicationId, application) != null) {
String message = "Application with id " + applicationId + " is already present! Cannot add a duplicate!";
LOG.warn(message);
throw new YarnException(message);
}
if (YarnConfiguration.timelineServiceV2Enabled(conf)) {
// Start timeline collector for the submitted app
application.startTimelineCollector();
}
// Inform the ACLs Manager
this.applicationACLsManager.addApplication(applicationId, submissionContext.getAMContainerSpec().getApplicationACLs());
String appViewACLs = submissionContext.getAMContainerSpec().getApplicationACLs().get(ApplicationAccessType.VIEW_APP);
rmContext.getSystemMetricsPublisher().appACLsUpdated(application, appViewACLs, System.currentTimeMillis());
return application;
}
Also used :
RMAppImpl(org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppImpl)
AccessRequest(org.apache.hadoop.yarn.security.AccessRequest)
Priority(org.apache.hadoop.yarn.api.records.Priority)
AccessControlException(org.apache.hadoop.security.AccessControlException)
ResourceRequest(org.apache.hadoop.yarn.api.records.ResourceRequest)
InvalidLabelResourceRequestException(org.apache.hadoop.yarn.exceptions.InvalidLabelResourceRequestException)
ApplicationId(org.apache.hadoop.yarn.api.records.ApplicationId)
CapacityScheduler(org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.CapacityScheduler)
CSQueue(org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.CSQueue)
YarnException(org.apache.hadoop.yarn.exceptions.YarnException)
UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)
Aggregations
AccessControlException (org.apache.hadoop.security.AccessControlException)1
UserGroupInformation (org.apache.hadoop.security.UserGroupInformation)1
ApplicationId (org.apache.hadoop.yarn.api.records.ApplicationId)1
Priority (org.apache.hadoop.yarn.api.records.Priority)1
ResourceRequest (org.apache.hadoop.yarn.api.records.ResourceRequest)1
InvalidLabelResourceRequestException (org.apache.hadoop.yarn.exceptions.InvalidLabelResourceRequestException)1
YarnException (org.apache.hadoop.yarn.exceptions.YarnException)1
AccessRequest (org.apache.hadoop.yarn.security.AccessRequest)1
RMAppImpl (org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppImpl)1
CSQueue (org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.CSQueue)1
CapacityScheduler (org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.CapacityScheduler)1
