
Example 1 with QueueACLsManager

use of org.apache.hadoop.yarn.server.resourcemanager.security.QueueACLsManager in project hadoop by apache.

the class TestClientRMService method testGetQueueInfo.

/**
 * Verifies that ClientRMService#getQueueInfo only lists applications when
 * the ACL managers grant access.
 *
 * With both ACL mocks answering {@code true}, two applications are expected
 * for "testqueue". With both answering {@code false}, the application list
 * must be empty. A lookup of a nonexistent queue must not throw.
 */
@Test
public void testGetQueueInfo() throws Exception {
    YarnScheduler scheduler = mock(YarnScheduler.class);
    RMContext context = mock(RMContext.class);
    mockRMContext(scheduler, context);

    // Permissive case: every queue ACL and application ACL check is granted.
    ApplicationACLsManager allowAllAppAcls = mock(ApplicationACLsManager.class);
    QueueACLsManager allowAllQueueAcls = mock(QueueACLsManager.class);
    when(allowAllQueueAcls.checkAccess(
        any(UserGroupInformation.class), any(QueueACL.class), any(RMApp.class), any(String.class), any()))
        .thenReturn(true);
    when(allowAllAppAcls.checkAccess(
        any(UserGroupInformation.class), any(ApplicationAccessType.class), anyString(), any(ApplicationId.class)))
        .thenReturn(true);
    ClientRMService permissiveService =
        new ClientRMService(context, scheduler, null, allowAllAppAcls, allowAllQueueAcls, null);

    GetQueueInfoRequest request = recordFactory.newRecordInstance(GetQueueInfoRequest.class);
    request.setQueueName("testqueue");
    request.setIncludeApplications(true);
    GetQueueInfoResponse permittedResponse = permissiveService.getQueueInfo(request);
    Assert.assertEquals(2, permittedResponse.getQueueInfo().getApplications().size());

    // A queue that does not exist must be handled without an exception;
    // the response itself is not inspected.
    request.setQueueName("nonexistentqueue");
    request.setIncludeApplications(true);
    permissiveService.getQueueInfo(request);

    // Restrictive case: every queue ACL and application ACL check is denied,
    // so no application may be disclosed in the queue info.
    ApplicationACLsManager denyAllAppAcls = mock(ApplicationACLsManager.class);
    QueueACLsManager denyAllQueueAcls = mock(QueueACLsManager.class);
    when(denyAllQueueAcls.checkAccess(
        any(UserGroupInformation.class), any(QueueACL.class), any(RMApp.class), any(String.class), any()))
        .thenReturn(false);
    when(denyAllAppAcls.checkAccess(
        any(UserGroupInformation.class), any(ApplicationAccessType.class), anyString(), any(ApplicationId.class)))
        .thenReturn(false);
    ClientRMService restrictiveService =
        new ClientRMService(context, scheduler, null, denyAllAppAcls, denyAllQueueAcls, null);

    request.setQueueName("testqueue");
    request.setIncludeApplications(true);
    GetQueueInfoResponse deniedResponse = restrictiveService.getQueueInfo(request);
    List<ApplicationReport> visibleApps = deniedResponse.getQueueInfo().getApplications();
    Assert.assertEquals(0, visibleApps.size());
}
Also used : RMApp(org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp) GetQueueInfoRequest(org.apache.hadoop.yarn.api.protocolrecords.GetQueueInfoRequest) GetQueueInfoResponse(org.apache.hadoop.yarn.api.protocolrecords.GetQueueInfoResponse) QueueACL(org.apache.hadoop.yarn.api.records.QueueACL) Matchers.anyString(org.mockito.Matchers.anyString) ApplicationReport(org.apache.hadoop.yarn.api.records.ApplicationReport) ApplicationACLsManager(org.apache.hadoop.yarn.server.security.ApplicationACLsManager) ApplicationAccessType(org.apache.hadoop.yarn.api.records.ApplicationAccessType) YarnScheduler(org.apache.hadoop.yarn.server.resourcemanager.scheduler.YarnScheduler) QueueACLsManager(org.apache.hadoop.yarn.server.resourcemanager.security.QueueACLsManager) ApplicationId(org.apache.hadoop.yarn.api.records.ApplicationId) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Test(org.junit.Test)

Example 2 with QueueACLsManager

use of org.apache.hadoop.yarn.server.resourcemanager.security.QueueACLsManager in project hadoop by apache.

the class TestClientRMService method testGetApplications.

/**
 * Exercises the filters of ClientRMService#getApplications() (limit, start
 * range, queue, user, tags and scope) against a service whose queue ACL mock
 * grants every check and whose application ACL mock grants VIEW_APP to the
 * current user for each submitted application.
 */
@Test
public void testGetApplications() throws IOException, YarnException {
    /*
     * 1. Submit 3 applications alternately in two queues
     * 2. Test each of the filters
     */
    // Basic setup
    YarnScheduler yarnScheduler = mockYarnScheduler();
    RMContext rmContext = mock(RMContext.class);
    mockRMContext(yarnScheduler, rmContext);
    RMStateStore stateStore = mock(RMStateStore.class);
    when(rmContext.getStateStore()).thenReturn(stateStore);
    doReturn(mock(RMTimelineCollectorManager.class)).when(rmContext).getRMTimelineCollectorManager();
    RMAppManager appManager = new RMAppManager(rmContext, yarnScheduler, null, mock(ApplicationACLsManager.class), new Configuration());
    // Events dispatched during submission are discarded by a no-op handler.
    when(rmContext.getDispatcher().getEventHandler()).thenReturn(new EventHandler<Event>() {

        public void handle(Event event) {
        }
    });
    // ACL setup: the queue ACL mock answers true for every checkAccess call,
    // so queue-level authorization never restricts the results below.
    ApplicationACLsManager mockAclsManager = mock(ApplicationACLsManager.class);
    QueueACLsManager mockQueueACLsManager = mock(QueueACLsManager.class);
    when(mockQueueACLsManager.checkAccess(any(UserGroupInformation.class), any(QueueACL.class), any(RMApp.class), any(String.class), any())).thenReturn(true);
    ClientRMService rmService = new ClientRMService(rmContext, yarnScheduler, appManager, mockAclsManager, mockQueueACLsManager, null);
    rmService.init(new Configuration());
    // Initialize appnames and queues
    String[] queues = { QUEUE_1, QUEUE_2 };
    String[] appNames = { MockApps.newAppName(), MockApps.newAppName(), MockApps.newAppName() };
    ApplicationId[] appIds = { getApplicationId(101), getApplicationId(102), getApplicationId(103) };
    List<String> tags = Arrays.asList("Tag1", "Tag2", "Tag3");
    long[] submitTimeMillis = new long[3];
    // Submit applications: app i goes to queues[i % 2] and carries the first
    // i + 1 tags, so Tag1 is on three apps, Tag2 on two and Tag3 on one.
    for (int i = 0; i < appIds.length; i++) {
        ApplicationId appId = appIds[i];
        // Grant the current user VIEW_APP on this application only.
        when(mockAclsManager.checkAccess(UserGroupInformation.getCurrentUser(), ApplicationAccessType.VIEW_APP, null, appId)).thenReturn(true);
        SubmitApplicationRequest submitRequest = mockSubmitAppRequest(appId, appNames[i], queues[i % queues.length], new HashSet<String>(tags.subList(0, i + 1)));
        rmService.submitApplication(submitRequest);
        // Timestamp is taken after the submit call returns.
        // NOTE(review): the start-range assertions below rely on this value
        // being later than the app's recorded start time; a same-millisecond
        // submission could presumably make them flaky, confirm.
        submitTimeMillis[i] = System.currentTimeMillis();
    }
    // Test different cases of ClientRMService#getApplications()
    // NOTE(review): 6 apps are expected although only 3 are submitted here;
    // presumably mockRMContext() pre-registers the other 3, confirm.
    GetApplicationsRequest request = GetApplicationsRequest.newInstance();
    assertEquals("Incorrect total number of apps", 6, rmService.getApplications(request).getApplicationList().size());
    // Check limit
    request.setLimit(1L);
    assertEquals("Failed to limit applications", 1, rmService.getApplications(request).getApplicationList().size());
    // Check start range
    request = GetApplicationsRequest.newInstance();
    request.setStartRange(submitTimeMillis[0], System.currentTimeMillis());
    // 2 applications are submitted after the first timestamp
    assertEquals("Incorrect number of matching start range", 2, rmService.getApplications(request).getApplicationList().size());
    // 1 application is submitted after the second timestamp
    request.setStartRange(submitTimeMillis[1], System.currentTimeMillis());
    assertEquals("Incorrect number of matching start range", 1, rmService.getApplications(request).getApplicationList().size());
    // no application is submitted after the third timestamp
    request.setStartRange(submitTimeMillis[2], System.currentTimeMillis());
    assertEquals("Incorrect number of matching start range", 0, rmService.getApplications(request).getApplicationList().size());
    // Check queue: queueSet is handed to the request first and filled in
    // afterwards, so later additions are presumably seen through the same set.
    request = GetApplicationsRequest.newInstance();
    Set<String> queueSet = new HashSet<String>();
    request.setQueues(queueSet);
    queueSet.add(queues[0]);
    assertEquals("Incorrect number of applications in queue", 2, rmService.getApplications(request).getApplicationList().size());
    // Same filter through the two-argument overload; the meaning of the
    // boolean is not visible in this listing.
    assertEquals("Incorrect number of applications in queue", 2, rmService.getApplications(request, false).getApplicationList().size());
    queueSet.add(queues[1]);
    assertEquals("Incorrect number of applications in queue", 3, rmService.getApplications(request).getApplicationList().size());
    // Check user: an unknown user matches nothing; adding the current user
    // matches the 3 applications expected for that user.
    request = GetApplicationsRequest.newInstance();
    Set<String> userSet = new HashSet<String>();
    request.setUsers(userSet);
    userSet.add("random-user-name");
    assertEquals("Incorrect number of applications for user", 0, rmService.getApplications(request).getApplicationList().size());
    userSet.add(UserGroupInformation.getCurrentUser().getShortUserName());
    assertEquals("Incorrect number of applications for user", 3, rmService.getApplications(request).getApplicationList().size());
    // Check tags: an empty tag set is expected to apply no filter (6 apps);
    // Tag1, Tag2 and Tag3 are expected to match 3, 2 and 1 apps respectively.
    request = GetApplicationsRequest.newInstance(ApplicationsRequestScope.ALL, null, null, null, null, null, null, null, null);
    Set<String> tagSet = new HashSet<String>();
    request.setApplicationTags(tagSet);
    assertEquals("Incorrect number of matching tags", 6, rmService.getApplications(request).getApplicationList().size());
    tagSet = Sets.newHashSet(tags.get(0));
    request.setApplicationTags(tagSet);
    assertEquals("Incorrect number of matching tags", 3, rmService.getApplications(request).getApplicationList().size());
    tagSet = Sets.newHashSet(tags.get(1));
    request.setApplicationTags(tagSet);
    assertEquals("Incorrect number of matching tags", 2, rmService.getApplications(request).getApplicationList().size());
    tagSet = Sets.newHashSet(tags.get(2));
    request.setApplicationTags(tagSet);
    assertEquals("Incorrect number of matching tags", 1, rmService.getApplications(request).getApplicationList().size());
    // Check scope: VIEWABLE is expected to return all 6 apps, OWN only 3.
    request = GetApplicationsRequest.newInstance(ApplicationsRequestScope.VIEWABLE);
    assertEquals("Incorrect number of applications for the scope", 6, rmService.getApplications(request).getApplicationList().size());
    request = GetApplicationsRequest.newInstance(ApplicationsRequestScope.OWN);
    assertEquals("Incorrect number of applications for the scope", 3, rmService.getApplications(request).getApplicationList().size());
}
Also used : RMApp(org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp) CapacitySchedulerConfiguration(org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.CapacitySchedulerConfiguration) Configuration(org.apache.hadoop.conf.Configuration) YarnConfiguration(org.apache.hadoop.yarn.conf.YarnConfiguration) Matchers.anyString(org.mockito.Matchers.anyString) SubmitApplicationRequest(org.apache.hadoop.yarn.api.protocolrecords.SubmitApplicationRequest) GetApplicationsRequest(org.apache.hadoop.yarn.api.protocolrecords.GetApplicationsRequest) RMTimelineCollectorManager(org.apache.hadoop.yarn.server.resourcemanager.timelineservice.RMTimelineCollectorManager) ApplicationACLsManager(org.apache.hadoop.yarn.server.security.ApplicationACLsManager) YarnScheduler(org.apache.hadoop.yarn.server.resourcemanager.scheduler.YarnScheduler) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) HashSet(java.util.HashSet) RMStateStore(org.apache.hadoop.yarn.server.resourcemanager.recovery.RMStateStore) QueueACL(org.apache.hadoop.yarn.api.records.QueueACL) QueueACLsManager(org.apache.hadoop.yarn.server.resourcemanager.security.QueueACLsManager) Event(org.apache.hadoop.yarn.event.Event) RMAppEvent(org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppEvent) ApplicationId(org.apache.hadoop.yarn.api.records.ApplicationId) Test(org.junit.Test)

Example 3 with QueueACLsManager

use of org.apache.hadoop.yarn.server.resourcemanager.security.QueueACLsManager in project hadoop by apache.

the class TestClientRMService method testMoveApplicationAdminTargetQueue.

/**
 * Verifies the authorization outcome of moving an application to a target
 * queue, using a queue ACL manager built for one queue, the
 * ADMINISTER_QUEUE ACL and one user.
 *
 * Covered cases: a move to the queue named in the ACL is accepted, a move to
 * another queue is rejected, a move by a caller other than the ACL user is
 * rejected, and the same move run as the ACL user is accepted. A rejection
 * must surface as a YarnException caused by an AccessControlException.
 */
@Test
public void testMoveApplicationAdminTargetQueue() throws Exception {
    ApplicationId applicationId = getApplicationId(1);

    // Scenario A: the ACL is built for the user running the test.
    UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
    QueueACLsManager currentUserQueueAcls =
        getQueueAclManager("allowed_queue", QueueACL.ADMINISTER_QUEUE, currentUser);
    ApplicationACLsManager currentUserAppAcls = getAppAclManager();
    ClientRMService rmService = createClientRMServiceForMoveApplicationRequest(
        applicationId, currentUser.getShortUserName(), currentUserAppAcls, currentUserQueueAcls);

    // Target queue is the one named in the ACL: the move must go through.
    MoveApplicationAcrossQueuesRequest toAllowedQueue =
        MoveApplicationAcrossQueuesRequest.newInstance(applicationId, "allowed_queue");
    rmService.moveApplicationAcrossQueues(toAllowedQueue);

    // Target queue is not the one named in the ACL: the move must be denied.
    MoveApplicationAcrossQueuesRequest toOtherQueue =
        MoveApplicationAcrossQueuesRequest.newInstance(applicationId, "not_allowed");
    try {
        rmService.moveApplicationAcrossQueues(toOtherQueue);
        Assert.fail("The request should fail with an AccessControlException");
    } catch (YarnException denied) {
        Assert.assertTrue("AccessControlException is expected", denied.getCause() instanceof AccessControlException);
    }

    // Scenario B: the ACL is built for "moveuser", but the call is made by
    // the user running the test.
    UserGroupInformation moveUser = UserGroupInformation.createUserForTesting("moveuser", new String[] {});
    QueueACLsManager moveUserQueueAcls =
        getQueueAclManager("move_queue", QueueACL.ADMINISTER_QUEUE, moveUser);
    ApplicationACLsManager moveUserAppAcls = getAppAclManager();
    ClientRMService rmService2 = createClientRMServiceForMoveApplicationRequest(
        applicationId, moveUser.getShortUserName(), moveUserAppAcls, moveUserQueueAcls);

    // The caller is not "moveuser": the move must be denied.
    MoveApplicationAcrossQueuesRequest moveAppRequest2 =
        MoveApplicationAcrossQueuesRequest.newInstance(applicationId, "move_queue");
    try {
        rmService2.moveApplicationAcrossQueues(moveAppRequest2);
        Assert.fail("The request should fail with an AccessControlException");
    } catch (YarnException denied) {
        Assert.assertTrue("AccessControlException is expected", denied.getCause() instanceof AccessControlException);
    }

    // The identical request run as "moveuser" must succeed; any exception
    // thrown inside doAs fails the test.
    PrivilegedExceptionAction<Object> moveAsAclUser = new PrivilegedExceptionAction<Object>() {

        @Override
        public Object run() throws Exception {
            return rmService2.moveApplicationAcrossQueues(moveAppRequest2);
        }
    };
    moveUser.doAs(moveAsAclUser);
}
Also used : AccessControlException(java.security.AccessControlException) Matchers.anyString(org.mockito.Matchers.anyString) YarnException(org.apache.hadoop.yarn.exceptions.YarnException) ApplicationNotFoundException(org.apache.hadoop.yarn.exceptions.ApplicationNotFoundException) IOException(java.io.IOException) BrokenBarrierException(java.util.concurrent.BrokenBarrierException) AccessControlException(java.security.AccessControlException) YarnException(org.apache.hadoop.yarn.exceptions.YarnException) ApplicationACLsManager(org.apache.hadoop.yarn.server.security.ApplicationACLsManager) MoveApplicationAcrossQueuesRequest(org.apache.hadoop.yarn.api.protocolrecords.MoveApplicationAcrossQueuesRequest) QueueACLsManager(org.apache.hadoop.yarn.server.resourcemanager.security.QueueACLsManager) ApplicationId(org.apache.hadoop.yarn.api.records.ApplicationId) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Test(org.junit.Test)

Example 4 with QueueACLsManager

use of org.apache.hadoop.yarn.server.resourcemanager.security.QueueACLsManager in project hadoop by apache.

the class TestClientRMService method getQueueAclManager.

/**
 * Creates a mocked QueueACLsManager that simulates a missing target queue:
 * the checkAccess overload that additionally takes a target queue always
 * answers {@code false}, while the overload without it always answers
 * {@code true}.
 *
 * Both answers are unconditional stubs, so tests using this mock do not
 * exercise real ACL evaluation.
 *
 * @return the stubbed QueueACLsManager mock
 */
private QueueACLsManager getQueueAclManager() {
    QueueACLsManager stubbedAcls = mock(QueueACLsManager.class);

    // Overload with the trailing String argument: always denied.
    when(stubbedAcls.checkAccess(
        any(UserGroupInformation.class),
        any(QueueACL.class),
        any(RMApp.class),
        any(String.class),
        anyListOf(String.class),
        any(String.class)))
        .thenReturn(false);

    // Overload without the trailing String argument: always granted.
    when(stubbedAcls.checkAccess(
        any(UserGroupInformation.class),
        any(QueueACL.class),
        any(RMApp.class),
        any(String.class),
        anyListOf(String.class)))
        .thenReturn(true);

    return stubbedAcls;
}
Also used : RMApp(org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp) QueueACLsManager(org.apache.hadoop.yarn.server.resourcemanager.security.QueueACLsManager) QueueACL(org.apache.hadoop.yarn.api.records.QueueACL) Matchers.anyString(org.mockito.Matchers.anyString) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Example 5 with QueueACLsManager

use of org.apache.hadoop.yarn.server.resourcemanager.security.QueueACLsManager in project hadoop by apache.

the class TestClientRMService method createRMService.

/**
 * Builds a ClientRMService wired to mocked collaborators for use in tests.
 *
 * The queue ACL mock grants every checkAccess call. The application ACL
 * mock is left unstubbed, so Mockito's default answer ({@code false} for
 * boolean methods) applies to it.
 *
 * @return a ClientRMService backed by the mocked context and scheduler
 * @throws IOException declared by the helpers used during setup
 * @throws YarnException declared by the helpers used during setup
 */
public ClientRMService createRMService() throws IOException, YarnException {
    YarnScheduler scheduler = mockYarnScheduler();
    RMContext context = mock(RMContext.class);
    mockRMContext(scheduler, context);

    // Expose the prepared application map and a fresh configuration
    // through the mocked context.
    ConcurrentHashMap<ApplicationId, RMApp> registeredApps = getRMApps(context, scheduler);
    when(context.getRMApps()).thenReturn(registeredApps);
    when(context.getYarnConfiguration()).thenReturn(new Configuration());

    RMAppManager appManager =
        new RMAppManager(context, scheduler, null, mock(ApplicationACLsManager.class), new Configuration());

    // Events are discarded by a handler that does nothing.
    EventHandler<Event> discardingHandler = new EventHandler<Event>() {

        public void handle(Event event) {
        }
    };
    when(context.getDispatcher().getEventHandler()).thenReturn(discardingHandler);

    ApplicationACLsManager appAcls = mock(ApplicationACLsManager.class);
    QueueACLsManager allowAllQueueAcls = mock(QueueACLsManager.class);
    when(allowAllQueueAcls.checkAccess(
        any(UserGroupInformation.class), any(QueueACL.class), any(RMApp.class), any(String.class), any()))
        .thenReturn(true);

    return new ClientRMService(context, scheduler, appManager, appAcls, allowAllQueueAcls, null);
}
Also used : RMApp(org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp) CapacitySchedulerConfiguration(org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.CapacitySchedulerConfiguration) Configuration(org.apache.hadoop.conf.Configuration) YarnConfiguration(org.apache.hadoop.yarn.conf.YarnConfiguration) QueueACL(org.apache.hadoop.yarn.api.records.QueueACL) Matchers.anyString(org.mockito.Matchers.anyString) ApplicationACLsManager(org.apache.hadoop.yarn.server.security.ApplicationACLsManager) YarnScheduler(org.apache.hadoop.yarn.server.resourcemanager.scheduler.YarnScheduler) QueueACLsManager(org.apache.hadoop.yarn.server.resourcemanager.security.QueueACLsManager) Event(org.apache.hadoop.yarn.event.Event) RMAppEvent(org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppEvent) ApplicationId(org.apache.hadoop.yarn.api.records.ApplicationId) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)
