
Example 6 with QueueACLsManager

use of org.apache.hadoop.yarn.server.resourcemanager.security.QueueACLsManager in project hadoop by apache.

the class TestClientRMService method testAppSubmit.

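/**
 * Submits applications through {@link ClientRMService} and checks the name, queue and
 * application-type bookkeeping of the resulting {@code RMApp} entries.
 *
 * <p>Both ACL managers are Mockito mocks. The queue ACL mock grants every request and the
 * application ACL mock grants {@code VIEW_APP} for one exact argument tuple, so this test
 * covers submission bookkeeping only. It does not show that authorization is enforced.
 *
 * @throws Exception if building the fixtures or querying the service fails
 */
@Test(timeout = 30000)
@SuppressWarnings("rawtypes")
public void testAppSubmit() throws Exception {
    YarnScheduler yarnScheduler = mockYarnScheduler();
    RMContext rmContext = mock(RMContext.class);
    mockRMContext(yarnScheduler, rmContext);
    RMStateStore stateStore = mock(RMStateStore.class);
    when(rmContext.getStateStore()).thenReturn(stateStore);
    RMAppManager appManager = new RMAppManager(rmContext, yarnScheduler, null, mock(ApplicationACLsManager.class), new Configuration());
    // Events raised during submission are discarded: the handler is a no-op.
    when(rmContext.getDispatcher().getEventHandler()).thenReturn(new EventHandler<Event>() {

        @Override
        public void handle(Event event) {
        }
    });
    doReturn(mock(RMTimelineCollectorManager.class)).when(rmContext).getRMTimelineCollectorManager();
    ApplicationId appId1 = getApplicationId(100);
    // Application ACL mock: only this exact argument tuple is stubbed to return true.
    ApplicationACLsManager mockAclsManager = mock(ApplicationACLsManager.class);
    when(mockAclsManager.checkAccess(UserGroupInformation.getCurrentUser(), ApplicationAccessType.VIEW_APP, null, appId1)).thenReturn(true);
    // Queue ACL mock: allow-all, whatever the user, ACL type, app or queue.
    QueueACLsManager mockQueueACLsManager = mock(QueueACLsManager.class);
    when(mockQueueACLsManager.checkAccess(any(UserGroupInformation.class), any(QueueACL.class), any(RMApp.class), any(String.class), any())).thenReturn(true);
    ClientRMService rmService = new ClientRMService(rmContext, yarnScheduler, appManager, mockAclsManager, mockQueueACLsManager, null);
    rmService.init(new Configuration());
    // without name and queue
    SubmitApplicationRequest submitRequest1 = mockSubmitAppRequest(appId1, null, null);
    try {
        rmService.submitApplication(submitRequest1);
    } catch (YarnException e) {
        // Same failure message as before, but keep the cause so the stack trace is reported.
        throw new AssertionError("Exception is not expected.", e);
    }
    RMApp app1 = rmContext.getRMApps().get(appId1);
    Assert.assertNotNull("app doesn't exist", app1);
    Assert.assertEquals("app name doesn't match", YarnConfiguration.DEFAULT_APPLICATION_NAME, app1.getName());
    Assert.assertEquals("app queue doesn't match", YarnConfiguration.DEFAULT_QUEUE_NAME, app1.getQueue());
    // with name and queue
    String name = MockApps.newAppName();
    String queue = MockApps.newQueue();
    ApplicationId appId2 = getApplicationId(101);
    SubmitApplicationRequest submitRequest2 = mockSubmitAppRequest(appId2, name, queue);
    submitRequest2.getApplicationSubmissionContext().setApplicationType("matchType");
    try {
        rmService.submitApplication(submitRequest2);
    } catch (YarnException e) {
        throw new AssertionError("Exception is not expected.", e);
    }
    RMApp app2 = rmContext.getRMApps().get(appId2);
    Assert.assertNotNull("app doesn't exist", app2);
    Assert.assertEquals("app name doesn't match", name, app2.getName());
    Assert.assertEquals("app queue doesn't match", queue, app2.getQueue());
    // duplicate appId: resubmitting the same request must not raise a YarnException
    try {
        rmService.submitApplication(submitRequest2);
    } catch (YarnException e) {
        throw new AssertionError("Exception is not expected.", e);
    }
    // An empty type filter returns every application. Only two are submitted here, so the
    // expected total of 5 presumably includes apps pre-registered by mockRMContext - confirm.
    GetApplicationsRequest getAllAppsRequest = GetApplicationsRequest.newInstance(new HashSet<>());
    GetApplicationsResponse getAllApplicationsResponse = rmService.getApplications(getAllAppsRequest);
    Assert.assertEquals(5, getAllApplicationsResponse.getApplicationList().size());
    // Filtering on the type set above must return only the second application.
    Set<String> appTypes = new HashSet<>();
    appTypes.add("matchType");
    getAllAppsRequest = GetApplicationsRequest.newInstance(appTypes);
    getAllApplicationsResponse = rmService.getApplications(getAllAppsRequest);
    Assert.assertEquals(1, getAllApplicationsResponse.getApplicationList().size());
    Assert.assertEquals(appId2, getAllApplicationsResponse.getApplicationList().get(0).getApplicationId());
}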
Also used : RMApp(org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp) RMStateStore(org.apache.hadoop.yarn.server.resourcemanager.recovery.RMStateStore) CapacitySchedulerConfiguration(org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.CapacitySchedulerConfiguration) Configuration(org.apache.hadoop.conf.Configuration) YarnConfiguration(org.apache.hadoop.yarn.conf.YarnConfiguration) QueueACL(org.apache.hadoop.yarn.api.records.QueueACL) Matchers.anyString(org.mockito.Matchers.anyString) SubmitApplicationRequest(org.apache.hadoop.yarn.api.protocolrecords.SubmitApplicationRequest) YarnException(org.apache.hadoop.yarn.exceptions.YarnException) GetApplicationsRequest(org.apache.hadoop.yarn.api.protocolrecords.GetApplicationsRequest) ApplicationACLsManager(org.apache.hadoop.yarn.server.security.ApplicationACLsManager) RMTimelineCollectorManager(org.apache.hadoop.yarn.server.resourcemanager.timelineservice.RMTimelineCollectorManager) YarnScheduler(org.apache.hadoop.yarn.server.resourcemanager.scheduler.YarnScheduler) GetApplicationsResponse(org.apache.hadoop.yarn.api.protocolrecords.GetApplicationsResponse) QueueACLsManager(org.apache.hadoop.yarn.server.resourcemanager.security.QueueACLsManager) Event(org.apache.hadoop.yarn.event.Event) RMAppEvent(org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppEvent) ApplicationId(org.apache.hadoop.yarn.api.records.ApplicationId) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) HashSet(java.util.HashSet) Test(org.junit.Test)

Example 7 with QueueACLsManager

use of org.apache.hadoop.yarn.server.resourcemanager.security.QueueACLsManager in project hadoop by apache.

the class TestApplicationACLs method setup.

/**
 * Starts a {@code MockRM} with YARN ACLs enabled and opens a client proxy to it as
 * {@code APP_OWNER}.
 *
 * <p>The queue ACL manager is replaced by a mock whose answer is the current value of
 * {@code isQueueUser} for every call. Queue-level decisions in this fixture are therefore
 * driven by that flag, not by any configured queue ACL.
 *
 * @throws InterruptedException if the wait for the ResourceManager is interrupted
 * @throws IOException if the ResourceManager does not reach {@code STARTED}
 */
@BeforeClass
public static void setup() throws InterruptedException, IOException {
    // The returned store is not referenced again in this method.
    RMStateStore store = RMStateStoreFactory.getStore(conf);
    conf.setBoolean(YarnConfiguration.YARN_ACL_ENABLE, true);
    // Admin ACL: built from an empty ACL string, then SUPER_GROUP is added as the only entry.
    AccessControlList adminAcl = new AccessControlList("");
    adminAcl.addGroup(SUPER_GROUP);
    conf.set(YarnConfiguration.YARN_ADMIN_ACL, adminAcl.getAclString());
    resourceManager = new MockRM(conf) {

        @Override
        protected QueueACLsManager createQueueACLsManager(ResourceScheduler scheduler, Configuration conf) {
            // The answer ignores user, ACL type, app and queue: it is whatever isQueueUser
            // holds at the moment of the call.
            QueueACLsManager queueAcls = mock(QueueACLsManager.class);
            when(queueAcls.checkAccess(any(UserGroupInformation.class), any(QueueACL.class), any(RMApp.class), any(String.class), any())).thenAnswer(invocation -> isQueueUser);
            return queueAcls;
        }

        @Override
        protected ClientRMService createClientRMService() {
            return new ClientRMService(getRMContext(), this.scheduler, this.rmAppManager, this.applicationACLsManager, this.queueACLsManager, null);
        }
    };
    // Register the test identities and start the RM off the calling thread:
    // ENEMY has no groups, FRIEND is in FRIENDLY_GROUP, SUPER_USER is in SUPER_GROUP.
    Thread rmStarter = new Thread(() -> {
        UserGroupInformation.createUserForTesting(ENEMY, new String[0]);
        UserGroupInformation.createUserForTesting(FRIEND, new String[] { FRIENDLY_GROUP });
        UserGroupInformation.createUserForTesting(SUPER_USER, new String[] { SUPER_GROUP });
        resourceManager.start();
    });
    rmStarter.start();
    // Poll while the RM is still INITED: at most 60 rounds of 1.5 s each.
    for (int attempt = 0; resourceManager.getServiceState() == STATE.INITED && attempt < 60; attempt++) {
        LOG.info("Waiting for RM to start...");
        Thread.sleep(1500);
    }
    if (resourceManager.getServiceState() != STATE.STARTED) {
        // RM could have failed.
        throw new IOException("ResourceManager failed to start. Final state is " + resourceManager.getServiceState());
    }
    // The proxy is created inside doAs so that it is obtained as APP_OWNER.
    UserGroupInformation appOwner = UserGroupInformation.createRemoteUser(APP_OWNER);
    rmClient = appOwner.doAs((PrivilegedExceptionAction<ApplicationClientProtocol>) () ->
            (ApplicationClientProtocol) rpc.getProxy(ApplicationClientProtocol.class, rmAddress, conf));
}
Also used : AccessControlList(org.apache.hadoop.security.authorize.AccessControlList) RMStateStore(org.apache.hadoop.yarn.server.resourcemanager.recovery.RMStateStore) YarnConfiguration(org.apache.hadoop.yarn.conf.YarnConfiguration) Configuration(org.apache.hadoop.conf.Configuration) IOException(java.io.IOException) PrivilegedExceptionAction(java.security.PrivilegedExceptionAction) ApplicationClientProtocol(org.apache.hadoop.yarn.api.ApplicationClientProtocol) Answer(org.mockito.stubbing.Answer) InvocationOnMock(org.mockito.invocation.InvocationOnMock) QueueACLsManager(org.apache.hadoop.yarn.server.resourcemanager.security.QueueACLsManager) ResourceScheduler(org.apache.hadoop.yarn.server.resourcemanager.scheduler.ResourceScheduler) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) BeforeClass(org.junit.BeforeClass)

Example 8 with QueueACLsManager

use of org.apache.hadoop.yarn.server.resourcemanager.security.QueueACLsManager in project hadoop by apache.

the class TestClientRMService method testMoveApplicationSubmitTargetQueue.

/**
 * Checks that moving an application to another queue is authorized against the target queue.
 *
 * <p>Three outcomes are covered: the move succeeds for the ACL user on the allowed queue, it
 * is rejected with an {@link AccessControlException} cause for a queue outside the ACL, and
 * it is rejected with the same cause when the caller is not the ACL user.
 *
 * @throws Exception if a move that is expected to succeed fails
 */
@Test
public void testMoveApplicationSubmitTargetQueue() throws Exception {
    ApplicationId appId = getApplicationId(1);

    // Case 1: the current user is the user named in the queue ACL.
    UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
    QueueACLsManager ownerQueueAcls = getQueueAclManager("allowed_queue", QueueACL.SUBMIT_APPLICATIONS, currentUser);
    ApplicationACLsManager ownerAppAcls = getAppAclManager();
    ClientRMService ownerService = createClientRMServiceForMoveApplicationRequest(appId, currentUser.getShortUserName(), ownerAppAcls, ownerQueueAcls);

    // Target queue is covered by the ACL: the move must go through.
    MoveApplicationAcrossQueuesRequest allowedMove = MoveApplicationAcrossQueuesRequest.newInstance(appId, "allowed_queue");
    ownerService.moveApplicationAcrossQueues(allowedMove);

    // Target queue is not covered by the ACL: the move must be denied.
    MoveApplicationAcrossQueuesRequest deniedMove = MoveApplicationAcrossQueuesRequest.newInstance(appId, "not_allowed");
    try {
        ownerService.moveApplicationAcrossQueues(deniedMove);
        Assert.fail("The request should fail with an AccessControlException");
    } catch (YarnException denied) {
        boolean causedByAcl = denied.getCause() instanceof AccessControlException;
        Assert.assertTrue("AccessControlException is expected", causedByAcl);
    }

    // Case 2: the ACL names "moveuser", while the calling thread is still a different user.
    UserGroupInformation moveUser = UserGroupInformation.createUserForTesting("moveuser", new String[0]);
    QueueACLsManager moveUserQueueAcls = getQueueAclManager("move_queue", QueueACL.SUBMIT_APPLICATIONS, moveUser);
    ApplicationACLsManager moveUserAppAcls = getAppAclManager();
    ClientRMService moveUserService = createClientRMServiceForMoveApplicationRequest(appId, moveUser.getShortUserName(), moveUserAppAcls, moveUserQueueAcls);
    MoveApplicationAcrossQueuesRequest moveQueueRequest = MoveApplicationAcrossQueuesRequest.newInstance(appId, "move_queue");

    // Called as a user who is not in the queue ACL: denied.
    try {
        moveUserService.moveApplicationAcrossQueues(moveQueueRequest);
        Assert.fail("The request should fail with an AccessControlException");
    } catch (YarnException denied) {
        boolean causedByAcl = denied.getCause() instanceof AccessControlException;
        Assert.assertTrue("AccessControlException is expected", causedByAcl);
    }

    // Same request executed as the ACL user: allowed. Any exception fails the test.
    moveUser.doAs((PrivilegedExceptionAction<Object>) () ->
            moveUserService.moveApplicationAcrossQueues(moveQueueRequest));
}
Also used : AccessControlException(java.security.AccessControlException) Matchers.anyString(org.mockito.Matchers.anyString) YarnException(org.apache.hadoop.yarn.exceptions.YarnException) ApplicationNotFoundException(org.apache.hadoop.yarn.exceptions.ApplicationNotFoundException) IOException(java.io.IOException) BrokenBarrierException(java.util.concurrent.BrokenBarrierException) AccessControlException(java.security.AccessControlException) YarnException(org.apache.hadoop.yarn.exceptions.YarnException) ApplicationACLsManager(org.apache.hadoop.yarn.server.security.ApplicationACLsManager) MoveApplicationAcrossQueuesRequest(org.apache.hadoop.yarn.api.protocolrecords.MoveApplicationAcrossQueuesRequest) QueueACLsManager(org.apache.hadoop.yarn.server.resourcemanager.security.QueueACLsManager) ApplicationId(org.apache.hadoop.yarn.api.records.ApplicationId) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Test(org.junit.Test)

Example 9 with QueueACLsManager

use of org.apache.hadoop.yarn.server.resourcemanager.security.QueueACLsManager in project hadoop by apache.

the class TestClientRMService method testNonExistingQueue.

/**
 * Expects a {@code YarnException} when an application is moved to "unknown_queue".
 *
 * <p>With {@code expected = YarnException.class} the test passes if that exception is thrown
 * anywhere in the body, not only by the final move call.
 *
 * @throws Exception the expected {@code YarnException}, or any fixture failure
 */
@Test(expected = YarnException.class)
public void testNonExistingQueue() throws Exception {
    ApplicationId appId = getApplicationId(1);
    UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
    QueueACLsManager queueAcls = getQueueAclManager();
    ApplicationACLsManager appAcls = getAppAclManager();
    ClientRMService service = createClientRMServiceForMoveApplicationRequest(appId, currentUser.getShortUserName(), appAcls, queueAcls);
    // The target queue name is one the fixtures are not expected to define.
    service.moveApplicationAcrossQueues(
            MoveApplicationAcrossQueuesRequest.newInstance(appId, "unknown_queue"));
}
Also used : ApplicationACLsManager(org.apache.hadoop.yarn.server.security.ApplicationACLsManager) MoveApplicationAcrossQueuesRequest(org.apache.hadoop.yarn.api.protocolrecords.MoveApplicationAcrossQueuesRequest) QueueACLsManager(org.apache.hadoop.yarn.server.resourcemanager.security.QueueACLsManager) ApplicationId(org.apache.hadoop.yarn.api.records.ApplicationId) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Test(org.junit.Test)

Example 10 with QueueACLsManager

use of org.apache.hadoop.yarn.server.resourcemanager.security.QueueACLsManager in project hadoop by apache.

the class TestClientRMService method getQueueAclManager.

/**
 * Builds a mock {@code QueueACLsManager} that grants access for one user and one ACL type,
 * and in the six-argument overload only for one target queue.
 *
 * <p>Users are compared by short user name. Any other combination is answered with
 * {@code false}.
 *
 * @param allowedQueue the queue to allow the move to; checked only by the six-argument stub
 * @param queueACL the acl to check: submit app or queue admin
 * @param aclUser the user to check
 * @return the stubbed QueueACLsManager
 * @throws IOException declared on the signature (presumably required by the stubbed
 *     checkAccess calls - confirm)
 */
private QueueACLsManager getQueueAclManager(String allowedQueue, QueueACL queueACL, UserGroupInformation aclUser) throws IOException {
    QueueACLsManager aclMock = mock(QueueACLsManager.class);

    // Five-argument overload: decided on ACL type and user only, the queue is not checked.
    when(aclMock.checkAccess(any(UserGroupInformation.class), any(QueueACL.class), any(RMApp.class), any(String.class), anyListOf(String.class))).thenAnswer(invocation -> {
        Object[] args = invocation.getArguments();
        UserGroupInformation caller = (UserGroupInformation) args[0];
        QueueACL requestedAcl = (QueueACL) args[1];
        return queueACL.equals(requestedAcl)
                && aclUser.getShortUserName().equals(caller.getShortUserName());
    });

    // Six-argument overload: the last argument must also equal allowedQueue.
    when(aclMock.checkAccess(any(UserGroupInformation.class), any(QueueACL.class), any(RMApp.class), any(String.class), anyListOf(String.class), any(String.class))).thenAnswer(invocation -> {
        Object[] args = invocation.getArguments();
        UserGroupInformation caller = (UserGroupInformation) args[0];
        QueueACL requestedAcl = (QueueACL) args[1];
        String targetQueue = (String) args[5];
        return allowedQueue.equals(targetQueue)
                && queueACL.equals(requestedAcl)
                && aclUser.getShortUserName().equals(caller.getShortUserName());
    });
    return aclMock;
}
Also used : RMApp(org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp) InvocationOnMock(org.mockito.invocation.InvocationOnMock) QueueACLsManager(org.apache.hadoop.yarn.server.resourcemanager.security.QueueACLsManager) QueueACL(org.apache.hadoop.yarn.api.records.QueueACL) Matchers.anyString(org.mockito.Matchers.anyString) Matchers.anyBoolean(org.mockito.Matchers.anyBoolean) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Aggregations

UserGroupInformation (org.apache.hadoop.security.UserGroupInformation)10 QueueACLsManager (org.apache.hadoop.yarn.server.resourcemanager.security.QueueACLsManager)10 Matchers.anyString (org.mockito.Matchers.anyString)8 ApplicationId (org.apache.hadoop.yarn.api.records.ApplicationId)7 ApplicationACLsManager (org.apache.hadoop.yarn.server.security.ApplicationACLsManager)7 QueueACL (org.apache.hadoop.yarn.api.records.QueueACL)6 RMApp (org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp)6 Test (org.junit.Test)6 Configuration (org.apache.hadoop.conf.Configuration)4 YarnConfiguration (org.apache.hadoop.yarn.conf.YarnConfiguration)4 YarnScheduler (org.apache.hadoop.yarn.server.resourcemanager.scheduler.YarnScheduler)4 IOException (java.io.IOException)3 MoveApplicationAcrossQueuesRequest (org.apache.hadoop.yarn.api.protocolrecords.MoveApplicationAcrossQueuesRequest)3 Event (org.apache.hadoop.yarn.event.Event)3 YarnException (org.apache.hadoop.yarn.exceptions.YarnException)3 RMStateStore (org.apache.hadoop.yarn.server.resourcemanager.recovery.RMStateStore)3 RMAppEvent (org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppEvent)3 CapacitySchedulerConfiguration (org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.CapacitySchedulerConfiguration)3 AccessControlException (java.security.AccessControlException)2 HashSet (java.util.HashSet)2