Repository: falcon Updated Branches: refs/heads/master aba79aae2 -> a36946101
FALCON-1916 Allow RM principal to be specified in Cluster entity When we have clusters setup with individual security domains with cross realm trusts, the RM principal needs to be specified explicitly to disambiguate the realm of the resource manager of the corresponding cluster entities. This patch allows RM principal to be set and processed from the cluster properties Author: Venkat Ranganathan <[email protected]> Reviewers: "Venkatesan Ramachandran <[email protected]>" Closes #111 from vrangan/master Project: http://git-wip-us.apache.org/repos/asf/falcon/repo Commit: http://git-wip-us.apache.org/repos/asf/falcon/commit/a3694610 Tree: http://git-wip-us.apache.org/repos/asf/falcon/tree/a3694610 Diff: http://git-wip-us.apache.org/repos/asf/falcon/diff/a3694610 Branch: refs/heads/master Commit: a369461011bc41805f9b0736a2748366794cd8af Parents: aba79aa Author: Venkat Ranganathan <[email protected]> Authored: Thu Apr 21 16:50:44 2016 -0700 Committer: bvellanki <[email protected]> Committed: Thu Apr 21 16:50:44 2016 -0700 ---------------------------------------------------------------------- .../falcon/entity/parser/ClusterEntityParser.java | 3 ++- .../org/apache/falcon/hadoop/HadoopClientFactory.java | 13 +++++++++++-- .../java/org/apache/falcon/security/SecurityUtil.java | 7 +++++++ 3 files changed, 20 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/falcon/blob/a3694610/common/src/main/java/org/apache/falcon/entity/parser/ClusterEntityParser.java ---------------------------------------------------------------------- diff --git a/common/src/main/java/org/apache/falcon/entity/parser/ClusterEntityParser.java b/common/src/main/java/org/apache/falcon/entity/parser/ClusterEntityParser.java index 87db536..c3bdf3b 100644 --- a/common/src/main/java/org/apache/falcon/entity/parser/ClusterEntityParser.java 
+++ b/common/src/main/java/org/apache/falcon/entity/parser/ClusterEntityParser.java @@ -151,7 +151,8 @@ public class ClusterEntityParser extends EntityParser<Cluster> { LOG.info("Validating execute interface: {}", executeUrl); try { - HadoopClientFactory.get().validateJobClient(executeUrl); + String rmPrincipal = ClusterHelper.getPropertyValue(cluster, SecurityUtil.RM_PRINCIPAL); + HadoopClientFactory.get().validateJobClient(executeUrl, rmPrincipal); } catch (IOException e) { throw new ValidationException("Invalid Execute server or port: " + executeUrl, e); } http://git-wip-us.apache.org/repos/asf/falcon/blob/a3694610/common/src/main/java/org/apache/falcon/hadoop/HadoopClientFactory.java ---------------------------------------------------------------------- diff --git a/common/src/main/java/org/apache/falcon/hadoop/HadoopClientFactory.java b/common/src/main/java/org/apache/falcon/hadoop/HadoopClientFactory.java index 3d6b16b..d70c4b9 100644 --- a/common/src/main/java/org/apache/falcon/hadoop/HadoopClientFactory.java +++ b/common/src/main/java/org/apache/falcon/hadoop/HadoopClientFactory.java @@ -19,6 +19,7 @@ package org.apache.falcon.hadoop; import org.apache.commons.lang.Validate; +import org.apache.commons.lang3.StringUtils; import org.apache.falcon.FalconException; import org.apache.falcon.security.CurrentUser; import org.apache.falcon.security.SecurityUtil; 
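Review bot: A wrong or mistyped RM principal will now be reported as "Invalid Execute server or port", because the unchanged `catch (IOException e)` after the new call still names only `executeUrl`. The value is read from the cluster entity's properties and, when security is enabled, is set in the job configuration as the Resource Manager's Kerberos principal, so the failure should name it: `throw new ValidationException("Invalid Execute server, port or RM principal: " + executeUrl + ", principal: " + rmPrincipal, e);`. It would also help to reject a value that is not in `service/host@REALM` form here in the parser, before any connection is attempted, and to log the principal next to the existing `LOG.info` for the execute URL. The enclosing validation method starts and ends outside the hunk.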
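Review bot: The new import takes `StringUtils` from `org.apache.commons.lang3` while the line above it imports `Validate` from `org.apache.commons.lang`, so this file now depends on two generations of the same library. `import org.apache.commons.lang.StringUtils;` offers the same `isNotEmpty`/`isNotBlank` checks and would keep the file on one version. Whether lang3 is already a declared dependency of this module is not visible in the diff, so this is worth confirming against the build file.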
@@ -277,11 +278,19 @@ public final class HadoopClientFactory { * @param executeUrl jt url or RM url * @throws IOException */ - public void validateJobClient(String executeUrl) throws IOException { + public void validateJobClient(String executeUrl, String rmPrincipal) throws IOException { final JobConf jobConf = new JobConf(); jobConf.set(MR_JT_ADDRESS_KEY, executeUrl); jobConf.set(YARN_RM_ADDRESS_KEY, executeUrl); - + /** + * It is possible that the RM/JT principal can be different between clusters, + * for example, the cluster is using a different KDC with cross-domain trust + * with the Falcon KDC. in that case, we want to allow the user to provide + * the RM principal similar to NN principal. + */ + if (UserGroupInformation.isSecurityEnabled() && StringUtils.isNotEmpty(rmPrincipal)) { + jobConf.set(SecurityUtil.RM_PRINCIPAL, rmPrincipal); + } UserGroupInformation loginUser = UserGroupInformation.getLoginUser(); try { JobClient jobClient = loginUser.doAs(new PrivilegedExceptionAction<JobClient>() { http://git-wip-us.apache.org/repos/asf/falcon/blob/a3694610/common/src/main/java/org/apache/falcon/security/SecurityUtil.java ---------------------------------------------------------------------- diff --git a/common/src/main/java/org/apache/falcon/security/SecurityUtil.java b/common/src/main/java/org/apache/falcon/security/SecurityUtil.java index c187358..fe04c40 100644 --- a/common/src/main/java/org/apache/falcon/security/SecurityUtil.java +++ b/common/src/main/java/org/apache/falcon/security/SecurityUtil.java 
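Review bot: `StringUtils.isNotEmpty(rmPrincipal)` accepts a whitespace-only property value, so a blank `yarn.resourcemanager.principal` in a cluster entity would be written into `jobConf` as the RM principal and fail later with an unrelated error; `if (UserGroupInformation.isSecurityEnabled() && StringUtils.isNotBlank(rmPrincipal))` with `jobConf.set(SecurityUtil.RM_PRINCIPAL, rmPrincipal.trim());` is the safer guard. The method's Javadoc still documents only `executeUrl`; it needs `@param rmPrincipal Kerberos principal of the RM, or null/empty to use the default from the server configuration`. The explanatory comment inside the body opens with `/**`, which is Javadoc syntax that attaches to nothing there, so `/*` or `//` lines fit better. Because the one-argument public method is replaced rather than overloaded, any caller outside this diff would stop compiling; keeping `public void validateJobClient(String executeUrl) throws IOException { validateJobClient(executeUrl, null); }` avoids that. The body of `validateJobClient` continues past the end of the hunk.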
@@ -53,6 +53,13 @@ public final class SecurityUtil { public static final String NN_PRINCIPAL = "dfs.namenode.kerberos.principal"; /** + * Constant for the configuration property that indicates the + * Resource Manager principal. This is useful when the remote cluster realm + * (with cross domain trust) or the auth to local rule definition results in a + * different RM principal than in Falcon server cluster. + */ + public static final String RM_PRINCIPAL = "yarn.resourcemanager.principal"; + /** * Constant for the configuration property that indicates the Name node principal. * This is used to talk to Hive Meta Store during parsing and validations only. */
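Review bot: The Javadoc for `RM_PRINCIPAL` says an auth-to-local rule can result in a different RM principal, which looks inaccurate: those rules map a principal to a local short name and, as far as I know, do not change which principal the Resource Manager runs as, so the cross-realm case is the one that applies. I would reword it to say the property is read from the cluster entity's properties, is applied only when security is enabled, and is expected in fully qualified `service/host@REALM` form. A blank line between the new constant and the following `/**` would also match the spacing of the `NN_PRINCIPAL` declaration above.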
