YARN-3804. Both RM are on standBy state when kerberos user not in yarn.admin.acl. Contributed by Varun Saxena
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/a826d432 Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/a826d432 Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/a826d432 Branch: refs/heads/HDFS-7240 Commit: a826d432f9b45550cc5ab79ef63ca39b176dabb2 Parents: 2de586f Author: Xuan <[email protected]> Authored: Wed Jun 17 16:23:27 2015 -0700 Committer: Xuan <[email protected]> Committed: Wed Jun 17 16:23:27 2015 -0700 ---------------------------------------------------------------------- hadoop-yarn-project/CHANGES.txt | 3 ++ .../server/resourcemanager/AdminService.java | 19 +++++--- .../resourcemanager/TestRMAdminService.java | 49 +++++++++++++++++++- 3 files changed, 63 insertions(+), 8 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/a826d432/hadoop-yarn-project/CHANGES.txt ---------------------------------------------------------------------- diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt index afe76bd..243edb3 100644 --- a/hadoop-yarn-project/CHANGES.txt +++ b/hadoop-yarn-project/CHANGES.txt @@ -681,6 +681,9 @@ Release 2.7.1 - UNRELEASED YARN-3764. CapacityScheduler should forbid moving LeafQueue from one parent to another. (Wangda Tan via jianhe) + YARN-3804. Both RM are on standBy state when kerberos user not in yarn.admin.acl + (Varun Saxena via xgong) + Release 2.7.0 - 2015-04-20 INCOMPATIBLE CHANGES http://git-wip-us.apache.org/repos/asf/hadoop/blob/a826d432/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/AdminService.java ---------------------------------------------------------------------- 
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/AdminService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/AdminService.java index 1ee8b3b..e5bb6e5 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/AdminService.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/AdminService.java @@ -112,6 +112,8 @@ public class AdminService extends CompositeService implements private final RecordFactory recordFactory = RecordFactoryProvider.getRecordFactory(null); + private UserGroupInformation daemonUser; + @VisibleForTesting boolean isDistributedNodeLabelConfiguration = false; @@ -138,10 +140,9 @@ public class AdminService extends CompositeService implements YarnConfiguration.RM_ADMIN_ADDRESS, YarnConfiguration.DEFAULT_RM_ADMIN_ADDRESS, YarnConfiguration.DEFAULT_RM_ADMIN_PORT); + daemonUser = UserGroupInformation.getCurrentUser(); authorizer = YarnAuthorizationProvider.getInstance(conf); - authorizer.setAdmins(new AccessControlList(conf.get( - YarnConfiguration.YARN_ADMIN_ACL, - YarnConfiguration.DEFAULT_YARN_ADMIN_ACL)), UserGroupInformation + authorizer.setAdmins(getAdminAclList(conf), UserGroupInformation .getCurrentUser()); rmId = conf.get(YarnConfiguration.RM_HA_ID); 
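Review bot: In the serviceInit hunk (-138) the second argument to `setAdmins` still calls `UserGroupInformation.getCurrentUser()`, although that value was stored in `daemonUser` one line earlier. Passing the stored identity keeps the user appended to the ACL and the user handed to the authorizer from drifting apart: `authorizer.setAdmins(getAdminAclList(conf), daemonUser);`. The same pattern is kept in the refreshAdminAcls hunk (-470), where the call is evaluated at request time rather than at init. If the RPC layer runs handlers under the remote caller's identity, that argument would be the caller rather than the daemon, which is worth confirming against the authorizer implementations in use. serviceInit's body starts and ends outside the hunk.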
@@ -151,6 +152,14 @@ public class AdminService extends CompositeService implements super.serviceInit(conf); } + private AccessControlList getAdminAclList(Configuration conf) { + AccessControlList aclList = new AccessControlList(conf.get( + YarnConfiguration.YARN_ADMIN_ACL, + YarnConfiguration.DEFAULT_YARN_ADMIN_ACL)); + aclList.addUser(daemonUser.getShortUserName()); + return aclList; + } + @Override protected void serviceStart() throws Exception { startServer(); @@ -470,9 +479,7 @@ public class AdminService extends CompositeService implements Configuration conf = getConfiguration(new Configuration(false), YarnConfiguration.YARN_SITE_CONFIGURATION_FILE); - authorizer.setAdmins(new AccessControlList(conf.get( - YarnConfiguration.YARN_ADMIN_ACL, - YarnConfiguration.DEFAULT_YARN_ADMIN_ACL)), UserGroupInformation + authorizer.setAdmins(getAdminAclList(conf), UserGroupInformation .getCurrentUser()); RMAuditLogger.logSuccess(user.getShortUserName(), argName, "AdminService"); http://git-wip-us.apache.org/repos/asf/hadoop/blob/a826d432/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMAdminService.java ---------------------------------------------------------------------- diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMAdminService.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMAdminService.java index fe0b8a8..0a05c91 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMAdminService.java 
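Review bot: `getAdminAclList` grants admin rights that the operator never configured, and nothing in the hunk documents or reports it: `aclList.addUser(daemonUser.getShortUserName())` appends the daemon's short name to whatever `yarn.admin.acl` contains. An operator auditing that property will not see the extra entry, and deliberately leaving the service account out has no effect. A Javadoc on the helper would help, for example `/** Builds the admin ACL from yarn.admin.acl and always appends the RM daemon's short user name, so the RM can run its own refresh calls during HA transitions. */`, together with a matching sentence in the property's description. The entry is a short name, so presumably any principal that the name-mapping rules reduce to the same short name is admitted as well. That should be stated in the same comment once confirmed.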
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMAdminService.java @@ -38,12 +38,14 @@ import org.apache.hadoop.fs.Path; import org.apache.hadoop.ha.HAServiceProtocol; import org.apache.hadoop.ha.HAServiceProtocol.HAServiceState; import org.apache.hadoop.ha.HAServiceProtocol.StateChangeRequestInfo; +import org.apache.hadoop.security.AccessControlException; import org.apache.hadoop.security.GroupMappingServiceProvider; import org.apache.hadoop.security.Groups; import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.authorize.AccessControlList; import org.apache.hadoop.security.authorize.ProxyUsers; import org.apache.hadoop.security.authorize.ServiceAuthorizationManager; +import org.apache.hadoop.yarn.LocalConfigurationProvider; import org.apache.hadoop.yarn.api.records.DecommissionType; import org.apache.hadoop.yarn.api.records.NodeId; import org.apache.hadoop.yarn.conf.HAUtil; @@ -208,7 +210,8 @@ public class TestRMAdminService { rm.adminService.getAccessControlList().getAclString().trim(); Assert.assertTrue(!aclStringAfter.equals(aclStringBefore)); - Assert.assertEquals(aclStringAfter, "world:anyone:rwcda"); + Assert.assertEquals(aclStringAfter, "world:anyone:rwcda," + + UserGroupInformation.getCurrentUser().getShortUserName()); } @Test @@ -695,7 +698,8 @@ public class TestRMAdminService { String aclStringAfter = resourceManager.adminService.getAccessControlList() .getAclString().trim(); - Assert.assertEquals(aclStringAfter, "world:anyone:rwcda"); + Assert.assertEquals(aclStringAfter, "world:anyone:rwcda," + + UserGroupInformation.getCurrentUser().getShortUserName()); // validate values for queue configuration CapacityScheduler cs = 
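Review bot: The rewritten assertion in the -208 hunk, and its twin in the -695 hunk, still passes the observed value in the expected slot: `Assert.assertEquals(aclStringAfter, "world:anyone:rwcda," + ...)`. JUnit's order is (expected, actual), so a failure report would label the two strings the wrong way round. Since both lines are being rewritten anyway, they could become `Assert.assertEquals("world:anyone:rwcda," + UserGroupInformation.getCurrentUser().getShortUserName(), aclStringAfter);`. Both enclosing test methods start and end outside their hunks.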
@@ -761,6 +765,47 @@ public class TestRMAdminService { } } + /* For verifying fix for YARN-3804 */ + @Test + public void testRefreshAclWithDaemonUser() throws Exception { + String daemonUser = + UserGroupInformation.getCurrentUser().getShortUserName(); + configuration.set(YarnConfiguration.RM_CONFIGURATION_PROVIDER_CLASS, + "org.apache.hadoop.yarn.FileSystemBasedConfigurationProvider"); + + uploadDefaultConfiguration(); + YarnConfiguration yarnConf = new YarnConfiguration(); + yarnConf.set(YarnConfiguration.YARN_ADMIN_ACL, daemonUser + "xyz"); + uploadConfiguration(yarnConf, "yarn-site.xml"); + + try { + rm = new MockRM(configuration); + rm.init(configuration); + rm.start(); + } catch(Exception ex) { + fail("Should not get any exceptions"); + } + + assertEquals(daemonUser + "xyz," + daemonUser, + rm.adminService.getAccessControlList().getAclString().trim()); + + yarnConf = new YarnConfiguration(); + yarnConf.set(YarnConfiguration.YARN_ADMIN_ACL, daemonUser + "abc"); + uploadConfiguration(yarnConf, "yarn-site.xml"); + try { + rm.adminService.refreshAdminAcls(RefreshAdminAclsRequest.newInstance()); + } catch (YarnException e) { + if (e.getCause() != null && + e.getCause() instanceof AccessControlException) { + fail("Refresh should not have failed due to incorrect ACL"); + } + throw e; + } + + assertEquals(daemonUser + "abc," + daemonUser, + rm.adminService.getAccessControlList().getAclString().trim()); + } + @Test public void testModifyLabelsOnNodesWithDistributedConfigurationDisabled() throws IOException, YarnException {
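Review bot: `testRefreshAclWithDaemonUser` only shows that the daemon user is appended to the ACL string and that a refresh issued as that same user succeeds. It never checks that a user named in neither ACL value is still refused, so a regression that widened the admin ACL further would pass. A second case that calls `refreshAdminAcls` as an unrelated test user and expects an `AccessControlException` cause would pin the authorization boundary. Separately, `catch(Exception ex) { fail("Should not get any exceptions"); }` discards the original exception. The method already declares `throws Exception`, so the try/catch around `rm.init`/`rm.start` can be dropped to let the real stack trace fail the test.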
