Author: sseth Date: Wed Feb 29 20:50:02 2012 New Revision: 1295263 URL: http://svn.apache.org/viewvc?rev=1295263&view=rev Log: merge MAPREDUCE-3903 from trunk
Added: hadoop/common/branches/branch-0.23/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/test/java/org/apache/hadoop/mapred/TestJobAclsManager.java - copied unchanged from r1295262, hadoop/common/trunk/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/test/java/org/apache/hadoop/mapred/TestJobAclsManager.java Modified: hadoop/common/branches/branch-0.23/hadoop-mapreduce-project/CHANGES.txt hadoop/common/branches/branch-0.23/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/JobACLsManager.java hadoop/common/branches/branch-0.23/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/HistoryClientService.java hadoop/common/branches/branch-0.23/hadoop-mapreduce-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java hadoop/common/branches/branch-0.23/hadoop-mapreduce-project/hadoop-yarn/hadoop-yarn-site/src/site/apt/ClusterSetup.apt.vm Modified: hadoop/common/branches/branch-0.23/hadoop-mapreduce-project/CHANGES.txt URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.23/hadoop-mapreduce-project/CHANGES.txt?rev=1295263&r1=1295262&r2=1295263&view=diff ============================================================================== --- hadoop/common/branches/branch-0.23/hadoop-mapreduce-project/CHANGES.txt (original) +++ hadoop/common/branches/branch-0.23/hadoop-mapreduce-project/CHANGES.txt Wed Feb 29 20:50:02 2012 
@@ -146,6 +146,9 @@ Release 0.23.2 - UNRELEASED MAPREDUCE-3920. Revise yarn default port number selection (Dave Thompson via tgraves) + MAPREDUCE-3903. Add support for mapreduce admin users. (Thomas Graves via + sseth) + Release 0.23.1 - 2012-02-17 NEW FEATURES Modified: hadoop/common/branches/branch-0.23/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/JobACLsManager.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.23/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/JobACLsManager.java?rev=1295263&r1=1295262&r2=1295263&view=diff ============================================================================== --- hadoop/common/branches/branch-0.23/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/JobACLsManager.java (original) +++ hadoop/common/branches/branch-0.23/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/JobACLsManager.java Wed Feb 29 20:50:02 2012 @@ -20,6 +20,8 @@ package org.apache.hadoop.mapred; import java.util.HashMap; import java.util.Map; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; import org.apache.hadoop.classification.InterfaceAudience; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.mapreduce.JobACL; @@ -31,9 +33,12 @@ import org.apache.hadoop.security.author @InterfaceAudience.Private public class JobACLsManager { + static final Log LOG = LogFactory.getLog(JobACLsManager.class); Configuration conf; + private final AccessControlList adminAcl; public JobACLsManager(Configuration conf) { + adminAcl = new AccessControlList(conf.get(MRConfig.MR_ADMINS, " ")); this.conf = conf; } 
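Review bot: In the JobACLsManager constructor hunk, the `" "` default passed to `conf.get(MRConfig.MR_ADMINS, " ")` is an unexplained magic value that decides who gets the admin bypass. As far as I can tell AccessControlList treats a single space as an empty list, so the default is "no admins", which is the safe choice. Please state that next to the call, e.g. `// " " = empty ACL: nobody is an MR admin unless mapreduce.cluster.administrators is set`. The ACL is also built once at construction, so a later change to the setting presumably only takes effect in a new JobACLsManager; the field comment should mention this. `LOG` could be `private static final` unless another class in the package needs it. The class body continues outside the hunk.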
@@ -72,6 +77,18 @@ public class JobACLsManager { } /** + * Is the calling user an admin for the mapreduce cluster + * i.e. member of mapreduce.cluster.administrators + * @return true, if user is an admin + */ + boolean isMRAdmin(UserGroupInformation callerUGI) { + if (adminAcl.isUserAllowed(callerUGI)) { + return true; + } + return false; + } + + /** * If authorization is enabled, checks whether the user (in the callerUGI) * is authorized to perform the operation specified by 'jobOperation' on * the job by checking if the user is jobOwner or part of job ACL for the 
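Review bot: The new `isMRAdmin` wraps a boolean in an `if`/`return true`/`return false` ladder; the body can be the single line `return adminAcl.isUserAllowed(callerUGI);`. The Javadoc has `@return` but no `@param callerUGI`. Since this method decides an authorization bypass, the Javadoc should also say that the answer comes from the ACL captured in the constructor and that `callerUGI` must be non-null.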
@@ -89,13 +106,18 @@ public class JobACLsManager { public boolean checkAccess(UserGroupInformation callerUGI, JobACL jobOperation, String jobOwner, AccessControlList jobACL) { + if (LOG.isDebugEnabled()) { + LOG.debug("checkAccess job acls, jobOwner: " + jobOwner + " jobacl: " + + jobOperation.toString() + " user: " + callerUGI.getShortUserName()); + } String user = callerUGI.getShortUserName(); if (!areACLsEnabled()) { return true; } // Allow Job-owner for any operation on the job - if (user.equals(jobOwner) + if (isMRAdmin(callerUGI) + || user.equals(jobOwner) || jobACL.isUserAllowed(callerUGI)) { return true; } Modified: hadoop/common/branches/branch-0.23/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/HistoryClientService.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.23/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/HistoryClientService.java?rev=1295263&r1=1295262&r2=1295263&view=diff ============================================================================== --- hadoop/common/branches/branch-0.23/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/HistoryClientService.java (original) +++ hadoop/common/branches/branch-0.23/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-hs/src/main/java/org/apache/hadoop/mapreduce/v2/hs/HistoryClientService.java Wed Feb 29 20:50:02 2012 @@ -192,7 +192,6 @@ public class HistoryClientService extend throw RPCUtil.getRemoteException("Unknown job " + jobID); } JobACL operation = JobACL.VIEW_JOB; - //TODO disable check access for now. checkAccess(job, operation); return job; } 
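Review bot: In the JobACLsManager.checkAccess hunk, the debug message labels the value `jobacl:` but prints `jobOperation`, which will mislead anyone reading these logs during an access investigation. I would write `" operation: " + jobOperation`; dropping `.toString()` also avoids a NullPointerException on a null operation before the ACLs-enabled check runs. The comment `// Allow Job-owner for any operation on the job` is now stale, because admins pass first; something like `// Allow MR admins, the job owner and members of the job ACL` matches the condition. `callerUGI.getShortUserName()` is evaluated twice, so `String user = ...` can move above the debug block and be reused. An admin grant is not distinguishable from an owner or ACL grant in the log, so consider logging which branch allowed the call. The method continues outside the hunk.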
@@ -324,9 +323,7 @@ public class HistoryClientService extend private void checkAccess(Job job, JobACL jobOperation) throws YarnRemoteException { - if (!UserGroupInformation.isSecurityEnabled()) { - return; - } + UserGroupInformation callerUGI; try { callerUGI = UserGroupInformation.getCurrentUser(); Modified: hadoop/common/branches/branch-0.23/hadoop-mapreduce-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.23/hadoop-mapreduce-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java?rev=1295263&r1=1295262&r2=1295263&view=diff ============================================================================== --- hadoop/common/branches/branch-0.23/hadoop-mapreduce-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java (original) +++ hadoop/common/branches/branch-0.23/hadoop-mapreduce-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java Wed Feb 29 20:50:02 2012 
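Review bot: With the `isSecurityEnabled()` early return gone, HistoryClientService.checkAccess now runs on every call, but nothing in the method documents what that means when security is off. In that mode the name returned by `UserGroupInformation.getCurrentUser()` is presumably not authenticated, so the check would rest on a client-asserted identity; please confirm. A short comment at the top of the method would record this, e.g. `// Runs even when security is disabled; the caller name is then unauthenticated, so the ACL result is advisory.` The added line at the start of the body is blank and can be dropped. The rest of the method is outside the hunk.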
@@ -140,7 +140,7 @@ public class YarnConfiguration extends C /** Are acls enabled.*/ public static final String YARN_ACL_ENABLE = YARN_PREFIX + "acl.enable"; - public static final boolean DEFAULT_YARN_ACL_ENABLE = true; + public static final boolean DEFAULT_YARN_ACL_ENABLE = false; /** ACL of who can be admin of YARN cluster.*/ public static final String YARN_ADMIN_ACL = Modified: hadoop/common/branches/branch-0.23/hadoop-mapreduce-project/hadoop-yarn/hadoop-yarn-site/src/site/apt/ClusterSetup.apt.vm URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.23/hadoop-mapreduce-project/hadoop-yarn/hadoop-yarn-site/src/site/apt/ClusterSetup.apt.vm?rev=1295263&r1=1295262&r2=1295263&view=diff ============================================================================== --- hadoop/common/branches/branch-0.23/hadoop-mapreduce-project/hadoop-yarn/hadoop-yarn-site/src/site/apt/ClusterSetup.apt.vm (original) +++ hadoop/common/branches/branch-0.23/hadoop-mapreduce-project/hadoop-yarn/hadoop-yarn-site/src/site/apt/ClusterSetup.apt.vm Wed Feb 29 20:50:02 2012 @@ -185,7 +185,7 @@ Hadoop MapReduce Next Generation - Clust *-------------------------+-------------------------+------------------------+ | <<<yarn.acl.enable>>> | | | | | <<<true>>> / <<<false>>> | | -| | | Enable ACLs? Defaults to <true>. | +| | | Enable ACLs? Defaults to <false>. | *-------------------------+-------------------------+------------------------+ | <<<yarn.admin.acl>>> | | | | | Admin ACL | |
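Review bot: In the YarnConfiguration hunk, `DEFAULT_YARN_ACL_ENABLE = false` makes ACL enforcement opt-in, yet the Javadoc above the key still reads only `/** Are acls enabled.*/`. A deployment that never set `yarn.acl.enable` and relied on the old `true` default would presumably stop enforcing YARN ACLs after picking up this revision, with no configuration change to signal it. The consumers of the constant are not visible here. I would document the default and its consequence on the constant, e.g. `/** Are acls enabled. Defaults to false: ACLs are not enforced unless this is set to true. */`. The flip also deserves to be called out as a behaviour change for operators, separately from the admin-users feature.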