Java Code Examples for org.apache.hadoop.security.UserGroupInformation#isSecurityEnabled()

The following examples show how to use org.apache.hadoop.security.UserGroupInformation#isSecurityEnabled().
Example 1
Source File: TestRMAppAttemptTransitions.java    From hadoop with Apache License 2.0
/**
 * Asserts what an attempt looks like once it has reached
 * {@link RMAppAttemptState#SUBMITTED}: no diagnostics, no containers, no
 * final status, and no client token can be minted yet.
 */
private void testAppAttemptSubmittedState() {
  // State and bookkeeping of a freshly submitted attempt.
  assertEquals(RMAppAttemptState.SUBMITTED,
      applicationAttempt.getAppAttemptState());
  assertEquals(0, applicationAttempt.getDiagnostics().length());
  assertEquals(0, applicationAttempt.getJustFinishedContainers().size());
  assertNull(applicationAttempt.getMasterContainer());
  assertEquals(0.0, (double) applicationAttempt.getProgress(), 0.0001);
  assertEquals(0, application.getRanNodes().size());
  assertNull(applicationAttempt.getFinalApplicationStatus());

  final boolean secureCluster = UserGroupInformation.isSecurityEnabled();
  if (secureCluster) {
    // In secure mode the master key must have been created for this attempt ...
    verify(clientToAMTokenManager).createMasterKey(
        applicationAttempt.getAppAttemptId());
    // ... but a ClientToken cannot be issued yet, because the
    // ClientTokenMasterKey has not been registered in the SecretManager.
    assertNull(applicationAttempt.createClientToken("some client"));
  }
  // A null client name yields no token, whether or not security is enabled.
  assertNull(applicationAttempt.createClientToken(null));

  // Events: the attempt was registered with the master service and the
  // scheduler was told about it.
  verify(masterService)
      .registerAppAttempt(applicationAttempt.getAppAttemptId());
  verify(scheduler).handle(any(AppAttemptAddedSchedulerEvent.class));
}
 
Example 2
Source File: SecureExecutor.java    From attic-apex-core with Apache License 2.0
/**
 * Runs {@code workLoad} and returns its result. When Hadoop security is
 * enabled the workload runs inside {@code doAs} of the login user; otherwise
 * it runs directly in the caller's context.
 *
 * @param workLoad the work to run
 * @return whatever {@code workLoad.run()} returns
 * @throws IOException declared by the signature; looking up the login user is
 *     the call in this method that can raise it
 */
public static <T> T execute(final SecureExecutor.WorkLoad<T> workLoad) throws IOException
{
  if (!UserGroupInformation.isSecurityEnabled()) {
    // Security is off: there is no login identity to switch to.
    return workLoad.run();
  }

  // Wrap the workload so it executes with the login user's credentials.
  final PrivilegedAction<T> asLoginUser = new PrivilegedAction<T>()
  {
    @Override
    public T run()
    {
      return workLoad.run();
    }
  };
  return UserGroupInformation.getLoginUser().doAs(asLoginUser);
}
 
Example 3
Source File: DefaultLoginUgiProvider.java    From datacollector with Apache License 2.0
/**
 * Resolves the login {@link UserGroupInformation} from the JAAS subject of
 * the current access-control context.
 *
 * <p>The supplied configuration is installed through
 * {@code UserGroupInformation.setConfiguration}, a static call, before the
 * security mode is queried.
 *
 * @param hdfsConfiguration Hadoop configuration to apply
 * @return the UGI built from the subject (security on) or the login user
 *     established from the subject (security off)
 * @throws IOException if the login calls fail
 */
@Override
public UserGroupInformation getLoginUgi(Configuration hdfsConfiguration) throws IOException {
  final Subject subject = Subject.getSubject(AccessController.getContext());

  //HADOOP-13805
  HadoopConfigurationUtils.configureHadoopTreatSubjectExternal(hdfsConfiguration);
  UserGroupInformation.setConfiguration(hdfsConfiguration);

  final UserGroupInformation loginUgi;
  if (!UserGroupInformation.isSecurityEnabled()) {
    UserGroupInformation.loginUserFromSubject(subject);
    loginUgi = UserGroupInformation.getLoginUser();
  } else {
    loginUgi = UserGroupInformation.getUGIFromSubject(subject);
  }

  if (LOG.isDebugEnabled()) {
    // NOTE(review): Subject.toString() can include credential details as well
    // as principals; confirm debug logs for this class are access-controlled.
    final Object principals = (subject == null) ? "null" : subject.getPrincipals();
    LOG.debug(
        "Subject = {}, Principals = {}, Login UGI = {}",
        subject,
        principals,
        loginUgi
    );
  }
  return loginUgi;
}
 
Example 4
Source File: HttpServer2.java    From hadoop with Apache License 2.0
/**
 * Add an internal servlet in the server, specifying whether or not to
 * protect with Kerberos authentication.
 * Note: This method is to be used for adding servlets that facilitate
 * internal communication and not for user facing functionality. For
 * servlets added using this method, filters (except internal Kerberos
 * filters) are not enabled.
 *
 * <p>The SPNEGO filter is mapped only when {@code requireAuth} is true
 * <em>and</em> Hadoop security is enabled; with security off the servlet is
 * registered without it even if {@code requireAuth} is true.
 *
 * @param name The name of the servlet (can be passed as null)
 * @param pathSpec The path spec for the servlet
 * @param clazz The servlet class
 * @param requireAuth Require Kerberos authentication to access the servlet
 */
public void addInternalServlet(String name, String pathSpec,
    Class<? extends HttpServlet> clazz, boolean requireAuth) {
  final ServletHolder servlet = new ServletHolder(clazz);
  if (name != null) {
    servlet.setName(name);
  }
  webAppContext.addServlet(servlet, pathSpec);

  final boolean protectWithSpnego =
      requireAuth && UserGroupInformation.isSecurityEnabled();
  if (!protectWithSpnego) {
    // Either the caller did not ask for auth or the cluster is non-secure:
    // the servlet stays reachable without the Kerberos filter.
    return;
  }

  LOG.info("Adding Kerberos (SPNEGO) filter to " + name);
  final ServletHandler servletHandler = webAppContext.getServletHandler();
  final FilterMapping spnegoMapping = new FilterMapping();
  spnegoMapping.setPathSpec(pathSpec);
  spnegoMapping.setFilterName(SPNEGO_FILTER);
  spnegoMapping.setDispatches(Handler.ALL);
  servletHandler.addFilterMapping(spnegoMapping);
}
 
Example 5
Source File: TimelineReaderFactory.java    From tez with Apache License 2.0
/**
 * Check if timeline client can be supported.
 *
 * <p>On a non-secure cluster the answer is always {@code true}; on a secure
 * cluster it is whatever {@code tokenDelegationSupported()} reports.
 *
 * @return boolean value indicating if timeline client to read data is supported.
 */
public static boolean isTimelineClientSupported() {
  // Support for reading from timeline depends on the hadoop version:
  //  - non-secure clusters: reads are supported from hadoop 2.4 and up;
  //  - secure clusters: reads are supported only from hadoop 2.6, so the
  //    presence of the required classes is checked upfront.
  if (UserGroupInformation.isSecurityEnabled()) {
    return tokenDelegationSupported();
  }
  return true;
}
 
Example 6
Source File: LinuxContainerExecutor.java    From hadoop with Apache License 2.0
/**
 * Rejects a user name that does not match {@code nonsecureLocalUserPattern}
 * when Hadoop security is disabled. With security enabled this method
 * performs no check.
 *
 * <p>{@code Matcher.matches()} requires the whole name to match, so the
 * pattern does not need explicit {@code ^}/{@code $} anchors.
 *
 * @param user the user name to validate
 * @throws IllegalArgumentException if security is off and the name does not
 *     match the pattern
 */
void verifyUsernamePattern(String user) {
  if (UserGroupInformation.isSecurityEnabled()) {
    return;
  }
  final boolean acceptable = nonsecureLocalUserPattern.matcher(user).matches();
  if (acceptable) {
    return;
  }
  // NOTE(review): the rejected name is echoed verbatim in the message; confirm
  // wherever this exception is logged or displayed handles arbitrary characters.
  throw new IllegalArgumentException("Invalid user name '" + user + "'," +
      " it must match '" + nonsecureLocalUserPattern.pattern() + "'");
}
 
Example 7
Source File: LaunchContainerRunnable.java    From Bats with Apache License 2.0
/**
 * Builds the token buffer for a container: a delegation token owned by the
 * login user, with its service set to the heartbeat address as
 * {@code host-address:port}, handed to the two-argument {@code getTokens}.
 *
 * @param delegationTokenManager secret manager used to create the token
 * @param heartbeatAddress address the token's service field is set to
 * @return the token buffer, or {@code null} when security is disabled
 * @throws IOException if the login user cannot be obtained or the delegated
 *     {@code getTokens} call fails
 */
public static ByteBuffer getTokens(StramDelegationTokenManager delegationTokenManager, InetSocketAddress heartbeatAddress) throws IOException
{
  if (!UserGroupInformation.isSecurityEnabled()) {
    // Nothing to hand out on a non-secure cluster; callers receive null.
    return null;
  }

  final UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
  final Text owner = new Text(loginUser.getUserName());
  final StramDelegationTokenIdentifier tokenId = new StramDelegationTokenIdentifier(owner, new Text(""), new Text(""));

  // NOTE(review): getAddress() is null for an unresolved InetSocketAddress;
  // confirm callers always pass a resolved heartbeat address.
  final String hostAndPort = heartbeatAddress.getAddress().getHostAddress() + ":" + heartbeatAddress.getPort();

  final Token<StramDelegationTokenIdentifier> heartbeatToken = new Token<>(tokenId, delegationTokenManager);
  heartbeatToken.setService(new Text(hostAndPort));
  return getTokens(loginUser, heartbeatToken);
}
 
Example 8
Source File: TestRMAppAttemptTransitions.java    From big-c with Apache License 2.0
/**
 * Verifies how many times the token managers were told that the attempt
 * finished, and that no client token can be created afterwards.
 *
 * @param appAttemptId attempt whose clean-up is being verified
 * @param count expected number of clean-up invocations
 */
private void verifyTokenCount(ApplicationAttemptId appAttemptId, int count) {
  verify(amRMTokenManager, times(count)).applicationMasterFinished(appAttemptId);

  if (!UserGroupInformation.isSecurityEnabled()) {
    // The client-to-AM token checks below apply to secure mode only.
    return;
  }

  verify(clientToAMTokenManager, times(count)).unRegisterApplication(appAttemptId);
  final boolean unregisteredAtLeastOnce = count > 0;
  if (unregisteredAtLeastOnce) {
    // Once the application is unregistered, no client token may be issued.
    assertNull(applicationAttempt.createClientToken("client"));
  }
}
 
Example 9
Source File: HadoopSecurity.java    From dr-elephant with Apache License 2.0
/**
 * Loads a default Hadoop configuration, records whether security is enabled
 * and, if it is, reads the keytab user and location from the
 * {@code keytab.user} and {@code keytab.location} system properties before
 * calling {@code checkLogin()}.
 *
 * @throws IOException if security is enabled and the keytab user is unset, or
 *     the keytab location is unset or names a file that does not exist
 */
private HadoopSecurity() throws IOException {
  UserGroupInformation.setConfiguration(new Configuration());
  _securityEnabled = UserGroupInformation.isSecurityEnabled();
  if (!_securityEnabled) {
    return;
  }
  logger.info("This cluster is Kerberos enabled.");

  // Both settings are inspected before failing, so one run reports every
  // missing piece.
  _keytabUser = System.getProperty("keytab.user");
  final boolean userConfigured = (_keytabUser != null);
  if (!userConfigured) {
    logger.error("Keytab user not set. Please set keytab_user in the configuration file");
  }

  _keytabLocation = System.getProperty("keytab.location");
  boolean keytabUsable = true;
  if (_keytabLocation == null) {
    logger.error("Keytab location not set. Please set keytab_location in the configuration file");
    keytabUsable = false;
  } else if (!new File(_keytabLocation).exists()) {
    // NOTE(review): only existence is checked here; the file's permissions and
    // ownership are not inspected by this constructor.
    logger.error("The keytab file at location [" + _keytabLocation + "] does not exist.");
    keytabUsable = false;
  }

  if (!(userConfigured && keytabUsable)) {
    throw new IOException("Cannot login. This cluster is security enabled.");
  }

  checkLogin();
}
 
Example 10
Source File: HttpServer2.java    From lucene-solr with Apache License 2.0
/**
 * Add an internal servlet in the server, specifying whether or not to
 * protect with Kerberos authentication.
 * Note: This method is to be used for adding servlets that facilitate
 * internal communication and not for user facing functionality. For
 * servlets added using this method, filters (except internal Kerberos
 * filters) are not enabled.
 *
 * <p>If a servlet is already mapped at {@code pathSpec}, that mapping is
 * removed first and the new servlet takes its place. The SPNEGO filter is
 * mapped only when {@code requireAuth} is true <em>and</em> Hadoop security is
 * enabled.
 *
 * @param name The name of the servlet (can be passed as null)
 * @param pathSpec The path spec for the servlet
 * @param clazz The servlet class
 * @param requireAuth Require Kerberos authentication to access the servlet
 */
public void addInternalServlet(String name, String pathSpec,
                               Class<? extends HttpServlet> clazz, boolean requireAuth) {
  final ServletHolder servlet = new ServletHolder(clazz);
  if (name != null) {
    servlet.setName(name);
  }

  // Jetty doesn't like the same path spec mapping to different servlets, so
  // drop the first existing mapping for this pathSpec and assume the newest
  // servlet is the one we want.
  final ServletMapping[] currentMappings =
      webAppContext.getServletHandler().getServletMappings();
  for (ServletMapping existing : currentMappings) {
    if (!existing.containsPathSpec(pathSpec)) {
      continue;
    }
    if (LOG.isDebugEnabled()) {
      LOG.debug("Found existing {} servlet at path {}; will replace mapping with {} servlet",
          existing.getServletName(), pathSpec, servlet.getName());
    }
    final ServletMapping[] remaining =
        ArrayUtil.removeFromArray(currentMappings, existing);
    webAppContext.getServletHandler().setServletMappings(remaining);
    break;
  }
  webAppContext.addServlet(servlet, pathSpec);

  final boolean protectWithSpnego =
      requireAuth && UserGroupInformation.isSecurityEnabled();
  if (!protectWithSpnego) {
    // No Kerberos filter: auth was not requested, or the cluster is non-secure.
    return;
  }

  LOG.info("Adding Kerberos (SPNEGO) filter to {}", name);
  final ServletHandler servletHandler = webAppContext.getServletHandler();
  final FilterMapping spnegoMapping = new FilterMapping();
  spnegoMapping.setPathSpec(pathSpec);
  spnegoMapping.setFilterName(SPNEGO_FILTER);
  spnegoMapping.setDispatches(FilterMapping.ALL);
  servletHandler.addFilterMapping(spnegoMapping);
}
 
Example 11
Source File: RMAppManager.java    From big-c with Apache License 2.0
/**
 * Records that an application has completed: notifies the delegation token
 * renewer (secure mode only), adds the id to the completed list, bumps the
 * state-store counter and writes the audit log entry.
 *
 * @param applicationId id of the finished application; a {@code null} id is
 *     logged as an error and otherwise ignored
 */
protected synchronized void finishApplication(ApplicationId applicationId) {
  if (applicationId == null) {
    LOG.error("RMAppManager received completed appId of null, skipping");
    return;
  }

  final boolean secureCluster = UserGroupInformation.isSecurityEnabled();
  if (secureCluster) {
    // Inform the DelegationTokenRenewer that this application is finished.
    rmContext.getDelegationTokenRenewer().applicationFinished(applicationId);
  }

  completedApps.add(applicationId);
  completedAppsInStateStore++;
  writeAuditLog(applicationId);
}
 
Example 12
Source File: SpnegoConfig.java    From Bats with Apache License 2.0
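/**
 * Logs in {@code principal} from {@code keytab} and returns the resulting UGI.
 *
 * <p>When Hadoop security is not enabled, the static UGI configuration is
 * switched to Kerberos for the duration of the login and then reset to a
 * default {@link Configuration}. The reset runs in a {@code finally} block so
 * that a failed login does not leave the process-wide UGI state in Kerberos
 * mode.
 *
 * <p>NOTE(review): the switch-and-reset is applied through static calls with
 * no locking in this method; confirm no other thread reads the UGI
 * configuration while this runs.
 *
 * @return the UGI of the logged-in principal
 * @throws DrillException if validation of the SPNEGO config fails or the
 *     login fails for any reason (the cause is preserved)
 */
private UserGroupInformation loginAndReturnUgi() throws DrillException {

  validateSpnegoConfig();

  try {
    if (UserGroupInformation.isSecurityEnabled()) {
      // Let's not overwrite the rules here since it might be possible that CUSTOM security is configured for
      // JDBC/ODBC with default rules. If Kerberos was enabled then the correct rules must already be set
      return UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab);
    }

    // Security is not enabled: set the security parameter just long enough to login the principal.
    final Configuration newConfig = new Configuration();
    newConfig.set(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION,
        UserGroupInformation.AuthenticationMethod.KERBEROS.toString());

    if (clientNameMapping != null) {
      newConfig.set(CommonConfigurationKeys.HADOOP_SECURITY_AUTH_TO_LOCAL, clientNameMapping);
    }

    try {
      UserGroupInformation.setConfiguration(newConfig);
      return UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab);
    } finally {
      // Reset the original configuration for static UGI, on success and on failure alike.
      UserGroupInformation.setConfiguration(new Configuration());
    }
  } catch (Exception e) {
    throw new DrillException(String.format("Login failed for %s with given keytab", principal), e);
  }
}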
 
Example 13
Source File: Server.java    From big-c with Apache License 2.0
/**
 * Constructs a server listening on the named port and address.  Parameters passed must
 * be of the named class.  The <code>handlerCount</code> determines
 * the number of handler threads that will be used to process calls.
 * If queueSizePerHandler or numReaders are not -1 they will be used instead of parameters
 * from configuration. Otherwise the configuration will be picked up.
 *
 * If rpcRequestClass is null then the rpcRequestClass must have been
 * registered via {@link #registerProtocolEngine(RpcPayloadHeader.RpcKind,
 *  Class, RPC.RpcInvoker)}
 * This parameter has been retained for compatibility with existing tests
 * and usage.
 *
 * Security-related setup done here: the service-level authorization flag is
 * read from configuration with a default of <code>false</code>, the enabled
 * authentication methods are derived from the secret manager and
 * configuration, and SASL is initialised when a secret manager is supplied or
 * Hadoop security is enabled.
 */
@SuppressWarnings("unchecked")
protected Server(String bindAddress, int port,
    Class<? extends Writable> rpcRequestClass, int handlerCount,
    int numReaders, int queueSizePerHandler, Configuration conf,
    String serverName, SecretManager<? extends TokenIdentifier> secretManager,
    String portRangeConfig)
  throws IOException {
  this.bindAddress = bindAddress;
  this.conf = conf;
  this.portRangeConfig = portRangeConfig;
  this.port = port;
  this.rpcRequestClass = rpcRequestClass; 
  this.handlerCount = handlerCount;
  this.socketSendBufferSize = 0;
  // Upper bound for the data length, taken from configuration.
  this.maxDataLength = conf.getInt(CommonConfigurationKeys.IPC_MAXIMUM_DATA_LENGTH,
      CommonConfigurationKeys.IPC_MAXIMUM_DATA_LENGTH_DEFAULT);
  // -1 means "not specified": fall back to handlerCount * configured queue size.
  if (queueSizePerHandler != -1) {
    this.maxQueueSize = queueSizePerHandler;
  } else {
    this.maxQueueSize = handlerCount * conf.getInt(
        CommonConfigurationKeys.IPC_SERVER_HANDLER_QUEUE_SIZE_KEY,
        CommonConfigurationKeys.IPC_SERVER_HANDLER_QUEUE_SIZE_DEFAULT);      
  }
  this.maxRespSize = conf.getInt(
      CommonConfigurationKeys.IPC_SERVER_RPC_MAX_RESPONSE_SIZE_KEY,
      CommonConfigurationKeys.IPC_SERVER_RPC_MAX_RESPONSE_SIZE_DEFAULT);
  // -1 means "not specified": use the configured number of reader threads.
  if (numReaders != -1) {
    this.readThreads = numReaders;
  } else {
    this.readThreads = conf.getInt(
        CommonConfigurationKeys.IPC_SERVER_RPC_READ_THREADS_KEY,
        CommonConfigurationKeys.IPC_SERVER_RPC_READ_THREADS_DEFAULT);
  }
  this.readerPendingConnectionQueue = conf.getInt(
      CommonConfigurationKeys.IPC_SERVER_RPC_READ_CONNECTION_QUEUE_SIZE_KEY,
      CommonConfigurationKeys.IPC_SERVER_RPC_READ_CONNECTION_QUEUE_SIZE_DEFAULT);

  // Setup appropriate callqueue
  final String prefix = getQueueClassPrefix();
  this.callQueue = new CallQueueManager<Call>(getQueueClass(prefix, conf),
      maxQueueSize, prefix, conf);

  // Unchecked cast (covered by the @SuppressWarnings on this constructor).
  this.secretManager = (SecretManager<TokenIdentifier>) secretManager;
  // Authorization defaults to false when the key is absent from conf.
  this.authorize = 
    conf.getBoolean(CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION, 
                    false);

  // configure supported authentications
  this.enabledAuthMethods = getAuthMethods(secretManager, conf);
  this.negotiateResponse = buildNegotiateResponse(enabledAuthMethods);
  
  // Start the listener here and let it bind to the port
  listener = new Listener();
  // Replace the requested port with the one the listener reports.
  this.port = listener.getAddress().getPort();    
  connectionManager = new ConnectionManager();
  this.rpcMetrics = RpcMetrics.create(this, conf);
  this.rpcDetailedMetrics = RpcDetailedMetrics.create(this.port);
  this.tcpNoDelay = conf.getBoolean(
      CommonConfigurationKeysPublic.IPC_SERVER_TCPNODELAY_KEY,
      CommonConfigurationKeysPublic.IPC_SERVER_TCPNODELAY_DEFAULT);

  // Create the responder here
  responder = new Responder();
  
  // SASL is set up if tokens can be used (a secret manager was supplied) or
  // Hadoop security is enabled; otherwise saslPropsResolver is left unset here.
  if (secretManager != null || UserGroupInformation.isSecurityEnabled()) {
    SaslRpcServer.init(conf);
    saslPropsResolver = SaslPropertiesResolver.getInstance(conf);
  }
  
  this.exceptionsHandler.addTerseExceptions(StandbyException.class);
}
 
Example 14
Source File: RMAppImpl.java    From big-c with Apache License 2.0
/**
 * Recovery transition: restores the application from the saved RM state and
 * returns the state the application should resume in.
 *
 * Returns the recovered final state if the app had already completed,
 * SUBMITTED if no attempts were recovered, and ACCEPTED otherwise.
 */
@Override
public RMAppState transition(RMAppImpl app, RMAppEvent event) {

  RMAppRecoverEvent recoverEvent = (RMAppRecoverEvent) event;
  app.recover(recoverEvent.getRMState());
  // The app has completed.
  if (app.recoveredFinalState != null) {
    app.recoverAppAttempts();
    new FinalTransition(app.recoveredFinalState).transition(app, event);
    return app.recoveredFinalState;
  }

  if (UserGroupInformation.isSecurityEnabled()) {
    // synchronously renew delegation token on recovery.
    try {
      app.rmContext.getDelegationTokenRenewer().addApplicationSync(
        app.getApplicationId(), app.parseCredentials(),
        app.submissionContext.getCancelTokensWhenComplete(), app.getUser());
    } catch (Exception e) {
      // A renewal failure is recorded in the app diagnostics and the log, but
      // recovery carries on with the steps below.
      String msg = "Failed to renew token for " + app.applicationId
              + " on recovery : " + e.getMessage();
      app.diagnostics.append(msg);
      LOG.error(msg, e);
    }
  }

  // No existent attempts means the attempt associated with this app was not
  // started or started but not yet saved.
  if (app.attempts.isEmpty()) {
    app.scheduler.handle(new AppAddedSchedulerEvent(app.applicationId,
      app.submissionContext.getQueue(), app.user,
      app.submissionContext.getReservationID()));
    return RMAppState.SUBMITTED;
  }

  // Add application to scheduler synchronously to guarantee scheduler
  // knows applications before AM or NM re-registers.
  app.scheduler.handle(new AppAddedSchedulerEvent(app.applicationId,
    app.submissionContext.getQueue(), app.user, true,
      app.submissionContext.getReservationID()));

  // recover attempts
  app.recoverAppAttempts();

  // Last attempt is in final state, return ACCEPTED waiting for last
  // RMAppAttempt to send finished or failed event back.
  // (This branch and the fall-through below return the same state.)
  if (app.currentAttempt != null
      && (app.currentAttempt.getState() == RMAppAttemptState.KILLED
          || app.currentAttempt.getState() == RMAppAttemptState.FINISHED
          || (app.currentAttempt.getState() == RMAppAttemptState.FAILED
              && app.getNumFailedAppAttempts() == app.maxAppAttempts))) {
    return RMAppState.ACCEPTED;
  }

  // YARN-1507 is saving the application state after the application is
  // accepted. So after YARN-1507, an app is saved meaning it is accepted.
  // Thus we return ACCEPTED state on recovery.
  return RMAppState.ACCEPTED;
}
 
Example 15
Source File: RangerAdminJersey2RESTClient.java    From ranger with Apache License 2.0
/**
 * Asks the policy server for the service's policies if they changed since
 * {@code lastKnownVersion}.
 *
 * Uses the secure endpoint, called inside {@code doAs} of the login user, only
 * when a login user is available and Hadoop security is enabled; in every
 * other case the non-secure endpoint is called directly.
 *
 * @param lastKnownVersion policy version the caller already has
 * @param lastActivationTimeInMillis last activation time reported to the server
 * @return the deserialized policies on HTTP 200; {@code null} on 304, on a
 *         null response, and on any other status that does not throw
 * @throws Exception on a 404 whose body makes
 *         {@code throwExceptionIfServiceNotFound} throw, or on other failures
 */
@Override
public ServicePolicies getServicePoliciesIfUpdated(final long lastKnownVersion, final long lastActivationTimeInMillis) throws Exception {
	if(LOG.isDebugEnabled()) {
		LOG.debug("==> RangerAdminJersey2RESTClient.getServicePoliciesIfUpdated(" + lastKnownVersion + ", " + lastActivationTimeInMillis + ")");
	}

	UserGroupInformation user = MiscUtil.getUGILoginUser();
	// NOTE(review): if no login user is returned while security is enabled,
	// this silently selects the non-secure endpoint below; confirm that
	// fallback is intended.
	boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();

	String relativeURL = null;
	ServicePolicies servicePolicies = null;
	Response response = null;

	Map<String, String> queryParams = new HashMap<String, String>();
	queryParams.put(RangerRESTUtils.REST_PARAM_LAST_KNOWN_POLICY_VERSION, Long.toString(lastKnownVersion));
	queryParams.put(RangerRESTUtils.REST_PARAM_LAST_ACTIVATION_TIME, Long.toString(lastActivationTimeInMillis));
	queryParams.put(RangerRESTUtils.REST_PARAM_PLUGIN_ID, _pluginId);
	queryParams.put(RangerRESTUtils.REST_PARAM_CLUSTER_NAME, _clusterName);
	queryParams.put(RangerRESTUtils.REST_PARAM_SUPPORTS_POLICY_DELTAS, _supportsPolicyDeltas);
	queryParams.put(RangerRESTUtils.REST_PARAM_CAPABILITIES, pluginCapabilities);

	if (isSecureMode) {
		if (LOG.isDebugEnabled()) {
			LOG.debug("Checking Service policy if updated as user : " + user);
		}
		relativeURL = RangerRESTUtils.REST_URL_POLICY_GET_FOR_SECURE_SERVICE_IF_UPDATED + _serviceName;
		// Effectively-final copy so the anonymous class can capture it.
		final String secureRelativeUrl = relativeURL;
		PrivilegedAction<Response> action = new PrivilegedAction<Response>() {
			public Response run() {
				return get(queryParams, secureRelativeUrl);
			}
		};
		// Issue the request with the login user's credentials.
		response = user.doAs(action);
	} else {
		if (LOG.isDebugEnabled()) {
			LOG.debug("Checking Service policy if updated with old api call");
		}
		relativeURL = RangerRESTUtils.REST_URL_POLICY_GET_FOR_SERVICE_IF_UPDATED + _serviceName;
		response = get(queryParams, relativeURL);
	}

	// -1 stands in for "no response object at all".
	int httpResponseCode = response == null ? -1 : response.getStatus();
	String body = null;

	// NOTE(review): the Response is never closed in this method and the 304
	// branch does not read the entity; confirm the client releases the
	// connection in that case.
	switch (httpResponseCode) {
		case 200:
			body = response.readEntity(String.class);

			// NOTE(review): at debug level the full policy payload is written
			// to the log, here and after deserialization; confirm debug logs
			// are access-controlled.
			if (LOG.isDebugEnabled()) {
				LOG.debug("Response from 200 server: " + body);
			}

			Gson gson = getGson();
			servicePolicies = gson.fromJson(body, ServicePolicies.class);

			if (LOG.isDebugEnabled()) {
				LOG.debug("Deserialized response to: " + servicePolicies);
			}
			break;
		case 304:
			LOG.debug("Got response: 304. Ok. Returning null");
			break;
		case -1:
			LOG.warn("Unexpected: Null response from policy server while trying to get policies! Returning null!");
			break;
		case 404: {
			// A 404 with a non-blank body is handed to the not-found helper,
			// which may throw; otherwise the 404 is logged and ignored.
			if (response.hasEntity()) {
				body = response.readEntity(String.class);
				if (StringUtils.isNotBlank(body)) {
					RangerServiceNotFoundException.throwExceptionIfServiceNotFound(_serviceName, body);
				}
			}
			LOG.warn("Received 404 error code with body:[" + body + "], Ignoring");
			break;
		}
		default:
			// Any other status, including 401/403, ends up here: it is logged
			// and null is returned to the caller.
			body = response.readEntity(String.class);
			LOG.warn(String.format("Unexpected: Received status[%d] with body[%s] form url[%s]", httpResponseCode, body, relativeURL));
			break;
	}

	if(LOG.isDebugEnabled()) {
		LOG.debug("<== RangerAdminJersey2RESTClient.getServicePoliciesIfUpdated(" + lastKnownVersion + ", " + lastActivationTimeInMillis + "): " + servicePolicies);
	}
	return servicePolicies;
}
 
Example 16
Source File: GcsDtFetcher.java    From hadoop-connectors with Apache License 2.0
/**
 * Reports whether a token is required, which is the case exactly when Hadoop
 * security is enabled.
 *
 * @return {@code true} if security is enabled, {@code false} otherwise
 */
@Override
public boolean isTokenRequired() {
  final boolean secureCluster = UserGroupInformation.isSecurityEnabled();
  return secureCluster;
}
 
Example 17
Source File: StramUserLogin.java    From attic-apex-core with Apache License 2.0
/**
 * Calls {@code authenticate(conf)} when Hadoop security is enabled and does
 * nothing otherwise.
 *
 * @param conf configuration passed through to {@code authenticate}
 * @throws IOException if authentication fails
 */
public static void attemptAuthentication(Configuration conf) throws IOException
{
  if (!UserGroupInformation.isSecurityEnabled()) {
    // Non-secure cluster: no login is attempted.
    return;
  }
  authenticate(conf);
}
 
Example 18
Source File: StreamingAppMasterService.java    From Bats with Apache License 2.0
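/**
 * Initialises the application master: loads the logical plan from the
 * working directory, builds the container manager and app context, sets up
 * security, and registers the NM/RM clients, the heartbeat RPC server and the
 * optional metrics push agent as child services.
 *
 * <p>The delegation token manager is created only when Hadoop security is
 * enabled; otherwise the field is passed to the heartbeat listener as it was
 * before this call.
 *
 * @param conf service configuration
 * @throws Exception if the plan cannot be read or any step of the setup fails
 */
@Override
protected void serviceInit(Configuration conf) throws Exception
{
  LOG.info("Application master" + ", appId=" + appAttemptID.getApplicationId().getId() + ", clustertimestamp=" + appAttemptID.getApplicationId().getClusterTimestamp() + ", attemptId=" + appAttemptID.getAttemptId());

  // try-with-resources closes the stream on every path and keeps a read
  // failure as the primary exception if close() fails as well.
  // NOTE(review): the plan is read from a file in the working directory;
  // confirm that only the trusted launcher can write that file.
  try (FileInputStream fis = new FileInputStream("./" + LogicalPlan.SER_FILE_NAME)) {
    this.dag = LogicalPlan.read(fis);
  }
  // "debug" simply dumps all data using LOG.info
  if (dag.isDebug()) {
    dumpOutDebugInfo();
  }
  dag.setAttribute(LogicalPlan.APPLICATION_ATTEMPT_ID, appAttemptID.getAttemptId());
  FSRecoveryHandler recoveryHandler = new FSRecoveryHandler(dag.assertAppPath(), conf);
  this.dnmgr = StreamingContainerManager.getInstance(recoveryHandler, dag, true);
  // From here on use the plan held by the container manager.
  dag = this.dnmgr.getLogicalPlan();
  this.appContext = new ClusterAppContextImpl(dag.getAttributes());

  Map<Class<?>, Class<? extends StringCodec<?>>> codecs = dag.getAttributes().get(DAG.STRING_CODECS);
  StringCodecs.loadConverters(codecs);

  LOG.info("Starting application with {} operators in {} containers", dnmgr.getPhysicalPlan().getAllOperators().size(), dnmgr.getPhysicalPlan().getContainers().size());

  // Setup security configuration such as that for web security
  SecurityUtils.init(conf, dag.getValue(LogicalPlan.STRAM_HTTP_AUTHENTICATION));

  if (UserGroupInformation.isSecurityEnabled()) {
    // TODO :- Need to perform token renewal
    delegationTokenManager = new StramDelegationTokenManager(DELEGATION_KEY_UPDATE_INTERVAL, DELEGATION_TOKEN_MAX_LIFETIME, DELEGATION_TOKEN_RENEW_INTERVAL, DELEGATION_TOKEN_REMOVER_SCAN_INTERVAL);
  }
  this.nmClient = new NMClientAsyncImpl(new NMCallbackHandler());
  addService(nmClient);
  this.amRmClient = AMRMClient.createAMRMClient();
  addService(amRmClient);

  // start RPC server
  int rpcListenerCount = dag.getValue(DAGContext.HEARTBEAT_LISTENER_THREAD_COUNT);
  this.heartbeatListener = new StreamingContainerParent(this.getClass().getName(), dnmgr, delegationTokenManager, rpcListenerCount);
  addService(heartbeatListener);

  // The push agent is optional: it is added only when a transport is configured.
  AutoMetric.Transport appDataPushTransport = dag.getValue(LogicalPlan.METRICS_TRANSPORT);
  if (appDataPushTransport != null) {
    this.appDataPushAgent = new AppDataPushAgent(dnmgr, appContext);
    addService(this.appDataPushAgent);
  }
  initApexPluginDispatcher();

  // Initialize all services added above
  super.serviceInit(conf);
}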
 
Example 19
Source File: ApplicationMaster.java    From ignite with Apache License 2.0
/**
 * {@inheritDoc}
 *
 * For every allocated container that passes {@code checkContainer}, builds a
 * launch context (tokens in secure mode, environment, local resources and the
 * start command), starts the container and records it; containers that fail
 * the check are released.
 */
@Override public synchronized void onContainersAllocated(List<Container> conts) {
    for (Container c : conts) {
        if (checkContainer(c)) {
            log.log(Level.INFO, "Container {0} allocated", c.getId());

            try {
                ContainerLaunchContext ctx = Records.newRecord(ContainerLaunchContext.class);

                if (UserGroupInformation.isSecurityEnabled())
                    // Set the tokens to the newly allocated container:
                    ctx.setTokens(allTokens.duplicate());

                Map<String, String> env = new HashMap<>(ctx.getEnvironment());

                Map<String, String> systemEnv = System.getenv();

                // Every variable of this process whose name matches the
                // IGNITE_ pattern is copied into the container environment.
                // NOTE(review): confirm no IGNITE_* variable carries a secret
                // that the container should not receive.
                for (String key : systemEnv.keySet()) {
                    if (key.matches("^IGNITE_[_0-9A-Z]+$"))
                        env.put(key, systemEnv.get(key));
                }

                env.put("IGNITE_TCP_DISCOVERY_ADDRESSES", getAddress(c.getNodeId().getHost()));

                // JVM options travel through the environment, not the command string.
                if (props.jvmOpts() != null && !props.jvmOpts().isEmpty())
                    env.put("JVM_OPTS", props.jvmOpts());

                ctx.setEnvironment(env);

                Map<String, LocalResource> resources = new HashMap<>();

                resources.put("ignite", IgniteYarnUtils.setupFile(ignitePath, fs, LocalResourceType.ARCHIVE));
                resources.put("ignite-config.xml", IgniteYarnUtils.setupFile(cfgPath, fs, LocalResourceType.FILE));

                if (props.licencePath() != null)
                    resources.put("gridgain-license.xml",
                        IgniteYarnUtils.setupFile(new Path(props.licencePath()), fs, LocalResourceType.FILE));

                if (props.userLibs() != null)
                    resources.put("libs", IgniteYarnUtils.setupFile(new Path(props.userLibs()), fs,
                        LocalResourceType.FILE));

                ctx.setLocalResources(resources);

                // The command is assembled from string literals, the memory
                // size cast to int, and IgniteYarnUtils.YARN_LOG_OUT; the
                // licence path only decides whether the first literal is included.
                ctx.setCommands(
                    Collections.singletonList(
                        (props.licencePath() != null ? "cp gridgain-license.xml ./ignite/*/ || true && " : "")
                        + "cp -r ./libs/* ./ignite/*/libs/ || true && "
                        + "./ignite/*/bin/ignite.sh "
                        + "./ignite-config.xml"
                        + " -J-Xmx" + ((int)props.memoryPerNode()) + "m"
                        + " -J-Xms" + ((int)props.memoryPerNode()) + "m"
                        + IgniteYarnUtils.YARN_LOG_OUT
                    ));

                log.log(Level.INFO, "Launching container: {0}.", c.getId());

                nmClient.startContainer(c, ctx);

                containers.put(c.getId(),
                    new IgniteContainer(
                        c.getId(),
                        c.getNodeId(),
                        c.getResource().getVirtualCores(),
                        c.getResource().getMemory()));
            }
            catch (Exception ex) {
                // A failed launch is logged and the loop moves on.
                // NOTE(review): the container is not released on this path; confirm that is intended.
                log.log(Level.WARNING, "Error launching container " + c.getId(), ex);
            }
        }
        else {
            log.log(Level.WARNING, "Container {0} check failed. Releasing...", c.getId());

            rmClient.releaseAssignedContainer(c.getId());
        }
    }
}
 
Example 20
Source File: JspHelper.java    From hadoop with Apache License 2.0
/**
 * Get {@link UserGroupInformation} and possibly the delegation token out of
 * the request.
 *
 * With security enabled the caller is identified either by a delegation
 * token parameter or by the remote user already set on the request; with
 * security disabled the user name is taken from the query string, or the
 * default web user when none is given, without any authentication in this
 * method.
 *
 * @param context the ServletContext that is serving this request.
 * @param request the http request
 * @param conf configuration
 * @param secureAuthMethod the AuthenticationMethod used in secure mode.
 * @param tryUgiParameter Should it try the ugi parameter?
 * @return a new user from the request
 * @throws AccessControlException if the request has no token
 * @throws IOException if security is enabled and the request carries neither
 *         a delegation token nor an authenticated remote user
 */
public static UserGroupInformation getUGI(ServletContext context,
    HttpServletRequest request, Configuration conf,
    final AuthenticationMethod secureAuthMethod,
    final boolean tryUgiParameter) throws IOException {
  UserGroupInformation ugi = null;
  // Both values below come straight from the request and are caller-controlled.
  final String usernameFromQuery = getUsernameFromQuery(request, tryUgiParameter);
  final String doAsUserFromQuery = request.getParameter(DoAsParam.NAME);
  final String remoteUser;
 
  if (UserGroupInformation.isSecurityEnabled()) {
    remoteUser = request.getRemoteUser();
    final String tokenString = request.getParameter(DELEGATION_PARAMETER_NAME);
    if (tokenString != null) {
      // Token-based connections need only verify the effective user, and
      // disallow proxying to different user.  Proxy authorization checks
      // are not required since the checks apply to issuing a token.
      ugi = getTokenUGI(context, request, tokenString, conf);
      checkUsername(ugi.getShortUserName(), usernameFromQuery);
      checkUsername(ugi.getShortUserName(), doAsUserFromQuery);
    } else if (remoteUser == null) {
      // No token and nothing set by the authentication filter: refuse.
      throw new IOException(
          "Security enabled but user not authenticated by filter");
    }
  } else {
    // Security's not on, pull from url or use default web user
    // NOTE(review): on this path the identity is whatever the request names;
    // access control has to come from outside this method.
    remoteUser = (usernameFromQuery == null)
        ? getDefaultWebUserName(conf) // not specified in request
        : usernameFromQuery;
  }

  if (ugi == null) { // security is off, or there's no token
    ugi = UserGroupInformation.createRemoteUser(remoteUser);
    // presumably rejects a query-string user name that differs from the
    // resolved user; checkUsername is not shown here.
    checkUsername(ugi.getShortUserName(), usernameFromQuery);
    if (UserGroupInformation.isSecurityEnabled()) {
      // This is not necessarily true, could have been auth'ed by user-facing
      // filter
      ugi.setAuthenticationMethod(secureAuthMethod);
    }
    if (doAsUserFromQuery != null) {
      // create and attempt to authorize a proxy user
      // (authorization is evaluated against the request's remote address)
      ugi = UserGroupInformation.createProxyUser(doAsUserFromQuery, ugi);
      ProxyUsers.authorize(ugi, getRemoteAddr(request));
    }
  }
  
  if(LOG.isDebugEnabled())
    LOG.debug("getUGI is returning: " + ugi.getShortUserName());
  return ugi;
}