org.apache.hadoop.yarn.security.YarnAuthorizationProvider Java Examples

The following examples show how to use org.apache.hadoop.yarn.security.YarnAuthorizationProvider. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
Source File: RangerYarnAuthorizer.java    From ranger with Apache License 2.0 6 votes vote down vote up
private void init(){
	if(LOG.isDebugEnabled()) {
		LOG.debug("==> RangerYarnAuthorizer.init()");
	}

	try {
		
		rangerPluginClassLoader = RangerPluginClassLoader.getInstance(RANGER_PLUGIN_TYPE, this.getClass());
		
		@SuppressWarnings("unchecked")
		Class<YarnAuthorizationProvider> cls = (Class<YarnAuthorizationProvider>) Class.forName(RANGER_YARN_AUTHORIZER_IMPL_CLASSNAME, true, rangerPluginClassLoader);

		activatePluginClassLoader();

		yarnAuthorizationProviderImpl = cls.newInstance();
	} catch (Exception e) {
		// check what need to be done
		LOG.error("Error Enabling RangerYarnPlugin", e);
	} finally {
		deactivatePluginClassLoader();
	}

	if(LOG.isDebugEnabled()) {
		LOG.debug("<== RangerYarnAuthorizer.init()");
	}
}
 
Example #2
Source File: AdminService.java    From big-c with Apache License 2.0 6 votes vote down vote up
@Override
public void serviceInit(Configuration conf) throws Exception {
  if (rmContext.isHAEnabled()) {
    autoFailoverEnabled = HAUtil.isAutomaticFailoverEnabled(conf);
    if (autoFailoverEnabled) {
      if (HAUtil.isAutomaticFailoverEmbedded(conf)) {
        embeddedElector = createEmbeddedElectorService();
        addIfService(embeddedElector);
      }
    }
  }

  masterServiceBindAddress = conf.getSocketAddr(
      YarnConfiguration.RM_BIND_HOST,
      YarnConfiguration.RM_ADMIN_ADDRESS,
      YarnConfiguration.DEFAULT_RM_ADMIN_ADDRESS,
      YarnConfiguration.DEFAULT_RM_ADMIN_PORT);
  daemonUser = UserGroupInformation.getCurrentUser();
  authorizer = YarnAuthorizationProvider.getInstance(conf);
  authorizer.setAdmins(getAdminAclList(conf), UserGroupInformation
      .getCurrentUser());
  rmId = conf.get(YarnConfiguration.RM_HA_ID);
  super.serviceInit(conf);
}
 
Example #3
Source File: AdminService.java    From hadoop with Apache License 2.0 6 votes vote down vote up
@Override
public void serviceInit(Configuration conf) throws Exception {
  if (rmContext.isHAEnabled()) {
    autoFailoverEnabled = HAUtil.isAutomaticFailoverEnabled(conf);
    if (autoFailoverEnabled) {
      if (HAUtil.isAutomaticFailoverEmbedded(conf)) {
        embeddedElector = createEmbeddedElectorService();
        addIfService(embeddedElector);
      }
    }
  }

  masterServiceBindAddress = conf.getSocketAddr(
      YarnConfiguration.RM_BIND_HOST,
      YarnConfiguration.RM_ADMIN_ADDRESS,
      YarnConfiguration.DEFAULT_RM_ADMIN_ADDRESS,
      YarnConfiguration.DEFAULT_RM_ADMIN_PORT);
  daemonUser = UserGroupInformation.getCurrentUser();
  authorizer = YarnAuthorizationProvider.getInstance(conf);
  authorizer.setAdmins(getAdminAclList(conf), UserGroupInformation
      .getCurrentUser());
  rmId = conf.get(YarnConfiguration.RM_HA_ID);
  super.serviceInit(conf);
}
 
Example #4
Source File: RMServerUtils.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Utility method to verify if the current user has access based on the
 * passed {@link AccessControlList}
 * @param authorizer the {@link AccessControlList} to check against
 * @param method the method name to be logged
 * @param module like AdminService or NodeLabelManager
 * @param LOG the logger to use
 * @return {@link UserGroupInformation} of the current user
 * @throws IOException
 */
public static UserGroupInformation verifyAdminAccess(
    YarnAuthorizationProvider authorizer, String method, String module,
    final Log LOG)
    throws IOException {
  UserGroupInformation user;
  try {
    user = UserGroupInformation.getCurrentUser();
  } catch (IOException ioe) {
    LOG.warn("Couldn't get current user", ioe);
    RMAuditLogger.logFailure("UNKNOWN", method, "",
        "AdminService", "Couldn't get current user");
    throw ioe;
  }

  if (!authorizer.isAdmin(user)) {
    LOG.warn("User " + user.getShortUserName() + " doesn't have permission" +
        " to call '" + method + "'");

    RMAuditLogger.logFailure(user.getShortUserName(), method, "", module,
      RMAuditLogger.AuditConstants.UNAUTHORIZED_USER);

    throw new AccessControlException("User " + user.getShortUserName() +
            " doesn't have permission" +
            " to call '" + method + "'");
  }
  if (LOG.isTraceEnabled()) {
    LOG.trace(method + " invoked by user " + user.getShortUserName());
  }
  return user;
}
 
Example #5
Source File: CapacityScheduler.java    From hadoop with Apache License 2.0 5 votes vote down vote up
private synchronized void initScheduler(Configuration configuration) throws
    IOException {
  this.conf = loadCapacitySchedulerConfiguration(configuration);
  validateConf(this.conf);
  this.minimumAllocation = this.conf.getMinimumAllocation();
  initMaximumResourceCapability(this.conf.getMaximumAllocation());
  this.calculator = this.conf.getResourceCalculator();
  this.usePortForNodeName = this.conf.getUsePortForNodeName();
  this.applications =
      new ConcurrentHashMap<ApplicationId,
          SchedulerApplication<FiCaSchedulerApp>>();
  this.labelManager = rmContext.getNodeLabelManager();
  authorizer = YarnAuthorizationProvider.getInstance(yarnConf);
  initializeQueues(this.conf);

  scheduleAsynchronously = this.conf.getScheduleAynschronously();
  asyncScheduleInterval =
      this.conf.getLong(ASYNC_SCHEDULER_INTERVAL,
          DEFAULT_ASYNC_SCHEDULER_INTERVAL);
  if (scheduleAsynchronously) {
    asyncSchedulerThread = new AsyncScheduleThread(this);
  }

  LOG.info("Initialized CapacityScheduler with " +
      "calculator=" + getResourceCalculator().getClass() + ", " +
      "minimumAllocation=<" + getMinimumResourceCapability() + ">, " +
      "maximumAllocation=<" + getMaximumResourceCapability() + ">, " +
      "asynchronousScheduling=" + scheduleAsynchronously + ", " +
      "asyncScheduleInterval=" + asyncScheduleInterval + "ms");
}
 
Example #6
Source File: CapacityScheduler.java    From hadoop with Apache License 2.0 5 votes vote down vote up
@VisibleForTesting
public static void setQueueAcls(YarnAuthorizationProvider authorizer,
    Map<String, CSQueue> queues) throws IOException {
  for (CSQueue queue : queues.values()) {
    AbstractCSQueue csQueue = (AbstractCSQueue) queue;
    authorizer.setPermission(csQueue.getPrivilegedEntity(),
      csQueue.getACLs(), UserGroupInformation.getCurrentUser());
  }
}
 
Example #7
Source File: CapacityScheduler.java    From big-c with Apache License 2.0 5 votes vote down vote up
@VisibleForTesting
public static void setQueueAcls(YarnAuthorizationProvider authorizer,
    Map<String, CSQueue> queues) throws IOException {
  for (CSQueue queue : queues.values()) {
    AbstractCSQueue csQueue = (AbstractCSQueue) queue;
    authorizer.setPermission(csQueue.getPrivilegedEntity(),
      csQueue.getACLs(), UserGroupInformation.getCurrentUser());
  }
}
 
Example #8
Source File: CapacityScheduler.java    From big-c with Apache License 2.0 5 votes vote down vote up
private synchronized void initScheduler(Configuration configuration) throws
    IOException {
  this.conf = loadCapacitySchedulerConfiguration(configuration);
  validateConf(this.conf);
  this.minimumAllocation = this.conf.getMinimumAllocation();
  initMaximumResourceCapability(this.conf.getMaximumAllocation());
  this.calculator = this.conf.getResourceCalculator();
  this.usePortForNodeName = this.conf.getUsePortForNodeName();
  
  this.nodeContainerUpdateMap = new HashMap<NodeId, ConcurrentLinkedQueue<NodeContainerUpdate>>();
 
  this.applications =
      new ConcurrentHashMap<ApplicationId,
          SchedulerApplication<FiCaSchedulerApp>>();
  this.labelManager = rmContext.getNodeLabelManager();
  authorizer = YarnAuthorizationProvider.getInstance(yarnConf);
  initializeQueues(this.conf);

  scheduleAsynchronously = this.conf.getScheduleAynschronously();
  asyncScheduleInterval =
      this.conf.getLong(ASYNC_SCHEDULER_INTERVAL,
          DEFAULT_ASYNC_SCHEDULER_INTERVAL);
  if (scheduleAsynchronously) {
    asyncSchedulerThread = new AsyncScheduleThread(this);
  }

  LOG.info("Initialized CapacityScheduler with " +
      "calculator=" + getResourceCalculator().getClass() + ", " +
      "minimumAllocation=<" + getMinimumResourceCapability() + ">, " +
      "maximumAllocation=<" + getMaximumResourceCapability() + ">, " +
      "asynchronousScheduling=" + scheduleAsynchronously + ", " +
      "asyncScheduleInterval=" + asyncScheduleInterval + "ms");
}
 
Example #9
Source File: RMServerUtils.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Utility method to verify if the current user has access based on the
 * passed {@link AccessControlList}
 * @param authorizer the {@link AccessControlList} to check against
 * @param method the method name to be logged
 * @param module like AdminService or NodeLabelManager
 * @param LOG the logger to use
 * @return {@link UserGroupInformation} of the current user
 * @throws IOException
 */
public static UserGroupInformation verifyAdminAccess(
    YarnAuthorizationProvider authorizer, String method, String module,
    final Log LOG)
    throws IOException {
  UserGroupInformation user;
  try {
    user = UserGroupInformation.getCurrentUser();
  } catch (IOException ioe) {
    LOG.warn("Couldn't get current user", ioe);
    RMAuditLogger.logFailure("UNKNOWN", method, "",
        "AdminService", "Couldn't get current user");
    throw ioe;
  }

  if (!authorizer.isAdmin(user)) {
    LOG.warn("User " + user.getShortUserName() + " doesn't have permission" +
        " to call '" + method + "'");

    RMAuditLogger.logFailure(user.getShortUserName(), method, "", module,
      RMAuditLogger.AuditConstants.UNAUTHORIZED_USER);

    throw new AccessControlException("User " + user.getShortUserName() +
            " doesn't have permission" +
            " to call '" + method + "'");
  }
  if (LOG.isTraceEnabled()) {
    LOG.trace(method + " invoked by user " + user.getShortUserName());
  }
  return user;
}
 
Example #10
Source File: SCMAdminProtocolService.java    From big-c with Apache License 2.0 4 votes vote down vote up
@Override
protected void serviceInit(Configuration conf) throws Exception {
  this.clientBindAddress = getBindAddress(conf);
  authorizer = YarnAuthorizationProvider.getInstance(conf);
  super.serviceInit(conf);
}
 
Example #11
Source File: TestParentQueue.java    From big-c with Apache License 2.0 4 votes vote down vote up
@Test
public void testQueueAcl() throws Exception {
 
  setupMultiLevelQueues(csConf);
  csConf.setAcl(CapacitySchedulerConfiguration.ROOT, QueueACL.SUBMIT_APPLICATIONS, " ");
  csConf.setAcl(CapacitySchedulerConfiguration.ROOT, QueueACL.ADMINISTER_QUEUE, " ");

  final String Q_C = CapacitySchedulerConfiguration.ROOT + "." + C;
  csConf.setAcl(Q_C, QueueACL.ADMINISTER_QUEUE, "*");
  final String Q_C11= Q_C + "." + C1 +  "." + C11;
  csConf.setAcl(Q_C11, QueueACL.SUBMIT_APPLICATIONS, "*");

  Map<String, CSQueue> queues = new HashMap<String, CSQueue>();
  CSQueue root = 
      CapacityScheduler.parseQueue(csContext, csConf, null, 
          CapacitySchedulerConfiguration.ROOT, queues, queues, 
          TestUtils.spyHook);
  YarnAuthorizationProvider authorizer =
      YarnAuthorizationProvider.getInstance(conf);
  CapacityScheduler.setQueueAcls(authorizer, queues);

  UserGroupInformation user = UserGroupInformation.getCurrentUser();
  // Setup queue configs
  ParentQueue c = (ParentQueue)queues.get(C);
  ParentQueue c1 = (ParentQueue)queues.get(C1);
  ParentQueue c11 = (ParentQueue)queues.get(C11);
  ParentQueue c111 = (ParentQueue)queues.get(C111);

  assertFalse(root.hasAccess(QueueACL.ADMINISTER_QUEUE, user));
  List<QueueUserACLInfo> aclInfos = root.getQueueUserAclInfo(user);
  assertFalse(hasQueueACL(aclInfos, QueueACL.ADMINISTER_QUEUE, "root"));
  
  assertFalse(root.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user));
  assertFalse(hasQueueACL(aclInfos, QueueACL.SUBMIT_APPLICATIONS, "root"));

  // c has no SA, but QA
  assertTrue(c.hasAccess(QueueACL.ADMINISTER_QUEUE, user));
  assertTrue(hasQueueACL(aclInfos,  QueueACL.ADMINISTER_QUEUE, "c"));
  assertFalse(c.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user));
  assertFalse(hasQueueACL(aclInfos, QueueACL.SUBMIT_APPLICATIONS, "c"));

  //Queue c1 has QA, no SA (gotten perm from parent)
  assertTrue(c1.hasAccess(QueueACL.ADMINISTER_QUEUE, user)); 
  assertTrue(hasQueueACL(aclInfos,  QueueACL.ADMINISTER_QUEUE, "c1"));
  assertFalse(c1.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user)); 
  assertFalse(hasQueueACL(aclInfos, QueueACL.SUBMIT_APPLICATIONS, "c1"));

  //Queue c11 has permissions from parent queue and SA
  assertTrue(c11.hasAccess(QueueACL.ADMINISTER_QUEUE, user));
  assertTrue(hasQueueACL(aclInfos,  QueueACL.ADMINISTER_QUEUE, "c11"));
  assertTrue(c11.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user));
  assertTrue(hasQueueACL(aclInfos, QueueACL.SUBMIT_APPLICATIONS, "c11"));

  //Queue c111 has SA and AQ, both from parent
  assertTrue(c111.hasAccess(QueueACL.ADMINISTER_QUEUE, user));
  assertTrue(hasQueueACL(aclInfos,  QueueACL.ADMINISTER_QUEUE, "c111"));
  assertTrue(c111.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user));
  assertTrue(hasQueueACL(aclInfos, QueueACL.SUBMIT_APPLICATIONS, "c111"));

  reset(c);
}
 
Example #12
Source File: AbstractCSQueue.java    From big-c with Apache License 2.0 4 votes vote down vote up
synchronized void setupQueueConfigs(Resource clusterResource)
    throws IOException {
  // get labels
  this.accessibleLabels =
      csContext.getConfiguration().getAccessibleNodeLabels(getQueuePath());
  this.defaultLabelExpression = csContext.getConfiguration()
      .getDefaultNodeLabelExpression(getQueuePath());

  // inherit from parent if labels not set
  if (this.accessibleLabels == null && parent != null) {
    this.accessibleLabels = parent.getAccessibleNodeLabels();
  }
  
  // inherit from parent if labels not set
  if (this.defaultLabelExpression == null && parent != null
      && this.accessibleLabels.containsAll(parent.getAccessibleNodeLabels())) {
    this.defaultLabelExpression = parent.getDefaultNodeLabelExpression();
  }

  // After we setup labels, we can setup capacities
  setupConfigurableCapacities();
  
  this.maximumAllocation =
      csContext.getConfiguration().getMaximumAllocationPerQueue(
          getQueuePath());
  
  authorizer = YarnAuthorizationProvider.getInstance(csContext.getConf());
  
  this.state = csContext.getConfiguration().getState(getQueuePath());
  this.acls = csContext.getConfiguration().getAcls(getQueuePath());

  // Update metrics
  CSQueueUtils.updateQueueStatistics(
      resourceCalculator, this, parent, clusterResource, minimumAllocation);
  
  // Check if labels of this queue is a subset of parent queue, only do this
  // when we not root
  if (parent != null && parent.getParent() != null) {
    if (parent.getAccessibleNodeLabels() != null
        && !parent.getAccessibleNodeLabels().contains(RMNodeLabelsManager.ANY)) {
      // if parent isn't "*", child shouldn't be "*" too
      if (this.getAccessibleNodeLabels().contains(RMNodeLabelsManager.ANY)) {
        throw new IOException("Parent's accessible queue is not ANY(*), "
            + "but child's accessible queue is *");
      } else {
        Set<String> diff =
            Sets.difference(this.getAccessibleNodeLabels(),
                parent.getAccessibleNodeLabels());
        if (!diff.isEmpty()) {
          throw new IOException("Some labels of child queue is not a subset "
              + "of parent queue, these labels=["
              + StringUtils.join(diff, ",") + "]");
        }
      }
    }
  }

  this.reservationsContinueLooking = csContext.getConfiguration()
      .getReservationContinueLook();

  this.preemptionDisabled = isQueueHierarchyPreemptionDisabled(this);
}
 
Example #13
Source File: RMServerUtils.java    From big-c with Apache License 2.0 4 votes vote down vote up
public static UserGroupInformation verifyAdminAccess(
    YarnAuthorizationProvider authorizer, String method, final Log LOG)
    throws IOException {
  // by default, this method will use AdminService as module name
  return verifyAdminAccess(authorizer, method, "AdminService", LOG);
}
 
Example #14
Source File: RMNodeLabelsManager.java    From big-c with Apache License 2.0 4 votes vote down vote up
@Override
protected void serviceInit(Configuration conf) throws Exception {
  super.serviceInit(conf);
  authorizer = YarnAuthorizationProvider.getInstance(conf);
}
 
Example #15
Source File: SCMAdminProtocolService.java    From hadoop with Apache License 2.0 4 votes vote down vote up
@Override
protected void serviceInit(Configuration conf) throws Exception {
  this.clientBindAddress = getBindAddress(conf);
  authorizer = YarnAuthorizationProvider.getInstance(conf);
  super.serviceInit(conf);
}
 
Example #16
Source File: TestParentQueue.java    From hadoop with Apache License 2.0 4 votes vote down vote up
@Test
public void testQueueAcl() throws Exception {
 
  setupMultiLevelQueues(csConf);
  csConf.setAcl(CapacitySchedulerConfiguration.ROOT, QueueACL.SUBMIT_APPLICATIONS, " ");
  csConf.setAcl(CapacitySchedulerConfiguration.ROOT, QueueACL.ADMINISTER_QUEUE, " ");

  final String Q_C = CapacitySchedulerConfiguration.ROOT + "." + C;
  csConf.setAcl(Q_C, QueueACL.ADMINISTER_QUEUE, "*");
  final String Q_C11= Q_C + "." + C1 +  "." + C11;
  csConf.setAcl(Q_C11, QueueACL.SUBMIT_APPLICATIONS, "*");

  Map<String, CSQueue> queues = new HashMap<String, CSQueue>();
  CSQueue root = 
      CapacityScheduler.parseQueue(csContext, csConf, null, 
          CapacitySchedulerConfiguration.ROOT, queues, queues, 
          TestUtils.spyHook);
  YarnAuthorizationProvider authorizer =
      YarnAuthorizationProvider.getInstance(conf);
  CapacityScheduler.setQueueAcls(authorizer, queues);

  UserGroupInformation user = UserGroupInformation.getCurrentUser();
  // Setup queue configs
  ParentQueue c = (ParentQueue)queues.get(C);
  ParentQueue c1 = (ParentQueue)queues.get(C1);
  ParentQueue c11 = (ParentQueue)queues.get(C11);
  ParentQueue c111 = (ParentQueue)queues.get(C111);

  assertFalse(root.hasAccess(QueueACL.ADMINISTER_QUEUE, user));
  List<QueueUserACLInfo> aclInfos = root.getQueueUserAclInfo(user);
  assertFalse(hasQueueACL(aclInfos, QueueACL.ADMINISTER_QUEUE, "root"));
  
  assertFalse(root.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user));
  assertFalse(hasQueueACL(aclInfos, QueueACL.SUBMIT_APPLICATIONS, "root"));

  // c has no SA, but QA
  assertTrue(c.hasAccess(QueueACL.ADMINISTER_QUEUE, user));
  assertTrue(hasQueueACL(aclInfos,  QueueACL.ADMINISTER_QUEUE, "c"));
  assertFalse(c.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user));
  assertFalse(hasQueueACL(aclInfos, QueueACL.SUBMIT_APPLICATIONS, "c"));

  //Queue c1 has QA, no SA (gotten perm from parent)
  assertTrue(c1.hasAccess(QueueACL.ADMINISTER_QUEUE, user)); 
  assertTrue(hasQueueACL(aclInfos,  QueueACL.ADMINISTER_QUEUE, "c1"));
  assertFalse(c1.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user)); 
  assertFalse(hasQueueACL(aclInfos, QueueACL.SUBMIT_APPLICATIONS, "c1"));

  //Queue c11 has permissions from parent queue and SA
  assertTrue(c11.hasAccess(QueueACL.ADMINISTER_QUEUE, user));
  assertTrue(hasQueueACL(aclInfos,  QueueACL.ADMINISTER_QUEUE, "c11"));
  assertTrue(c11.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user));
  assertTrue(hasQueueACL(aclInfos, QueueACL.SUBMIT_APPLICATIONS, "c11"));

  //Queue c111 has SA and AQ, both from parent
  assertTrue(c111.hasAccess(QueueACL.ADMINISTER_QUEUE, user));
  assertTrue(hasQueueACL(aclInfos,  QueueACL.ADMINISTER_QUEUE, "c111"));
  assertTrue(c111.hasAccess(QueueACL.SUBMIT_APPLICATIONS, user));
  assertTrue(hasQueueACL(aclInfos, QueueACL.SUBMIT_APPLICATIONS, "c111"));

  reset(c);
}
 
Example #17
Source File: AbstractCSQueue.java    From hadoop with Apache License 2.0 4 votes vote down vote up
synchronized void setupQueueConfigs(Resource clusterResource)
    throws IOException {
  // get labels
  this.accessibleLabels =
      csContext.getConfiguration().getAccessibleNodeLabels(getQueuePath());
  this.defaultLabelExpression = csContext.getConfiguration()
      .getDefaultNodeLabelExpression(getQueuePath());

  // inherit from parent if labels not set
  if (this.accessibleLabels == null && parent != null) {
    this.accessibleLabels = parent.getAccessibleNodeLabels();
  }
  
  // inherit from parent if labels not set
  if (this.defaultLabelExpression == null && parent != null
      && this.accessibleLabels.containsAll(parent.getAccessibleNodeLabels())) {
    this.defaultLabelExpression = parent.getDefaultNodeLabelExpression();
  }

  // After we setup labels, we can setup capacities
  setupConfigurableCapacities();
  
  this.maximumAllocation =
      csContext.getConfiguration().getMaximumAllocationPerQueue(
          getQueuePath());
  
  authorizer = YarnAuthorizationProvider.getInstance(csContext.getConf());
  
  this.state = csContext.getConfiguration().getState(getQueuePath());
  this.acls = csContext.getConfiguration().getAcls(getQueuePath());

  // Update metrics
  CSQueueUtils.updateQueueStatistics(
      resourceCalculator, this, parent,
      labelManager.getResourceByLabel(RMNodeLabelsManager.NO_LABEL, clusterResource), minimumAllocation);
  
  // Check if labels of this queue is a subset of parent queue, only do this
  // when we not root
  if (parent != null && parent.getParent() != null) {
    if (parent.getAccessibleNodeLabels() != null
        && !parent.getAccessibleNodeLabels().contains(RMNodeLabelsManager.ANY)) {
      // if parent isn't "*", child shouldn't be "*" too
      if (this.getAccessibleNodeLabels().contains(RMNodeLabelsManager.ANY)) {
        throw new IOException("Parent's accessible queue is not ANY(*), "
            + "but child's accessible queue is *");
      } else {
        Set<String> diff =
            Sets.difference(this.getAccessibleNodeLabels(),
                parent.getAccessibleNodeLabels());
        if (!diff.isEmpty()) {
          throw new IOException("Some labels of child queue is not a subset "
              + "of parent queue, these labels=["
              + StringUtils.join(diff, ",") + "]");
        }
      }
    }
  }

  this.reservationsContinueLooking = csContext.getConfiguration()
      .getReservationContinueLook();

  this.preemptionDisabled = isQueueHierarchyPreemptionDisabled(this);
  this.cr = clusterResource;
}
 
Example #18
Source File: RMServerUtils.java    From hadoop with Apache License 2.0 4 votes vote down vote up
public static UserGroupInformation verifyAdminAccess(
    YarnAuthorizationProvider authorizer, String method, final Log LOG)
    throws IOException {
  // by default, this method will use AdminService as module name
  return verifyAdminAccess(authorizer, method, "AdminService", LOG);
}
 
Example #19
Source File: RMNodeLabelsManager.java    From hadoop with Apache License 2.0 4 votes vote down vote up
@Override
protected void serviceInit(Configuration conf) throws Exception {
  super.serviceInit(conf);
  authorizer = YarnAuthorizationProvider.getInstance(conf);
}