branch-2.0.4-alpha/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/AdminService.java - hadoop - Git at Google

 /**
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

 package org.apache.hadoop.yarn.server.resourcemanager;

 import java.io.IOException;
 import java.net.InetSocketAddress;

 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
 import org.apache.hadoop.ipc.Server;
 import org.apache.hadoop.security.AccessControlException;
 import org.apache.hadoop.security.Groups;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.authorize.AccessControlList;
 import org.apache.hadoop.security.authorize.PolicyProvider;
 import org.apache.hadoop.security.authorize.ProxyUsers;
 import org.apache.hadoop.yarn.api.RMAdminProtocol;
 import org.apache.hadoop.yarn.api.protocolrecords.RefreshAdminAclsRequest;
 import org.apache.hadoop.yarn.api.protocolrecords.RefreshAdminAclsResponse;
 import org.apache.hadoop.yarn.api.protocolrecords.RefreshNodesRequest;
 import org.apache.hadoop.yarn.api.protocolrecords.RefreshNodesResponse;
 import org.apache.hadoop.yarn.api.protocolrecords.RefreshQueuesRequest;
 import org.apache.hadoop.yarn.api.protocolrecords.RefreshQueuesResponse;
 import org.apache.hadoop.yarn.api.protocolrecords.RefreshServiceAclsRequest;
 import org.apache.hadoop.yarn.api.protocolrecords.RefreshServiceAclsResponse;
 import org.apache.hadoop.yarn.api.protocolrecords.RefreshSuperUserGroupsConfigurationRequest;
 import org.apache.hadoop.yarn.api.protocolrecords.RefreshSuperUserGroupsConfigurationResponse;
 import org.apache.hadoop.yarn.api.protocolrecords.RefreshUserToGroupsMappingsRequest;
 import org.apache.hadoop.yarn.api.protocolrecords.RefreshUserToGroupsMappingsResponse;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.exceptions.YarnRemoteException;
 import org.apache.hadoop.yarn.factories.RecordFactory;
 import org.apache.hadoop.yarn.factory.providers.RecordFactoryProvider;
 import org.apache.hadoop.yarn.ipc.RPCUtil;
 import org.apache.hadoop.yarn.ipc.YarnRPC;
 import org.apache.hadoop.yarn.server.resourcemanager.RMAuditLogger.AuditConstants;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.ResourceScheduler;
 import org.apache.hadoop.yarn.server.resourcemanager.security.authorize.RMPolicyProvider;
 import org.apache.hadoop.yarn.service.AbstractService;

 public class AdminService extends AbstractService implements RMAdminProtocol {

   private static final Log LOG = LogFactory.getLog(AdminService.class);

   private final Configuration conf;
   private final ResourceScheduler scheduler;
   private final RMContext rmContext;
   private final NodesListManager nodesListManager;

   private final ClientRMService clientRMService;
   private final ApplicationMasterService applicationMasterService;
   private final ResourceTrackerService resourceTrackerService;

   private Server server;
   private InetSocketAddress masterServiceAddress;
   private AccessControlList adminAcl;

   private final RecordFactory recordFactory =
     RecordFactoryProvider.getRecordFactory(null);

   public AdminService(Configuration conf, ResourceScheduler scheduler,
       RMContext rmContext, NodesListManager nodesListManager,
       ClientRMService clientRMService,
       ApplicationMasterService applicationMasterService,
       ResourceTrackerService resourceTrackerService) {
     super(AdminService.class.getName());
     this.conf = conf;
     this.scheduler = scheduler;
     this.rmContext = rmContext;
     this.nodesListManager = nodesListManager;
     this.clientRMService = clientRMService;
     this.applicationMasterService = applicationMasterService;
     this.resourceTrackerService = resourceTrackerService;
   }

   @Override
   public void init(Configuration conf) {
     super.init(conf);
     masterServiceAddress = conf.getSocketAddr(
         YarnConfiguration.RM_ADMIN_ADDRESS,
         YarnConfiguration.DEFAULT_RM_ADMIN_ADDRESS,
         YarnConfiguration.DEFAULT_RM_ADMIN_PORT);
     adminAcl = new AccessControlList(conf.get(
         YarnConfiguration.YARN_ADMIN_ACL,
         YarnConfiguration.DEFAULT_YARN_ADMIN_ACL));
   }

   public void start() {
     Configuration conf = getConfig();
     YarnRPC rpc = YarnRPC.create(conf);
     this.server =
       rpc.getServer(RMAdminProtocol.class, this, masterServiceAddress,
           conf, null,
           conf.getInt(YarnConfiguration.RM_ADMIN_CLIENT_THREAD_COUNT,
               YarnConfiguration.DEFAULT_RM_ADMIN_CLIENT_THREAD_COUNT));

     // Enable service authorization?
     if (conf.getBoolean(
         CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHORIZATION,
         false)) {
       refreshServiceAcls(conf, new RMPolicyProvider());
     }

     this.server.start();
     conf.updateConnectAddr(YarnConfiguration.RM_ADMIN_ADDRESS,
                            server.getListenerAddress());
     super.start();
   }

   @Override
   public void stop() {
     if (this.server != null) {
       this.server.stop();
     }
     super.stop();
   }

   private UserGroupInformation checkAcls(String method) throws YarnRemoteException {
     UserGroupInformation user;
     try {
       user = UserGroupInformation.getCurrentUser();
     } catch (IOException ioe) {
       LOG.warn("Couldn't get current user", ioe);

       RMAuditLogger.logFailure("UNKNOWN", method,
           adminAcl.toString(), "AdminService",
           "Couldn't get current user");
       throw RPCUtil.getRemoteException(ioe);
     }

     if (!adminAcl.isUserAllowed(user)) {
       LOG.warn("User " + user.getShortUserName() + " doesn't have permission" +
       " to call '" + method + "'");

       RMAuditLogger.logFailure(user.getShortUserName(), method,
           adminAcl.toString(), "AdminService",
           AuditConstants.UNAUTHORIZED_USER);

       throw RPCUtil.getRemoteException(
           new AccessControlException("User " + user.getShortUserName() +
               " doesn't have permission" +
               " to call '" + method + "'")
           );
     }
     LOG.info("RM Admin: " + method + " invoked by user " +
         user.getShortUserName());

     return user;
   }

   @Override
   public RefreshQueuesResponse refreshQueues(RefreshQueuesRequest request)
       throws YarnRemoteException {
     UserGroupInformation user = checkAcls("refreshQueues");
     try {
       scheduler.reinitialize(conf, this.rmContext);
       RMAuditLogger.logSuccess(user.getShortUserName(), "refreshQueues",
           "AdminService");
       return recordFactory.newRecordInstance(RefreshQueuesResponse.class);
     } catch (IOException ioe) {
       LOG.info("Exception refreshing queues ", ioe);
       RMAuditLogger.logFailure(user.getShortUserName(), "refreshQueues",
           adminAcl.toString(), "AdminService",
           "Exception refreshing queues");
       throw RPCUtil.getRemoteException(ioe);
     }
   }

   @Override
   public RefreshNodesResponse refreshNodes(RefreshNodesRequest request)
       throws YarnRemoteException {
     UserGroupInformation user = checkAcls("refreshNodes");
     try {
       this.nodesListManager.refreshNodes(new YarnConfiguration());
       RMAuditLogger.logSuccess(user.getShortUserName(), "refreshNodes",
           "AdminService");
       return recordFactory.newRecordInstance(RefreshNodesResponse.class);
     } catch (IOException ioe) {
       LOG.info("Exception refreshing nodes ", ioe);
       RMAuditLogger.logFailure(user.getShortUserName(), "refreshNodes",
           adminAcl.toString(), "AdminService", "Exception refreshing nodes");
       throw RPCUtil.getRemoteException(ioe);
     }
   }

   @Override
   public RefreshSuperUserGroupsConfigurationResponse refreshSuperUserGroupsConfiguration(
       RefreshSuperUserGroupsConfigurationRequest request)
       throws YarnRemoteException {
     UserGroupInformation user = checkAcls("refreshSuperUserGroupsConfiguration");

     ProxyUsers.refreshSuperUserGroupsConfiguration(new Configuration());
     RMAuditLogger.logSuccess(user.getShortUserName(),
         "refreshSuperUserGroupsConfiguration", "AdminService");

     return recordFactory.newRecordInstance(
         RefreshSuperUserGroupsConfigurationResponse.class);
   }

   @Override
   public RefreshUserToGroupsMappingsResponse refreshUserToGroupsMappings(
       RefreshUserToGroupsMappingsRequest request) throws YarnRemoteException {
     UserGroupInformation user = checkAcls("refreshUserToGroupsMappings");

     Groups.getUserToGroupsMappingService().refresh();
     RMAuditLogger.logSuccess(user.getShortUserName(),
         "refreshUserToGroupsMappings", "AdminService");

     return recordFactory.newRecordInstance(
         RefreshUserToGroupsMappingsResponse.class);
   }

   @Override
   public RefreshAdminAclsResponse refreshAdminAcls(
       RefreshAdminAclsRequest request) throws YarnRemoteException {
     UserGroupInformation user = checkAcls("refreshAdminAcls");

     Configuration conf = new Configuration();
     adminAcl = new AccessControlList(conf.get(
         YarnConfiguration.YARN_ADMIN_ACL,
         YarnConfiguration.DEFAULT_YARN_ADMIN_ACL));
     RMAuditLogger.logSuccess(user.getShortUserName(), "refreshAdminAcls",
         "AdminService");

     return recordFactory.newRecordInstance(RefreshAdminAclsResponse.class);
   }

   @Override
   public RefreshServiceAclsResponse refreshServiceAcls(
       RefreshServiceAclsRequest request) throws YarnRemoteException {
     Configuration conf = new Configuration();
     if (!conf.getBoolean(
              CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHORIZATION,
              false)) {
       throw RPCUtil.getRemoteException(
           new IOException("Service Authorization (" +
               CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHORIZATION +
               ") not enabled."));
     }

     PolicyProvider policyProvider = new RMPolicyProvider();

     refreshServiceAcls(conf, policyProvider);
     clientRMService.refreshServiceAcls(conf, policyProvider);
     applicationMasterService.refreshServiceAcls(conf, policyProvider);
     resourceTrackerService.refreshServiceAcls(conf, policyProvider);

     return recordFactory.newRecordInstance(RefreshServiceAclsResponse.class);
   }

   void refreshServiceAcls(Configuration configuration,
       PolicyProvider policyProvider) {
     this.server.refreshServiceAcl(configuration, policyProvider);
   }

   @Override
   public String[] getGroupsForUser(String user) throws IOException {
     return UserGroupInformation.createRemoteUser(user).getGroupNames();
   }

 }
	/**
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	package org.apache.hadoop.yarn.server.resourcemanager;

	import java.io.IOException;
	import java.net.InetSocketAddress;

	import org.apache.commons.logging.Log;
	import org.apache.commons.logging.LogFactory;
	import org.apache.hadoop.conf.Configuration;
	import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
	import org.apache.hadoop.ipc.Server;
	import org.apache.hadoop.security.AccessControlException;
	import org.apache.hadoop.security.Groups;
	import org.apache.hadoop.security.UserGroupInformation;
	import org.apache.hadoop.security.authorize.AccessControlList;
	import org.apache.hadoop.security.authorize.PolicyProvider;
	import org.apache.hadoop.security.authorize.ProxyUsers;
	import org.apache.hadoop.yarn.api.RMAdminProtocol;
	import org.apache.hadoop.yarn.api.protocolrecords.RefreshAdminAclsRequest;
	import org.apache.hadoop.yarn.api.protocolrecords.RefreshAdminAclsResponse;
	import org.apache.hadoop.yarn.api.protocolrecords.RefreshNodesRequest;
	import org.apache.hadoop.yarn.api.protocolrecords.RefreshNodesResponse;
	import org.apache.hadoop.yarn.api.protocolrecords.RefreshQueuesRequest;
	import org.apache.hadoop.yarn.api.protocolrecords.RefreshQueuesResponse;
	import org.apache.hadoop.yarn.api.protocolrecords.RefreshServiceAclsRequest;
	import org.apache.hadoop.yarn.api.protocolrecords.RefreshServiceAclsResponse;
	import org.apache.hadoop.yarn.api.protocolrecords.RefreshSuperUserGroupsConfigurationRequest;
	import org.apache.hadoop.yarn.api.protocolrecords.RefreshSuperUserGroupsConfigurationResponse;
	import org.apache.hadoop.yarn.api.protocolrecords.RefreshUserToGroupsMappingsRequest;
	import org.apache.hadoop.yarn.api.protocolrecords.RefreshUserToGroupsMappingsResponse;
	import org.apache.hadoop.yarn.conf.YarnConfiguration;
	import org.apache.hadoop.yarn.exceptions.YarnRemoteException;
	import org.apache.hadoop.yarn.factories.RecordFactory;
	import org.apache.hadoop.yarn.factory.providers.RecordFactoryProvider;
	import org.apache.hadoop.yarn.ipc.RPCUtil;
	import org.apache.hadoop.yarn.ipc.YarnRPC;
	import org.apache.hadoop.yarn.server.resourcemanager.RMAuditLogger.AuditConstants;
	import org.apache.hadoop.yarn.server.resourcemanager.scheduler.ResourceScheduler;
	import org.apache.hadoop.yarn.server.resourcemanager.security.authorize.RMPolicyProvider;
	import org.apache.hadoop.yarn.service.AbstractService;

	public class AdminService extends AbstractService implements RMAdminProtocol {

	private static final Log LOG = LogFactory.getLog(AdminService.class);

	private final Configuration conf;
	private final ResourceScheduler scheduler;
	private final RMContext rmContext;
	private final NodesListManager nodesListManager;

	private final ClientRMService clientRMService;
	private final ApplicationMasterService applicationMasterService;
	private final ResourceTrackerService resourceTrackerService;

	private Server server;
	private InetSocketAddress masterServiceAddress;
	private AccessControlList adminAcl;

	private final RecordFactory recordFactory =
	RecordFactoryProvider.getRecordFactory(null);

	public AdminService(Configuration conf, ResourceScheduler scheduler,
	RMContext rmContext, NodesListManager nodesListManager,
	ClientRMService clientRMService,
	ApplicationMasterService applicationMasterService,
	ResourceTrackerService resourceTrackerService) {
	super(AdminService.class.getName());
	this.conf = conf;
	this.scheduler = scheduler;
	this.rmContext = rmContext;
	this.nodesListManager = nodesListManager;
	this.clientRMService = clientRMService;
	this.applicationMasterService = applicationMasterService;
	this.resourceTrackerService = resourceTrackerService;
	}

	@Override
	public void init(Configuration conf) {
	super.init(conf);
	masterServiceAddress = conf.getSocketAddr(
	YarnConfiguration.RM_ADMIN_ADDRESS,
	YarnConfiguration.DEFAULT_RM_ADMIN_ADDRESS,
	YarnConfiguration.DEFAULT_RM_ADMIN_PORT);
	adminAcl = new AccessControlList(conf.get(
	YarnConfiguration.YARN_ADMIN_ACL,
	YarnConfiguration.DEFAULT_YARN_ADMIN_ACL));
	}

	public void start() {
	Configuration conf = getConfig();
	YarnRPC rpc = YarnRPC.create(conf);
	this.server =
	rpc.getServer(RMAdminProtocol.class, this, masterServiceAddress,
	conf, null,
	conf.getInt(YarnConfiguration.RM_ADMIN_CLIENT_THREAD_COUNT,
	YarnConfiguration.DEFAULT_RM_ADMIN_CLIENT_THREAD_COUNT));

	// Enable service authorization?
	if (conf.getBoolean(
	CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHORIZATION,
	false)) {
	refreshServiceAcls(conf, new RMPolicyProvider());
	}

	this.server.start();
	conf.updateConnectAddr(YarnConfiguration.RM_ADMIN_ADDRESS,
	server.getListenerAddress());
	super.start();
	}

	@Override
	public void stop() {
	if (this.server != null) {
	this.server.stop();
	}
	super.stop();
	}

	private UserGroupInformation checkAcls(String method) throws YarnRemoteException {
	UserGroupInformation user;
	try {
	user = UserGroupInformation.getCurrentUser();
	} catch (IOException ioe) {
	LOG.warn("Couldn't get current user", ioe);

	RMAuditLogger.logFailure("UNKNOWN", method,
	adminAcl.toString(), "AdminService",
	"Couldn't get current user");
	throw RPCUtil.getRemoteException(ioe);
	}

	if (!adminAcl.isUserAllowed(user)) {
	LOG.warn("User " + user.getShortUserName() + " doesn't have permission" +
	" to call '" + method + "'");

	RMAuditLogger.logFailure(user.getShortUserName(), method,
	adminAcl.toString(), "AdminService",
	AuditConstants.UNAUTHORIZED_USER);

	throw RPCUtil.getRemoteException(
	new AccessControlException("User " + user.getShortUserName() +
	" doesn't have permission" +
	" to call '" + method + "'")
	);
	}
	LOG.info("RM Admin: " + method + " invoked by user " +
	user.getShortUserName());

	return user;
	}

	@Override
	public RefreshQueuesResponse refreshQueues(RefreshQueuesRequest request)
	throws YarnRemoteException {
	UserGroupInformation user = checkAcls("refreshQueues");
	try {
	scheduler.reinitialize(conf, this.rmContext);
	RMAuditLogger.logSuccess(user.getShortUserName(), "refreshQueues",
	"AdminService");
	return recordFactory.newRecordInstance(RefreshQueuesResponse.class);
	} catch (IOException ioe) {
	LOG.info("Exception refreshing queues ", ioe);
	RMAuditLogger.logFailure(user.getShortUserName(), "refreshQueues",
	adminAcl.toString(), "AdminService",
	"Exception refreshing queues");
	throw RPCUtil.getRemoteException(ioe);
	}
	}

	@Override
	public RefreshNodesResponse refreshNodes(RefreshNodesRequest request)
	throws YarnRemoteException {
	UserGroupInformation user = checkAcls("refreshNodes");
	try {
	this.nodesListManager.refreshNodes(new YarnConfiguration());
	RMAuditLogger.logSuccess(user.getShortUserName(), "refreshNodes",
	"AdminService");
	return recordFactory.newRecordInstance(RefreshNodesResponse.class);
	} catch (IOException ioe) {
	LOG.info("Exception refreshing nodes ", ioe);
	RMAuditLogger.logFailure(user.getShortUserName(), "refreshNodes",
	adminAcl.toString(), "AdminService", "Exception refreshing nodes");
	throw RPCUtil.getRemoteException(ioe);
	}
	}

	@Override
	public RefreshSuperUserGroupsConfigurationResponse refreshSuperUserGroupsConfiguration(
	RefreshSuperUserGroupsConfigurationRequest request)
	throws YarnRemoteException {
	UserGroupInformation user = checkAcls("refreshSuperUserGroupsConfiguration");

	ProxyUsers.refreshSuperUserGroupsConfiguration(new Configuration());
	RMAuditLogger.logSuccess(user.getShortUserName(),
	"refreshSuperUserGroupsConfiguration", "AdminService");

	return recordFactory.newRecordInstance(
	RefreshSuperUserGroupsConfigurationResponse.class);
	}

	@Override
	public RefreshUserToGroupsMappingsResponse refreshUserToGroupsMappings(
	RefreshUserToGroupsMappingsRequest request) throws YarnRemoteException {
	UserGroupInformation user = checkAcls("refreshUserToGroupsMappings");

	Groups.getUserToGroupsMappingService().refresh();
	RMAuditLogger.logSuccess(user.getShortUserName(),
	"refreshUserToGroupsMappings", "AdminService");

	return recordFactory.newRecordInstance(
	RefreshUserToGroupsMappingsResponse.class);
	}

	@Override
	public RefreshAdminAclsResponse refreshAdminAcls(
	RefreshAdminAclsRequest request) throws YarnRemoteException {
	UserGroupInformation user = checkAcls("refreshAdminAcls");

	Configuration conf = new Configuration();
	adminAcl = new AccessControlList(conf.get(
	YarnConfiguration.YARN_ADMIN_ACL,
	YarnConfiguration.DEFAULT_YARN_ADMIN_ACL));
	RMAuditLogger.logSuccess(user.getShortUserName(), "refreshAdminAcls",
	"AdminService");

	return recordFactory.newRecordInstance(RefreshAdminAclsResponse.class);
	}

	@Override
	public RefreshServiceAclsResponse refreshServiceAcls(
	RefreshServiceAclsRequest request) throws YarnRemoteException {
	Configuration conf = new Configuration();
	if (!conf.getBoolean(
	CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHORIZATION,
	false)) {
	throw RPCUtil.getRemoteException(
	new IOException("Service Authorization (" +
	CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHORIZATION +
	") not enabled."));
	}

	PolicyProvider policyProvider = new RMPolicyProvider();

	refreshServiceAcls(conf, policyProvider);
	clientRMService.refreshServiceAcls(conf, policyProvider);
	applicationMasterService.refreshServiceAcls(conf, policyProvider);
	resourceTrackerService.refreshServiceAcls(conf, policyProvider);

	return recordFactory.newRecordInstance(RefreshServiceAclsResponse.class);
	}

	void refreshServiceAcls(Configuration configuration,
	PolicyProvider policyProvider) {
	this.server.refreshServiceAcl(configuration, policyProvider);
	}

	@Override
	public String[] getGroupsForUser(String user) throws IOException {
	return UserGroupInformation.createRemoteUser(user).getGroupNames();
	}

	}